Part 1

Background

The Linux distribution we chose was DEFT – Digital Evidence and Forensic Toolkit – Linux. Built on Lubuntu, DEFT is a live CD designed for police, investigators, system administrators and other linux and securities enthusiasts.

The distribution image file (.iso) was obtained at the DEFT download page and the download links can be found here

DEFT finds its origins in the Ubuntu/Debian linux flavor world. Currently, DEFT is distributed as a live cd (taking up roughly 682mb of space).

DEFT is primarily developed by an Italian team, lead by Stefano Fraepietro. Other core team members include Salvo Tarantino, Davide Gabrini, Valerio Leomporra, Massimiliano Dal Cero and Alessandro Rossetti. DEFT is used by a variety of individuals, including professors, police and engineers.

Installation/Startup

DEFT is a LiveCD .iso so startup is as easy as configuring the BIOS, and inserting a disc with the burned iso. No virtualization software was needed, but first attempts at running this distribution involved the use of VirtualBox.

Having this distribution as a LiveCD is important due to its forensic purpose. An easily deployable forensic toolkit is perfect for when dealing with computers where passwords may not be granted, such as those that are seized. A user could then obtain browser or administrator passwords for example, from the machines filesystem.

Figure 1 - Startup

Figure 2 - Main

After booting up in a VirtualBox VM with 512 MB RAM allocated, it was soon realized that in order to get a true experience out of DEFT, being a forensic tool, it would be more appropriate to run on an existing machine running Windows.

To get it running:

Burn a disc with the deft_6.1.iso file
To run an .exe containing many of the forensic tools in the DEFT OS, put the disc into a running version of Windows
To get to the DEFT startup menu (Figure 1), set the BIOS to boot from the CD/DVD drive primarily.

After choosing a language you can pick one of three options:

DEFT Linux live cd
Check disk for defects
Test memory

Check disk and test memory are just utilities for hardware checking, so the live cd option was chosen. DEFT goes through plenty of configuration operations and hardware scans to get the OS ready for use. Once this is all complete you are greeted by the main console screen of DEFT (Figure 2).

For a GUI Interface, type in 'deft-gui' into the console. Some of the applications in DEFT require the GUI to be used, such as Catfish or the Digital Forensic Framework (FDF).

Basic Operation

DEFT utilizes BASH or Bourne-again shell. Again, the shell functioned according to the norm that I have come to expect from debian-based distributions. I utilized ssh functionality from the shell, to ssh into my home server located at home.justincampbell.ca.

Figure 3 - Desktop

After working with basic bash/unix commands and shell scripts, I decided to work with the graphical user interface. I switched to graphical mode and began utilizing different applications and the desktop environment to perform “simple” tasks.

DEFT uses the LXDE windows manager (Figure 3). While I have been an avid Linux user since 2003, I have not used LXDE in any meaningful capacity before. LXDE has, thus far, proven to be a very simple user interface with very few issues.

The usage of DEFT was much like my experiences with KDE (and “Windows Aero”/the Windows environment). It seemed to have a similar menu and taskbar setup graphically, and was laid out much in the same manner of KDE and GNOME (to an extent). The graphical interface had “laggy” periods during read/write operations from disk; due to the operation system being a live cd.

Since DEFT is simply xubuntu with some specialty softwares most of my usage cases were related to the usage of particular programs related to forensics and other data ‘investigation’ tools.

After these brief tests, I booted from the LiveCD on a spare laptop that I had around, in the hopes of testing Ophcrack (the Windows password cracking utility). I decided to go the route of trying to obtain the passwords from the encrypted SAM file, located in "C:\Windows\System32\config". After installing a set of password tables from the Ophcrack website, I ran the utility and my password was found.

One of the interesting applications from the suite is WINE, an emulator for windows applications. Due to the nature of the setup (Live CD), and the emulation nature of the application, applications run under WINE experienced a slower than “normal” execution time. The application I chose to emulate was PuTTY.

The application functioned properly, but noticeably slower that the counterpart ‘ssh’ commands from the linux shell.

Usage Evaluation

I found that this distribution was packed full of excellent programs for anyone wishing to carry out forensic analysis of a system and its contents.

Some of the tools, such as the various browser history and cache viewers were not much more than allowing a user to see a list, however for free software I did not expect anything too fancy. Other tools, like the Ophcrack Windows Password cracker seemed like it could be useful in many situations that would involve the use of DEFT.

This is the first distribution I have used where I found a graphical MountManager, which I found to be very helpful, and can see how it would be almost imperative for non-Linux users who do not have skills working at the command line.

All-in-all I can see how this distribution could be used well to serve its design purpose, and through use of the live CD can be used on a wide variety of machines anywhere, anytime.

Part 2

Software Packaging

Deft uses the apt-get command line tool that works with the Advanced Packaging Tool (APT). This tool provides a simple command line interface which can be used to update, remove, and install new packages as well as other features.

A list of installed packages can be obtained by running the dpkg utility:

dpkg --get-selections

For the "front-end" interface, the Deft GUI uses the Synaptic Package Manager to allow you to browse for new packages, as well as update, install/remove, and allow you to view more information about a certain package. Packages are first archived with the tar utility and then compressed further with gzip.

To add packages to your system from the command line, you simply call

apt-get install <package-name>

and apt-get will take care of the rest. To remove a package, use

apt-get remove <package-name>

Packages are downloaded from repositories (directories or disks with an index) that are sourced in APT's sources.list config file. After a reloading of the list of packages provided by Synaptic, there are over 32000 packages available for download and install.

