CSI Linux - Setting It Up and Using Case Management
This will walk through how to use the Case Management System.
CSI Linux in a nutshell
CSI Linux is a focused Linux distribution for digital forensics. We developed an open-source 'theme park' for the cyber security industry. It has tons of capabilities for investigations, analysis, and response! CSI Linux is available in both a Virtual Machine Appliance and a Bootable distro to use as a daily driver, all for the cost of free. We do have systems with CSI Linux pre-installed that can be purchased. Currently, we have a Mini-PC called the CSI Linux Workstation M01.
We believe that having the right tools to do the job is critical for forensic investigators.
That’s why we have created a multi-purpose, all-inclusive, investigation environment
starting with online investigations (OSINT, social media, domain recon, and dark web)
to offline Digital Forensics and Incident Response to Malware Analysis and more. This is
an ideal environment for both training and real-world investigations. Most of our Dark
web/Darknet focus is on Tor, but we also support I2P, Freenet, and Zeronet. CSI Linux
SIEM contains the tools you need for identifying local network threats. What makes this
different than the hundreds of other options out there? Well... CSI Linux was developed
by Computer Forensics, Incident Response, and Competitive Intelligence professionals
to meet the current needs for their clients, government agencies, and the industry.
If a hacker or an APT is your target, how do you catch them? What do you do once you identify the threat? With a combination of state-of-the-art technology and good old-fashioned investigative know-how, CSI Linux is a low-budget solution for making your cyber triage and emergency response easier and more streamlined.
If you need a solution for classic computer forensics also known as “Dead Box” or
“Postmortem” forensics or need to recover data from a drive with bad sectors, CSI Linux
helps you with that.
The current version has been built using an Ubuntu 22.04 LTS version for long-term
support. There have been many upgrades in the applications, and additional
applications have been added. The original CSI Gateway has been retired, and we are not
using Whonix. We have also built our own TOR Gateway into the platform (runs like
CSI Linux is a constantly evolving investigation platform for cyber forensics focusing
mostly on open-source tools to help keep costs down while adding many levels of
capabilities to your arsenal. It was built for those in the DFIR, Law Enforcement,
Investigative Journalism, and Researcher fields.
Therefore, we built our proprietary Case Management system and many of our custom tools to pull data from common third-party tools into the case folder and keep your investigation data segmented while minimizing contamination of evidence. We have added a list of communication tools to help, and encryption tools to keep your information safe. This platform covers online investigations, OSINT, SOCMINT, Dark Web, Incident Response, Digital Forensics, Mobile Forensics, Malware Analysis, Threat Intelligence, Threat Hunting, and more.
System Requirements
• A system that supports virtualization
• 64 GB free space minimum
▪ This is for file downloads and installation.
• 4 GB RAM minimum
▪ The VM has 4 GB pre-allocated.
• Internet for internet-related tools and updates
14. The VM should start in a new window. When it gets to the login prompt, enter the username and
password.
a. User: csi
b. Pass: csi
15. Press or click “Log In.”
16. You should now be in CSI Linux.
Step 1
Step 2
• When the virtual media window closes, start the CSI Linux VM.
• Log into CSI Linux
• Open a terminal window by left clicking on the terminal icon.
• Type in the following and press enter.
• Right click on the CSI Linux drive (example: 30.00 GB). Then left click on “Resize/Move”.
• Slide the slider bar to the far right or type in “0” for the “Free space following (MiB)” and
press enter. This should now fit the new size you created in step 1.
• Left click “Apply”. When it is done, Left click “Ok”, then close Gparted.
You can now start using your investigation environment with more disk space.
There are two ways to use the CSI Linux virtual appliance for cyber investigations. The
most common method is to use one instance of CSI Linux for multiple cases. The case
management system separates the cases into their folders, makes an MD5 hash of all the
files in the case, and compresses them into the archive folder when you are done with
your tools.
The second method is to use one CSI Linux instance for one case. This is a popular method for Law Enforcement and other organizations that need to ensure Confidentiality, Integrity, and Availability of the evidence. When the case is done, you archive that instance and save it as your evidence container. This way, the environment is only used for one case, and there is no possibility of accidental cross-contamination if you enter the wrong case information. When a case is closed, you can move it to a “Closed Cases” group within VirtualBox. When you need to clear up space or officially archive the cases, you can create an OVA appliance of the CSI_Linux_CaseName virtual machine, copy it to two locations (backup redundancy), and remove the CSI Linux instance from VirtualBox.
You need to download and install VirtualBox and the VirtualBox extensions from virtualbox.org/wiki/Downloads. Then you need to download the “.OVA” file for CSI Linux from csilinux.com/download.
Step 1
Note: You should see a CSI Linux instance in VirtualBox. Start the virtual machine,
and you are good to go.
Step 1
Note: We do this because we will use the CSI Linux Master as the baseline image to clone new cases from. When you update the CSI Linux Master, the new cases will also contain the updates.
Step 2
• Right click the CSI Linux VM (in this instance, it is CSI Linux 2021.2)
• Left click on “Clone.”
• Left click “Next.”
• Right click on the new group and rename the group to “Active Cases”.
• Drag the new case instances into the Active Cases group and not onto another VM instance.
If you do, it will create a new subgroup. Rinse and repeat.
• Drag the new case instances to archive into the Archived Cases group and not onto another
VM instance. If you do, it will create a new subgroup. Rinse and repeat.
Step 4
This forensically sound bitstream copy of CSI Linux was created as a RAW dd copy to ensure that everything installed works exactly like the system it was imaged from. This means that you can take imaging software, copy the dd file to a disk, and it should boot just like it did before it was imaged. The RAW copy is 54 GB and is compressed to 5 GB for download speed. This should allow it to be copied onto ANY functional 64 GB USB.
Requirements
• 64 GB free space minimum
o This is for the file download and extraction of the 32GB image.
• 64+GB hard drive or USB up to a 2 TB drive. This will be the boot device.
• 6 GB RAM minimum
• Imaging tool that can copy a RAW (DD) forensic image to a disk.
o HDDRawCopy is included in the download if you would like to use it.
• Internet for the internet-related tools and updates
Next, you can browse the portableapps.com website and select the apps you wish to
install. For example, I might choose to install HashMyFiles, XnView, and VLC media
player. Once you have selected the apps you wish to install, simply click on the download
button and the apps will be downloaded and installed on your external drive. You can
even install NirsoftLauncher or FTK ImagerLite in the drive:/PortableApps/ folder.
Now you can use your external drive to run your portable apps on any Windows
computer without the need to install them. This can be particularly useful when
conducting investigations, as it allows me to access my tools and evidence from any
computer without the need to install software or leave behind any traces.
We have created a PortableApps package containing many of the tools we use during
DFIR investigations. These are tools used by first responding Law Enforcement units and
corporate security units alike. These tools are for Windows based systems and reside on
the NTFS partition. If you are interested in using what we use, you can download the
compressed archive from our website. Just extract the archive onto your NTFS Data
partition. Just update the software and tools when needed.
sudo gparted
6.) Slide the slider bar to the far right or type in “0” for the “Free space following (MiB)” and press enter.
This should now fit the new size you created in step 1.
7.) Left click “Resize” and then Left click the check icon.
8.) Left click “Apply.” When it is done, Left click “Ok,” then close Gparted.
You can now start using your investigation environment with more disk space.
Mobile Forensics
• Android Logical Imager
• APK Tool
• * ALEAP
• Heimdall – Samsung Devices
• Whatsapp Messenger Version 2.20
• Android Free Forensic Toolkit
• * iLEAP
• ISO Logical Imager
Malware Analysis
• APK Tool - Android APK
• Binwalk
• PDFID
• *JD-GUI
• * GDB
• * EDB Debugger
• UPX
• * ImHex
• wxHexEditor
• Ghidra
• * IDA Free
• Radare2
• Radare2 - Cutter GUI
• RetDec
A case management system is a software tool that allows investigators to store, organize,
and manage all the evidence and information related to a specific case. It can include a
variety of features such as case notes, file storage, and report generation. The system can
be used to store digital files, such as images and videos, as well as physical evidence, such
as documents and devices.
One of the key features of a case management system is the ability to organize evidence
into specific case folders. This allows investigators to easily locate and access the
evidence they need, without having to search through a large number of unrelated files.
For example, if I am investigating a cybercrime case, I can create a case folder for that
specific case and store all of the relevant evidence, such as website logs, chat logs, and
screenshots, in that folder.
For example, let's say an investigator is trying to track down a suspect involved in
financial fraud, the investigator would use the case management system to store all the
evidence related to the case such as bank statements, transactions, and suspect
information. The investigator can use the system to generate a report that summarizes
the case, including a timeline of the suspect's activities, and a list of all the evidence
collected. This report can then be shared with other members of the investigation team
to help them build a case against the suspect.
The case management system built into CSI Linux was designed to assist cyber forensics experts during digital investigations. The interface has evolved based on the needs of real-world investigations and through forensic training.
When the program opens, you should see a similar screen to this.
If you are starting new case, left click “Start New Case”
If you are opening an existing case, left click “Open Existing Case”
We are going to start a new case at this step. You should now see a case wizard pop up
like the image below.
• Case: Case001
• Investigator: Your name
• Case Type: Hacking Case
You should now see a new window that looks like below.
At this point, you can pick what type of investigation you want to start with. Many cases
will start with OSINT/SOCMINT/Online Investigation and that will be located in the
OSINT section.
/home/csi/Cases/Case001
or
~/Cases/Case001
The Folders:
• Export
• Forensic Evidence Images
• Report
• Tools
• Video
Now, let’s get back to the program. We should see several different options. Each should follow the flow of an investigation. For example, it is common to start an investigation off with an online investigation or intelligence gathering to gain probable cause to start an investigation. After Probable Cause is given, there is Forensic Imaging, then the Forensic/Analysis options. Reporting is next within the Document Templates, and Encryption is last to securely store the data. Each main section is based around the forensic framework flow. The secondary sections are subject specific.
If you click on Open Source Intelligence (OSINT) / Online, you will see a window that
looks like this.
This opens the Domain Recon Window. Within this window, you will have several
options to collect evidence from webservers and services. This includes:
If you click on Geolocation IP/SSID/BSSID, the CSI Linux Geolocation app will open and allow you to search for wireless access points using the Wigle API and search for the IP address using the Shodan.io API.
SOCMINT
If you click on Social Media (SOCMINT), you should see a window like this open:
If you need to capture a video for evidence, you can pull down both downloads and
streaming media.
When the case closes, every file in the case folder will be hashed. Then the entire folder
gets added to a zip archive with the case name and timestamp and saved into the
~/Cases/Archive/ folder. This gives you a backup or snapshot of your case every time
you close the case management program.
Note: the case will grow over time, and you may collect a lot of archive files. You may
need to clean up the archive folder on a regular basis to save on space.
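The close-case step described above, as an added example that is not CSI Linux's own code: every file under the case folder is MD5-hashed into a manifest, the folder is zipped as <case>_<timestamp>.zip into the Archive folder, and a verification pass re-hashes the archived files against the manifest. The manifest file name hashes.md5 and the exact archive naming pattern are assumptions.

```python
import hashlib
import time
import zipfile
from pathlib import Path

MANIFEST = "hashes.md5"  # assumed manifest name; not from the CSI Linux docs


def hash_case_files(case_dir):
    """Return {relative posix path: md5 hex} for every file under case_dir."""
    hashes = {}
    for path in sorted(p for p in Path(case_dir).rglob("*") if p.is_file()):
        if path.name == MANIFEST:          # never hash an older manifest
            continue
        h = hashlib.md5()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        hashes[path.relative_to(case_dir).as_posix()] = h.hexdigest()
    return hashes


def close_case(case_dir, archive_dir, stamp=None):
    """Hash the case, write the manifest into it, and zip it into archive_dir."""
    case_dir, archive_dir = Path(case_dir).resolve(), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    hashes = hash_case_files(case_dir)
    # md5sum-style lines: "<digest>  <relative path>"
    (case_dir / MANIFEST).write_text("".join(f"{d}  {p}\n" for p, d in hashes.items()))
    stamp = stamp or time.strftime("%Y%m%d_%H%M%S")
    out = archive_dir / f"{case_dir.name}_{stamp}.zip"
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(p for p in case_dir.rglob("*") if p.is_file()):
            zf.write(path, f"{case_dir.name}/{path.relative_to(case_dir).as_posix()}")
    return out


def verify_archive(zip_path):
    """Re-hash every manifest entry inside the zip; return the paths that differ."""
    bad = []
    with zipfile.ZipFile(zip_path) as zf:
        case = zf.namelist()[0].split("/", 1)[0]   # top-level folder = case name
        for line in zf.read(f"{case}/{MANIFEST}").decode().splitlines():
            digest, rel = line.split("  ", 1)
            if hashlib.md5(zf.read(f"{case}/{rel}")).hexdigest() != digest:
                bad.append(rel)
    return bad
```

Running verify_archive against each snapshot in ~/Cases/Archive/ is a quick way to confirm that an archive still matches the hashes recorded when the case was closed.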
You can also move the Case folder to another location using the Case Management > Settings > Move Case option. This moves the Case folder data to the new location and then replaces the folder with a link. As far as any tools or normal usage go, it will act like the original folder at ~/Cases.
So, to review. When you start a case, it will create your case folder with the name of the
case you chose in the beginning. Each folder is designed to hold specific types of
information including an isolation folder for tools like Hunch.ly, Autopsy, and more.
This helps organize the evidence you acquire during investigations and minimizes the
possibility of cross contamination.