CSI Linux - Setting It Up and Using Case Management


CASE MANAGEMENT

The Case Management for CSI Linux

This will walk through how to use the Case Management System.

CSI Linux in a nutshell
CSI Linux is a focused Linux distribution for digital forensics. We developed an open-
source 'theme park' for the cyber security industry. It has tons of capabilities for
investigations, analysis, and response! CSI Linux is available in both a Virtual Machine
Appliance and a Bootable distro to use as a daily driver, all for the cost of free. We do have
systems with CSI Linux pre-installed that can be purchased. Currently, we have a Mini-
PC called the CSI Linux Workstation M01.

We believe that having the right tools to do the job is critical for forensic investigators.
That’s why we have created a multi-purpose, all-inclusive, investigation environment
starting with online investigations (OSINT, social media, domain recon, and dark web)
to offline Digital Forensics and Incident Response to Malware Analysis and more. This is
an ideal environment for both training and real-world investigations. Most of our Dark
web/Darknet focus is on Tor, but we also support I2P, Freenet, and Zeronet. CSI Linux
SIEM contains the tools you need for identifying local network threats. What makes this
different than the hundreds of other options out there? Well... CSI Linux was developed
by Computer Forensics, Incident Response, and Competitive Intelligence professionals
to meet the current needs for their clients, government agencies, and the industry.

There is a plethora of information on the Internet and a lot of it is useful during
reconnaissance, OSINT, SOCMINT or Dark web analysis. Tracking a suspect? Want to
know what an APT will know about you? Need to link user accounts to prove collusion?
These are some of the many challenges many of us face every day. CSI Linux is making
this easier and, in many cases, cheaper than ever before.

If a hacker or an APT is your target, how do you catch them? What do you do once you
identify the threat? With a combination of state-of-the-art technology and good old-
fashioned investigative know-how, CSI Linux is a low-budget solution for making your
cyber triage and emergency response easier and more streamlined.

If you need a solution for classic computer forensics also known as “Dead Box” or
“Postmortem” forensics or need to recover data from a drive with bad sectors, CSI Linux
helps you with that.
The current version has been built using an Ubuntu 22.04 LTS version for long-term
support. There have been many upgrades in the applications, and additional
applications have been added. The original CSI Gateway has been retired, and we are not
using Whonix. We have also built our own TOR Gateway into the platform (runs like
Tails), called the CSI TorVPN. This will encapsulate all your traffic through a Tor “VPN”
adapter when it is turned on. We will cover these in a future section.

© CSI Linux – csilinux.com 1

CSI Linux is a constantly evolving investigation platform for cyber forensics focusing
mostly on open-source tools to help keep costs down while adding many levels of
capabilities to your arsenal. It was built for those in the DFIR, Law Enforcement,
Investigative Journalism, and Researcher fields.

Therefore, we built our proprietary Case Management system and many of our custom
tools to pull data from common third-party tools into the case folder and keep your
investigation data segmented while minimizing contamination of evidence. We have
added communication tools to help and encryption tools to keep your
information safe. This platform covers online investigations, OSINT, SOCMINT, Dark
Web, Incident Response, Digital Forensics, Mobile Forensics, Malware Analysis, Threat
Intelligence, Threat Hunting, and more.



Using CSI Linux in a Virtual Environment
Evidence collection and preservation are essential when doing any investigation or
forensic examination. Within the CSI Linux environment, several mechanisms are in
place to provide for the preservation and integrity validation of the evidence while
collecting evidence for a case. The virtual appliance opens the door for an excellent
method to secure evidence.

System Requirements
• A system that supports virtualization
• 64 GB free space minimum
▪ This is for file downloads and installation.
• 4GB Ram minimum
▪ The VM has 4GB pre-allocated.
• Internet for internet-related tools and updates

Installing the system


1. Download and install VirtualBox. Downloads – Oracle VM VirtualBox
2. Download and install VirtualBox Extension Pack. Downloads – Oracle VM VirtualBox
3. Download the CSI Linux VM.OVA file from the download section.
a. If you use the Torrent file or Magnet link, you will need to use BitTorrent software to open
those. The BitTorrent file downloads the OVA file.
b. After downloading it, please consider leaving it in your torrent application to help “seed”
the torrent to help others download it.
4. Verify that the .ova file has completed downloading.
5. Once the .ova file has been downloaded, double Left click on it, and you should see VirtualBox pop
up with setup information on the screen.
6. Make sure you choose a location that has enough disk space. For example, some systems have
limited space on the C: drive, so you can install the virtual appliance on your D: drive or an
external drive.
7. Scroll down to make sure the settings match your needs. For example, you can increase the RAM
if you have a lot available or add more virtual CPUs if your system can handle it. Do not go above
what you have physically available to your primary OS.
8.



9. Left click on Import.
10. Left click on Agree.
11. Wait until CSI Linux is installed. This may take a few minutes. Sit back or take a break.
12. You should now see CSI Linux as a system in VirtualBox.
13. Double Left click on the CSI Linux VM.

14. The VM should start in a new window. When it gets to the login prompt, enter the username and
password.
a. User: csi
b. Pass: csi
15. Press or click “Log In.”
16. You should now be in CSI Linux.



Optional - Changing Disk Size
If you want more space within CSI Linux, you can increase it to meet your needs.

Step 1

• Make sure the CSI Linux Virtual Appliance is turned off.
• Left click on “File.”
• Left click on “Virtual Media Manager.”
• You should now see a new window pop up. Left click the CSI Linux VM drive.
• Left click on “Properties.”
• Towards the bottom, you can either slide the scale or type in the exact size you want the drive to grow.
• Then Left click “Apply.”

Step 2

• When the virtual media window closes, start the CSI Linux VM.
• Log into CSI Linux.
• Open a terminal window by left clicking on the terminal icon.
• Type in the following and press enter.

sudo gparted

• Use the password “csi.”
• Right click on the CSI Linux drive (example: 30.00 GB). Then Left click on “Resize/Move.”
• Slide the slider bar to the far right or type in “0” for the “Free space following (MiB)” and
press enter. This should now fit the new size you created in step 1.
• Left click “Resize” and then Left click the check icon.
• Left click “Apply.” When it is done, Left click “Ok,” then close Gparted.

You can now start using your investigation environment with more disk space.



Methods of using the CSI Linux Virtual Appliance

There are two ways to use the CSI Linux virtual appliance for cyber investigations. The
most common method is to use one instance of CSI Linux for multiple cases. The case
management system separates the cases into their folders, makes an MD5 hash of all the
files in the case, and compresses them into the archive folder when you are done with
your tools.

The second method is to use one CSI Linux instance for one case. This is a popular
method for Law Enforcement and other organizations that need to ensure
Confidentiality, Integrity, and Availability of the evidence. When the case is done, you
archive that instance and save it as your evidence container. This way, the
environment is only used for one case, and there is no possibility of accidental cross-
contamination if you enter the wrong case information. When a case is closed, you can
move it to a “Closed Cases” group within VirtualBox. When you need to clear up space or
officially archive the cases, you can create an OVA appliance of the CSI_Linux_CaseName
virtual machine, copy it to two locations (backup redundancy), and remove the CSI Linux
instance from VirtualBox.

We are going to walk through both methods.

1. CSI Linux for multiple cases
2. CSI Linux for one case (Sandboxed)

You need to download and install VirtualBox and the VirtualBox Extension Pack from
virtualbox.org/wiki/Downloads. Then you need to download the “.OVA” file for CSI
Linux from csilinux.com/download.

CSI Linux for multiple cases

Step 1

1. Double Left click on the CSI Linux .ova file.
2. Go through the setup wizard.
3. Wait for it to install.

Note: You should see a CSI Linux instance in VirtualBox. Start the virtual machine,
and you are good to go.



CSI Linux for one case (Sandboxed)

Step 1

• Double Left click on the CSI Linux .ova file.
• Go through the setup wizard.
• Wait for it to install. You should then see a CSI Linux instance in VirtualBox.
• Right click on the virtual machine group “CSI Linux.”
• “Rename Group” to CSI Linux Master. This will act as your “golden image.” Keep the
original OVA file and archive it in case there is a reason you need to backdate your CSI Linux
Master.

Note: We do this because we will use the CSI Linux Master as the baseline image to clone
new cases from. When you update the CSI Linux Master, the new cases will also contain
the updates.

Step 2

Now, for our first case.

• Right click the CSI Linux VM (in this instance, it is CSI Linux 2021.2)
• Left click on “Clone.”

Change the following to meet your environmental needs:

• Name: Needs to be a unique case name.
• Path: Point to a large enough disk to store your cases.
• MAC Address Policy: Switch to “Generate new MAC addresses for all network adapters.”
• Left click “Next.”



• Make sure “Full clone” is chosen.
• Left-click Clone
• Now wait.

• Once done, you should have a second CSI Linux instance.

• Right-click on the new case instance and Left click on “Group.”

• Right click on the new group and rename the group to “Active Cases”.

• Drag the new case instances into the Active Cases group and not onto another VM instance.
If you do, it will create a new subgroup. Rinse and repeat.



Step 3

Archiving the cases is very similar. If this is the first time you are archiving a case, Right click on
the VM instance you want to archive from the Active Cases and Left click on “Group”.

• Right click on the new group.
• Rename the group to “Archived Cases”. You can also rename it “Closed Cases” if that makes
more sense or makes it more visually different to minimize potential mis-grouping.
• Drag the new case instances to archive into the Archived Cases group and not onto another
VM instance. If you do, it will create a new subgroup. Rinse and repeat.

Step 4

You export the VM instance to move the cases off the investigation system for offline storage.
To do this:

• Right click on the VM instance.
• Left click on “Export to OCI”.

Change the following to meet your environment needs:

• Format: Open Virtualization Format 0.9
• File: Point to a disk that is large enough.
• MAC Address Policy: Leave the default.
• Additional: Check “Write Manifest file”.
• Left click “Next”.
• Left click “Export”.
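Checking “Write Manifest file” makes VirtualBox add a .mf file to the export that lists a digest for every file in the OVA (the OVF manifest format is one SHA1(name)= hex or SHA256(name)= hex line per file). The shell functions below are an added example, not VirtualBox's or CSI Linux's own tooling, for re-checking that manifest after the archive has been copied to its two storage locations, so a truncated or silently altered disk file is caught before the container is relied on as evidence. They assume POSIX sh with GNU coreutils (sha1sum, sha256sum) and tar; the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not VirtualBox's or CSI Linux's code): verify the OVF manifest
# that "Write Manifest file" places next to the exported VM. Each manifest line
# has the form  SHA1(file)= hex  or  SHA256(file)= hex ; the digest of the named
# file in the manifest's directory is recomputed and compared.
# Assumes POSIX sh with GNU coreutils (sha1sum, sha256sum) and tar.

# verify_ovf_manifest MANIFEST.mf -> prints one status line per entry and
# returns 0 only if every listed file exists and matches its digest.
verify_ovf_manifest() {
    mf=$1
    dir=$(dirname "$mf")
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            SHA1\(*\)=*)   tool=sha1sum ;;
            SHA256\(*\)=*) tool=sha256sum ;;
            *) continue ;;              # blank or unrecognised line: ignore
        esac
        name=${line#*\(}; name=${name%%\)*}
        expected=$(printf '%s' "${line#*=}" | tr -d ' \r' | tr 'A-F' 'a-f')
        if [ ! -f "$dir/$name" ]; then
            printf 'MISSING  %s\n' "$name"; status=1; continue
        fi
        actual=$("$tool" "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$name"
        else
            printf 'MISMATCH %s\n' "$name"; status=1
        fi
    done < "$mf"
    return $status
}

# ova_manifest_check CASE.ova -> unpacks the OVA (a plain tar archive) into a
# scratch directory and verifies the .mf it contains. Returns 2 when there is
# no manifest at all, which is itself a finding: the export was made without
# "Write Manifest file" and cannot be integrity-checked this way.
ova_manifest_check() {
    ova=$1
    work=$(mktemp -d)
    tar -xf "$ova" -C "$work" || { rm -rf "$work"; return 2; }
    mf=$(find "$work" -maxdepth 1 -name '*.mf' | head -n 1)
    if [ -z "$mf" ]; then
        printf 'no manifest in %s\n' "$ova"; rm -rf "$work"; return 2
    fi
    verify_ovf_manifest "$mf"; rc=$?
    rm -rf "$work"
    return $rc
}
# Usage (placeholder path): ova_manifest_check ~/Archive/CSI_Linux_Case001.ova
```

Run ova_manifest_check against each of the two copies you made; a non-zero exit on either copy means that copy should not be used as the evidence container.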



Creating a CSI Linux Bootable Drive
The new CSI TorVPN (runs like Tails) will encapsulate all your traffic through a Tor
“VPN” adapter when it is turned on.

This forensically sound bitstream copy of CSI Linux was created as a RAW dd copy to
ensure that everything installed works exactly like the system it was imaged from. This
means that you can take imaging software, copy the dd file to a disk, and it should boot
just like it did before it was imaged. The Raw copy is 54 GB and compressed to 5GB for
download speed. This should allow it to be copied on ANY functional 64 GB USB.

You must be able to:

• Edit your computer BIOS.
• Allow for legacy booting.
• If booting off an external drive, change your boot device or boot order.

Requirements
• 64 GB free space minimum
o This is for the file download and extraction of the 32GB image.
• 64+GB hard drive or USB up to a 2 TB drive. This will be the boot device.
• 6GB Ram minimum
• Imaging tool that can copy a RAW (DD) forensic image to a disk.
o HDDRawCopy is included in the download if you would like to use it.
• Internet for the internet related tools and updates

Installing the system


1. Download the CSI Linux 2021.1 Bootable file from the download section.
a. If you are using the Torrent file or Magnet link, you will need to use BitTorrent software to
open those. The BitTorrent file downloads the files required.
b. After it is downloaded, please consider leaving it in your torrent application to help “seed”
the torrent to help others download it.
2. Verify that the .7z file has completed downloading.
3. Once the .7z file has been downloaded, extract the files.
4. Make sure you choose a location that has enough disk space. For example, some systems have
limited space on the C: drive, so you can extract the files to your D: drive or an external drive.
5. Open HDDRawCopy1.10Portable.exe.
a. The first page is for the source disk/image to copy. Verify it says “SOURCE.” If not, close
the application and restart. If it does, double-click on “File: Double-click to open the file.”



b. Pick the CSI-Linux-2022.1-RAW.dd file you extracted from the CSI-Linux-2022.1-
RAW.dd.7z file. This will be 32GB in size. If it is only 5GB, it is not the right file. The 32GB
file is inside the 5GB file. Extract it and point this file to the bigger file.

c. Left click on “Continue.”
d. The next window should say “TARGET.” If it does, double click the drive you want to install
CSI Linux onto. This cannot be the drive you are currently booted off of. In this example, it
is the USB: Seagate BUP Slim SL.
e. Left click “Continue.”
f. Left click “Start.”
g. Verify that this is the right source and destination. Picking the wrong target will destroy
data you don’t want to lose, and you will have a bad day. Left click “Yes” if you are sure.
h. Now, wait until done. Then close HDDRawCopy.



Booting the drive
1. Enter the BIOS of your computer and allow for legacy boot. Many times, this is done by pressing
the “F2”, “Del,” “F12”, or other keys when you first start the computer. Each computer is different,
so you may need to research how to get into your BIOS. Some systems allow you to press “F8” to
pick a drive to boot from on a one-time basis.
2. Boot off the drive.
3. Enter the username and password when it gets to the log-in prompt.
a. User: csi
b. Pass: csi
4. Press or click “Log In.”
5. You should now be in CSI Linux.



CSI Linux Bootable “Triage” Drive
If you want to use CSI Linux as an Incident Response triage drive, allocate most of the disk
for a second partition formatted as NTFS. This will allow you to plug the triage drive into a live
running Windows computer and run Windows incident response or forensics tools. Tools
like FTK Imager, NirLauncher, and PortableApps are commonly used. We have a
download on the CSI Linux download page with useful tools as an example that you can
use. To set this up, install the tools on the Data partition, then add whatever else you
would like to use.

The first step in installing PortableApps on the NTFS partition is to go to the
portableapps.com website and download the PortableApps.com Platform. This is a small
launcher program that allows you to run portable apps from your external drive. Once
the download is complete, open the installer and select the drive you wish to install the
platform on.

Next, you can browse the portableapps.com website and select the apps you wish to
install. For example, I might choose to install HashMyFiles, XnView, and VLC media
player. Once you have selected the apps you wish to install, simply click on the download
button and the apps will be downloaded and installed on your external drive. You can
even install NirsoftLauncher or FTK ImagerLite in the drive:/PortableApps/ folder.

Now you can use your external drive to run your portable apps on any Windows
computer without the need to install them. This can be particularly useful when
conducting investigations, as it allows me to access my tools and evidence from any
computer without the need to install software or leave behind any traces.

We have created a PortableApps package containing many of the tools we use during
DFIR investigations. These are tools used by first responding Law Enforcement units and
corporate security units alike. These tools are for Windows based systems and reside on
the NTFS partition. If you are interested in using what we use, you can download the
compressed archive from our website. Just extract the archive onto your NTFS Data
partition. Just update the software and tools when needed.

CSI Linux Windows Triage Package: https://csilinux.com/download



CSI Linux Workstation M01
Welcome to the all-new CSI Linux Workstation with CSI Linux 2023 installed. That’s
right, CSI Linux offers a system with CSI Linux pre-installed so you can start using it right
out of the box.

About this Item

• [AMD A9 9400 2.4 GHz up to 3.2 GHz Mini PC CSI Linux] ATOPNUC CSI Linux mini pc comes with the
AMD A9 9400 processor, 2C/2T, 2.4 GHz, up to 3.2 GHz, pre-installed CSI Linux system.
• [Large Capacity & Flexible Storage Expansion] AMD A9 9400 minicomputer is equipped with high speed
8GB DDR4 and 128GB SSD, allowing the small computer to handle multiple tasks at the same time with
high performance.
• [Dual 4K UHD Screen Display] The Mini desktop computer
has two HDMI ports supporting 4K UHD display and connects with up to two display monitors for
multi-tasking to save time and improve your work efficiency.
• [Fast Transmission & Multiple Function] Small portable pc employs 1x USB-C port, 2x USB 3.0 ports,
and 2x USB 2.0 ports for multiple use. USB-C (Data only) supports 10 Gbps ultra-fast and stable data
transfer. Bluetooth 5.0, 1000MB/s LAN, WIFI 2.4G+5G dual band for stable and reliable
networking.
• [Quiet Fan Reliable Service] The Mini PC built-in quiet cooling fan helps cool down the
minicomputer’s hardware to reduce hardware loss.
• You can Upgrade to 16GB Ram and an additional slot to add a 2.5-inch SSD/HDD for increased
storage.



Optional Changing the Disk Size
Step 1

1.) Log into CSI Linux.
2.) Open a terminal window by left clicking on the terminal icon.
3.) Type in the following and press enter.

sudo gparted

4.) Use the password “csi.”


5.) Right click on the CSI Linux drive (example: 30.00 GB). Then Left click on “Resize/Move.”

6.) Slide the slider bar to the far right or type in “0” for the “Free space following (MiB)” and press enter.
This should now fit the new size you created in step 1.

7.) Left click “Resize” and then Left click the check icon.

8.) Left click “Apply.” When it is done, Left click “Ok,” then close Gparted.

You can now start using your investigation environment with more disk space.



List of tools in CSI Linux
CSI Linux Tools
• Start a Case
• API (Website for Services)
• CSI API Management
• Powerup
• CSI Tor VPN
• CSI Gateway - Using Whonix
• What is my IP address?
• CSI Social Media Search
• CSI Domain Information Search
• CSI Dark Web Investigation
• CSI Geolocator
• CSI Website Screenshot
• CSI Video Downloader
• CSI Video Conversion

Secure Comms

• Messaging Applications
  - Discord
  - Element
  - Pidgin Instant Messenger
  - qTox
  - Signal Messenger
  - Slack
  - Telegram
  - WhatsApp
  - Zoom
  - LinPhone
  - Anbox – Android in a Box

Encryption

• Encryption Tools
  - Ccrypt
  - GPA
  - KeePassXC
  - Zulu Mount
  - Zulu Crypt
  - Veracrypt - plausible deniability
• Online/Remote Password Cracking
  - Medusa
  - XHydra
• Offline Password Cracking
  - Hashcat
  - John the Ripper, GUI, CSI 2john GUI
  - Ncrack
  - Chntpw
  - OphCrack
• Steganography
  - OutGuess
  - StegHide
  - StegSnow
  - StegSuite
  - StegCracker



Computer Forensics
• Forensic Disk Imagers
  - Guymager
  - DCFL DD
  - DC3 DD
• Data Recovery Imagers
  - DD Rescue GUI
  - RecoverDM
• File Recovery
  - Foremost Data Carver
  - MagicRescue
  - PhotoRec
  - RecoverJPEG
  - RecoverMOV
  - RecuperaBIT - NTFS
  - Scalpel Data Carver
  - Scrounge-NTFS
• File Analysis
  - * FFMpeg GUI (WinFF)
  - RegRipper - NT Registry
  - Vinetto
  - PDF Info
  - PDF-Parser
  - PDF Detach
  - PDF Separate
  - EXIF Data
  - XnView - Image Analysis
  - Forensic Registry Editor (fred)
  - DumpsterDriver
• CSI Image Mounter

Mobile Forensics
• Android Logical Imager
• APK Tool
• * ALEAP
• Heimdall – Samsung Devices
• Whatsapp Messenger Version 2.20
• Android Free Forensic Toolkit
• * iLEAP
• ISO Logical Imager

Malware Analysis
• APK Tool - Android APK
• Binwalk
• PDFID
• *JD-GUI
• * GDB
• * EDB Debugger
• UPX
• * ImHex
• wxHexEditor
• Ghidra
• * IDA Free
• Radare2
• Radare2 - Cutter GUI
• RetDec

There are many more tools in the platform.



Case Management
As a computer forensics specialist with a background in online investigations and
OSINT, I understand the importance of being able to effectively organize and manage the
evidence collected during an investigation. A case management system is a tool that
helps investigators to do just that. In this article, I will explain in detail what a case
management system is, and how it can help to organize the evidence and build reports.

A case management system is a software tool that allows investigators to store, organize,
and manage all the evidence and information related to a specific case. It can include a
variety of features such as case notes, file storage, and report generation. The system can
be used to store digital files, such as images and videos, as well as physical evidence, such
as documents and devices.

One of the key features of a case management system is the ability to organize evidence
into specific case folders. This allows investigators to easily locate and access the
evidence they need, without having to search through a large number of unrelated files.
For example, if I am investigating a cybercrime case, I can create a case folder for that
specific case and store all of the relevant evidence, such as website logs, chat logs, and
screenshots, in that folder.

Another important feature of a case management system is the ability to generate or
build reports. This can include a variety of different types of reports, such as case
summaries, timelines, and evidence lists. Reports can be generated in various formats,
such as PDF or Excel, and can be easily shared with other members of the investigation
team.

For example, let's say an investigator is trying to track down a suspect involved in
financial fraud. The investigator would use the case management system to store all the
evidence related to the case, such as bank statements, transactions, and suspect
information. The investigator can use the system to generate a report that summarizes
the case, including a timeline of the suspect's activities, and a list of all the evidence
collected. This report can then be shared with other members of the investigation team
to help them build a case against the suspect.

The case management system built into CSI Linux was built to assist cyber forensics
experts during digital investigations. The interface has evolved based on the needs of real-
world investigations and through forensic training.



Starting a Case
To start a case in CSI Linux, you will use the “Start a Case” Icon on the desktop or the one
located on the bottom left of the screen.

When the program opens, you should see a similar screen to this.

Left click on “Start a Case”



Now for the case…

If you are starting a new case, left click “Start New Case.”

If you are opening an existing case, left click “Open Existing Case.”

We are going to start a new case at this step. You should now see a case wizard pop up
like the image below.



The highlighted sections in the “Start a new case” form are required for each case. It is
suggested to fill in the rest of the information because this will be saved in the case for
the document templates and reports. In this example, we are using:

• Case: Case001
• Investigator: Your name
• Case Type: Hacking Case

Once the information is filled in, left click on “OK”.

You should now see a new window that looks like below.

At this point, you can pick what type of investigation you want to start with. Many cases
will start with OSINT/SOCMINT/Online Investigation and that will be located in the
OSINT section.



Now to explain what just happened in the background… When that last window popped
up, it created a case folder called “Case001” and a folder called Archive in the Cases folder.
This is located in the csi user home folder.

/home/csi/Cases/Case001
or
~/Cases/Case001

Let’s look in the Case001 folder.

The most used folders are going to be the:

• Export
• Forensic Evidence Images
• Report
• Tools
• Video

The Folders:

• The “Export” folder is where most of the online evidence is going to be stored.
• The “Forensic Evidence Images” folder is where you would store your forensic images of drives.
• The “Report” folder is where your Document Template reports will be stored.
• The “Tools” folder is where programs like Hunch.ly and Autopsy will store their case data and
databases. This keeps all the data related to the case using those tools in the Case folder, makes
backing up easier, and isolates the evidence data to minimize contamination of evidence from
other cases.



The Files
• The “audit.log” file keeps track of tools that were used during the investigation.
• The “caseinfo.txt” stores the information you entered when starting the case.
• Case001.MD5 stores the hashes of all the files in the folder. This file gets created when the case
program is closed, so it does not exist yet at this point.

Now, let’s get back to the program. We should see several different options. Each should
follow the flow of an investigation. For example, it is common to start an investigation off
with an online investigation or intelligence gathering to gain probable cause to start an
investigation. After Probable Cause is given, there is Forensic Imaging, then the
Forensic/Analysis options. Reporting is next within the Document Templates, and
Encryption is last to securely store the data. Each main section is based around the
forensic framework flow. The secondary sections are subject specific.

Here is a reminder list of the options:

• Open Source Intelligence (OSINT) / Online
• Dark Web Investigations
• Video Capture Tools
• Make a Logical copy of a Mobile device
• Mount a Forensic Image or Virtual Machine
• Computer Forensics
• Network Forensics
• Malware Analysis
• Document Templates for the Case
• Use Encryption

If you click on Open Source Intelligence (OSINT) / Online, you will see a window that
looks like this.



Let’s walk through the OSINT Tools.

Domains and Websites

This opens the Domain Recon Window. Within this window, you will have several
options to collect evidence from webservers and services. This includes:

• Gather Domain Information
  o DNS information and Subdomains
• NMAP Domain
  o Basic portscan of a domain or IP address
• Get Links from a page
  o Capture all the links from a URL and save them to a file
• Metagoofil
  o Download files (PDF, Doc, etc.) from a domain
• HTTrack
  o Mirror or capture an entire website
• Web HTTrack (GUI)
  o Graphic User Interface for HTTrack
• CSI Website Screenshot
  o Take a screenshot of a URL and save it as a graphic
• GEO Location
  o Opens up the CSI Geolocation application for IP/SSID/BSSID



Geolocation

If you click on Geolocation IP/SSID/BSSID, the CSI Linux Geolocation app will open and
allow you to search for wireless access points using the Wigle API and search for the IP
address using the Shodan.io API.

SOCMINT

If you click on Social Media (SOCMINT), you should see a window like this open:



Capture Video

If you need to capture a video for evidence, you can pull down both downloads and
streaming media.

Dark Web Investigations

For Dark web Investigations,



Closing a Case

When the case closes, every file in the case folder will be hashed. Then the entire folder
gets added to a zip archive with the case name and timestamp and saved into the
~/Cases/Archive/ folder. This gives you a backup or snapshot of your case every time
you close the case management program.
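The case lifecycle the page describes (the folder layout created under ~/Cases, the caseinfo.txt and audit.log files, and the hash-then-archive step that runs when the case program closes) can be reproduced with a handful of shell functions. The block below is an added example, not CSI Linux's own Case Management code. It assumes POSIX sh with GNU coreutils (md5sum, sha256sum, find, tar) and writes a .tar.gz snapshot instead of the zip the CSI tool produces; the caseinfo.txt format, the audit.log line format and the manifest names are assumptions modelled on the page. It keeps the page's MD5 manifest but adds a SHA-256 twin, because MD5 catches accidental corruption but does not resist a deliberately substituted file, and its verify step also flags files added after hashing, which a plain md5sum -c would not notice.

```shell
#!/bin/sh
# Added example, not CSI Linux's own code: a minimal re-implementation of the
# case lifecycle described above. start_case builds the folder layout the page
# lists, log_tool appends to audit.log, hash_case/verify_case cover the "every
# file is hashed" step, and archive_case makes the timestamped snapshot.
# Assumptions: POSIX sh with GNU coreutils (md5sum, sha256sum, find, tar); the
# snapshot is a .tar.gz rather than the zip the CSI tool writes; manifest names
# (<Case>.MD5, <Case>.SHA256) mirror the page's Case001.MD5.

# start_case CASES_ROOT CASE_NAME -> creates CASES_ROOT/CASE_NAME (and the
# sibling Archive folder) and prints the case directory path.
start_case() {
    root=$1; name=$2
    case_dir="$root/$name"
    mkdir -p "$case_dir/Export" "$case_dir/Forensic Evidence Images" \
             "$case_dir/Report" "$case_dir/Tools" "$case_dir/Video" "$root/Archive"
    # caseinfo.txt holds what the wizard asked for (format assumed); audit.log starts empty.
    printf 'Case=%s\nCreated=%s\n' "$name" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        > "$case_dir/caseinfo.txt"
    : > "$case_dir/audit.log"
    printf '%s\n' "$case_dir"
}

# log_tool CASE_DIR TOOL [ARGS...] -> one timestamped line per tool run, the
# record of which tools touched the case (line format assumed).
log_tool() {
    case_dir=$1; shift
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$case_dir/audit.log"
}

# hash_case CASE_DIR -> writes <Case>.MD5 and <Case>.SHA256 in md5sum -c format,
# covering every file in the case folder except the manifests themselves.
hash_case() {
    case_dir=$1
    name=$(basename "$case_dir")
    ( cd "$case_dir" && find . -type f ! -name "$name.MD5" ! -name "$name.SHA256" \
          -exec md5sum {} + ) > "$case_dir/$name.MD5"
    ( cd "$case_dir" && find . -type f ! -name "$name.MD5" ! -name "$name.SHA256" \
          -exec sha256sum {} + ) > "$case_dir/$name.SHA256"
}

# verify_case CASE_DIR -> 0 if both manifests exist, every listed file still
# matches, and no file has appeared since hashing; 1 otherwise.
verify_case() {
    case_dir=$1
    name=$(basename "$case_dir")
    [ -f "$case_dir/$name.MD5" ] && [ -f "$case_dir/$name.SHA256" ] || return 1
    listed=$(wc -l < "$case_dir/$name.MD5")
    on_disk=$(cd "$case_dir" && find . -type f ! -name "$name.MD5" ! -name "$name.SHA256" | wc -l)
    [ "$listed" -eq "$on_disk" ] || return 1
    ( cd "$case_dir" && md5sum -c "$name.MD5" && sha256sum -c "$name.SHA256" ) >/dev/null 2>&1
}

# archive_case CASE_DIR ARCHIVE_DIR -> compresses the whole case folder into
# ARCHIVE_DIR/<Case>_<timestamp>.tar.gz and prints that path.
archive_case() {
    case_dir=$1; archive_dir=$2
    name=$(basename "$case_dir")
    mkdir -p "$archive_dir"
    out="$archive_dir/${name}_$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$out" -C "$(dirname "$case_dir")" "$name" && printf '%s\n' "$out"
}

# close_case CASE_DIR ARCHIVE_DIR -> what closing the case program does:
# hash first, then snapshot; prints the archive path.
close_case() {
    hash_case "$1" && archive_case "$1" "$2"
}
# Usage (assumed paths): d=$(start_case ~/Cases Case001); close_case "$d" ~/Cases/Archive
```

Running verify_case before the folder or its snapshot is handed to anyone else is the chain-of-custody check the page's MD5 file exists to support; the audit.log lines tell the reviewer which tools produced the data in the folder.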

Note: the case will grow over time, and you may collect a lot of archive files. You may
need to clean up the archive folder on a regular basis to save on space.

You can also move the Case folder to another location with the Case Management >
Settings > Move Case option. This moves the Case folder data to the new
location and replaces the original folder with a link. As far as any tools or normal usage
go, it will act like the original folder at ~/Cases.

So, to review. When you start a case, it will create your case folder with the name of the
case you chose in the beginning. Each folder is designed to hold specific types of
information including an isolation folder for tools like Hunch.ly, Autopsy, and more.
This helps organize the evidence you acquire during investigations and minimizes the
possibility of cross contamination.