I would say that the software included is quite extensive, as there are tools for most jobs someone working in the digital forensic field would need to carry out on a system. Also included with the distribution is the DEFT-extra set of utilities for working straight on a Windows host OS. These utilities include a large variety of software auditing programs, image viewers, and tools to search through and monitor filesystems, registries, and system files.

Major Package Versions

To note first, DEFT Linux version 6 is based entirely off of Lubuntu version 10.10; originally developed in summer 2010, and published around Christmas 2010/2011. DEFT tends to be a distribution devoted to simply added packages to a strong base distribution. Changes to the distribution are typically minor and adjust settings to fix bugs that occur between applications. This means that most packages are similar, if not the same, to packages from Lubuntu/Ubuntu distributions. Ubuntu based distributions, in turn, modify packages from the Debian (and other) collections to build the custom flavour distribution.

Most packages are the age that they are due to the minimal updates performed after the initial release of the distribution. Ten examples of this are the following packages:

Package	Version	Latest Official Release	Official Source	Fork	Command
Linux Kernel	2.6.35 (2010-08-02)	3.1.1 (2011-11-11)	http://www.kernel.org/	https://launchpad.net/linux/2.6.35	`uname –a`
libc	2.12.1 (2010-08-03)	2.14.1 (2011-10-07)	http://www.gnu.org/s/libc/	http://ftp.gnu.org/gnu/libc/	`command /lib/libc.so.6 –version</ncode>`
X.org X Server	1.9.0 (2010-08-20)	1.11.2 (2011-11-04)	http://www.x.org/wiki	https://launchpad.net/ubuntu/+source/xorg-server/2:1.9.0-0ubuntu7	`x –version`
bash	4.1 (2010-01-01)	4.2 (2011-02-13)	http://www.gnu.org/software/bash/	ftp://ftp.gnu.org/gnu/bash/	`bash –version`
gtk+	2.22.0 (2010-09-23)	2.24.8 (2011-11-10)	http://www.gtk.org/	http://download.gnome.org/sources/gtk+/2.22/	`pkg-config --modversion gtk+`
qt	4.7.0 (2010-09-21)	4.8.0 (2011-12-15)	http://qt.nokia.com/products/	http://qt.gitorious.org/	`qtcreator –version`
firefox	3.6.12 (2010-10-27)	8.0.1 (2011-11-21)	http://www.mozilla.org/en-US/firefox/fx/	http://www.mozilla.org/en-US/firefox/fx/	`firefox –v`
gcc	4.4.4 (2010-04-25	4.6.2 (2011-10-26)	http://gcc.gnu.org/gcc-4.4/	http://gcc.parentingamerica.com/releases/	`gcc –v`
grub	1.98 (2010-03-06)	1.99 (2011-05-05)	http://www.gnu.org/software/grub/	ftp://ftp.gnu.org/gnu/grub/	`grub-install –v`
cups	1.4.4 (2010-06-17)	1.5 (2011-07-25)	http://www.cups.org/	http://www.cups.org/software.php	`cups-config --api-version`

As the packages vary from a single leap in versions to many leap in versions, the release notes for each package has been provided (where available). The notes contain information about the package differences. Most follow the method of simply improving upon the last package, by dealing with bugs arriving in the previous packages.

Package	Version Release Information	Latest Release Information
Linux Kernel	http://kernelnewbies.org/Linux_2_6_35	http://lwn.net/Articles/467038/
Libc	http://sourceware.org/ml/libc-alpha/2010-05/msg00000.html	http://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/release/2.14/master
X.org x server	http://www.x.org/wiki/Server19Branch	http://www.x.org/wiki/Server111Branch
bash		http://tiswww.case.edu/php/chet/bash/NEWS
Gtk+	http://mail.gnome.org/archives/gtk-devel-list/2010-September/msg00263.html	http://mail.gnome.org/archives/gtk-devel-list/2011-November/msg00026.html
Qt	http://labs.qt.nokia.com/2010/09/21/qt-4-7-0-now-available/	http://labs.qt.nokia.com/2011/12/15/qt-4-8-0-released/
Firefox	http://www.mozilla.org/en-US/firefox/3.6.12/releasenotes/	http://www.mozilla.org/en-US/firefox/8.0.1/releasenotes/
Gcc	http://gcc.gnu.org/gcc-4.4/	http://gcc.gnu.org/gcc-4.6/
Grub	http://lists.gnu.org/archive/html/grub-devel/2010-03/msg00017.html	http://lists.gnu.org/archive/html/grub-devel/2011-05/msg00032.html
Cups	http://www.cups.org/articles.php?L596	http://www.cups.org/documentation.php/doc-1.5/whatsnew.html

Initialization

When the computer is started, its BIOS boots grub. Grub goes on to load the kernel and gives control to the init process.

The init process runs the NetworkManager, which runs dhclient to configure the network interfaces present on the machine.

Init then runs several daemons including atd (there to run jobs that are queued for later execution with at), and cron (which runs to execute scheduled commands).

For the user session init runs the login process, which then runs bash which in turn runs deft-gui (as I chose to work with the gui for this part)

The deft-gui starts the lxdm-binary (the lxdm login manager executable) and the beginnings of a graphical interface are born. Xorg (the open source version of the X window system) is run, along with lxsession to get everything going. Lxsession, the standard session manager of LXDE, starts a set of applications and gets a working desktop environment set up.