Linux Computer Forensics: Deft Linux 8.0b

Deft Linux 8.0b is out and it’s looking great.

A month or so ago I did a walk-through of some simple computer forensics using Deft 7 Linux (Carve and Sift: My Primer to Linux Computer Forensics). There have been several other versions of this distro to come out since then, but now that the beta for 8.0b has been released publicly, it marks a slight shift in the way Deft handles.

While my previous guide is still valid, there are a few additions that really place this version above its predecessors. I’m not going to go through every change (you can do that on their website), but there are some really neat features that I’d like to point out.

New Feel

The first thing that will hit you when you start Deft 8.0b is the new layout. While the base operating system is still Ubuntu (Lubuntu, to be precise), the LXDE desktop has been customized further than in the 7.x versions and now looks and feels like its own OS rather than a one-off Ubuntu derivative. The menu is themed for Deft 8.0 with a little 8-ball, and more icons have been added to the bottom panel.

The Desktop is more reserved and better organized.

The desktop still has the LXTerminal (a must) and the evidence folder, but gone is the “Install” option. Since this is a beta version it is unclear whether this is gone forever or if it will be back later. 8.0b is certainly installable as the boot menu attests.

Guymager, a very nice disk-imaging tool, has been added to the desktop alongside the file manager for quick access. You’ll see a “Get Screenshot” icon on the desktop in my screenshots, but I added that for this article; it is not there by default.

The menu panel is almost entirely new, with only LxKeyMap and the standard desktop selector carried over. A whole host of software has been moved into it, some of which was in previous versions of Deft but buried in the menu (like Autopsy) or only available on the command line. All in all this is a good move: the most-used programs are front and center, and the more specialist, less-used ones sit in the easily navigable menus.

New Software

Guymager is a welcome addition to Deft 8.

Deft 8.0b brings a lot of new software to the distro by default, and the latest versions of most of it. This version is 64-bit only; the 64-bit kernel can address up to 256TB of memory, whereas the 32-bit previous versions could only “see” 4GB (without PAE).

Again, their post on the update gives a broader view of the changes, but there are a few that I wanted to note in summary:

  • Cyclone is now at 0.2 and appears to be mostly the same as before. I’m assuming the changes are back-end.
  • Sleuthkit 4.0 stable is now included, but the Deft devs say that 4.1 will be on the official 8.0 release. [Website]
  • Guymager 0.7.1, mentioned above, is a very nice forensic disk-imaging tool. [Website]
  • Tor is now available pre-installed with browser. I’ve not much use for this, but it is an increasingly-popular internet-access method. [Website]

Skype Xtractor is also new and is probably my favorite addition to Deft 8. While I’m not a criminal investigator and generally only use the distro for file recovery, its future utility could be invaluable. Skype Xtractor is a command-line program that extracts the tables from Skype’s main.db (an SQLite database) and chatsync files and outputs them as HTML. So far you can only get it on Deft 8, but it’s so useful I can’t imagine it won’t show up elsewhere.
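To show what a tool of this kind actually does, here is an added example (mine, not Skype Xtractor’s code) that walks every table of an SQLite database and emits one HTML report. The database, a cut-down Messages table with two constructed rows, is built inline, and its column names are assumptions about the Skype schema rather than taken from it. Two details matter for evidence handling: the file is opened read-only through a file: URI so nothing is written back to it, and every cell is HTML-escaped, because chat bodies come from the people under investigation and would otherwise execute in the examiner’s browser.

```python
"""Dump every table of a Skype-style main.db to one HTML report (added example,
not Skype Xtractor's code; the Messages columns below are assumptions)."""
import hashlib
import html
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed rows: (id, chatname, author, from_dispname, timestamp, body_xml).
# The second body deliberately carries markup: chat content is controlled by the
# people being investigated, so the report must escape it.
SAMPLE_MESSAGES = [
    (1, "#alice/$bob;1a2b", "alice", "Alice", 1372000000, "hi bob"),
    (2, "#alice/$bob;1a2b", "bob", "Bob", 1372000060,
     '<script>alert("xss")</script> see <a href="http://example.test">link</a>'),
]


def build_sample_db(path):
    """Create a small SQLite file that imitates the shape of main.db."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, chatname TEXT, "
                "author TEXT, from_dispname TEXT, timestamp INTEGER, body_xml TEXT)")
    con.executemany("INSERT INTO Messages VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.close()


def make_sample_db():
    """Write the constructed database into a fresh temporary directory."""
    db = str(Path(tempfile.mkdtemp()) / "main.db")
    build_sample_db(db)
    return db


def sha256_file(path):
    """Hash the evidence file so the report records exactly what was parsed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def open_read_only(path):
    """Open via a file: URI with mode=ro so nothing is written to the evidence."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def list_tables(con):
    rows = con.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def render_cell(column, value):
    """Escape every value; integer 'timestamp' columns are shown as UTC."""
    if column == "timestamp" and isinstance(value, int):
        value = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    return html.escape("" if value is None else str(value))


def table_to_html(con, table):
    # Table names come from sqlite_master rather than the user, but quote anyway.
    cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
    columns = [d[0] for d in cur.description]
    out = ["<h2>%s</h2>" % html.escape(table), '<table border="1">',
           "<tr>" + "".join("<th>%s</th>" % html.escape(c) for c in columns) + "</tr>"]
    for row in cur:
        cells = "".join("<td>%s</td>" % render_cell(c, v) for c, v in zip(columns, row))
        out.append("<tr>" + cells + "</tr>")
    out.append("</table>")
    return "\n".join(out)


def export_db_to_html(path):
    """Return one HTML document containing every table in the database."""
    digest = sha256_file(path)
    con = open_read_only(path)
    try:
        parts = ["<html><body>", "<h1>%s</h1>" % html.escape(Path(path).name),
                 "<p>SHA-256: %s</p>" % digest]
        parts += [table_to_html(con, t) for t in list_tables(con)]
        parts.append("</body></html>")
    finally:
        con.close()
    return "\n".join(parts)


if __name__ == "__main__":
    import sys
    db = sys.argv[1] if len(sys.argv) > 1 else make_sample_db()
    print(export_db_to_html(db))
```

Run it with no arguments to see the report for the constructed database, or pass the path of a main.db copied off an image. The hash in the report header is there so the HTML can be tied back to the exact file it was produced from.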

New Everything Else

SciTE is a recently added text editor and is the sole resident of the new Programming menu.

Almost every other piece of software has been updated since Deft 7, and some have been given GUI front-ends, which is nice for beginners or those not terribly familiar with the Linux command line. The focus on 64-bit architectures with this version means it probably won’t supplant my use of Deft 7 completely; there are still quite a few 32-bit-only machines in use out there, and a 64-bit kernel will not boot on them.

If you’re familiar with Deft 7, then I’d recommend getting 8 and using it on your 64-bit machines when able, since everything that was in the previous version is in this one (even though it’s beta) and better. Switch back to 7 only if you have to do so. However, if you’re new to computer forensics then I’d recommend sticking to 7 or waiting for the official Deft 8 release which should be very soon.

-CJ Julius

Syncing Between Linux and Windows with BitTorrent

Skip the insecure Cloud with BitTorrent Sync

I’ve always been a DIY kind of guy when it comes to technology, and the idea of handing my data to cloud services such as Dropbox (and whoever has access to that data besides them) seemed a little iffy. The cloud, as great as it is for some things, isn’t built with much security in mind. Keeping data private on an internal system is hard enough; throwing it out to the internet only multiplies the problems.

That’s where BitTorrent Sync comes in. Built by BitTorrent Labs (and using the BitTorrent protocol), this solution boasts that it will let you sync between different OSes securely, without handing any of your data to a cloud provider. That removes the third party from the picture, and it isn’t that hard to set up. I put it on my Linux laptop (Stu) and a Windows 8 desktop (Zer0), both of which I’ve used in previous projects. It works, but it has a few caveats, as you’ll see below.

Installation on Linux

Linux installation is fairly easy, if a bit bare-bones. Instead of an installer of any kind, the package for BitTorrent Sync comes with a License.txt file and a single btsync binary. To start the software, simply unpack it, navigate to the containing folder in a terminal and run ./btsync. That’s it.

[code]$ cd /Location/of/File
$ ./btsync[/code]

The Linux binary can be configured through the webGUI (kinda) or the more robust sync.conf file.

However, unlike its Windows and MacOS brethren, there’s no standalone GUI. You’ll need to open a browser and head to a webpage served by btsync itself to administer it. In most cases you can use the address

From there you can select the folder you want to sync and generate a secret for it. The secret is what lets other computers access the folder: any machine that presents it joins the share, so treat it like a password and only hand it to peers you trust. Barring any conflicting firewall settings on your local machine, connecting a second computer should just be a matter of entering the secret when you add the folder there.

If you need the secret for a folder you set up previously, you can get it again from the gear icon next to its listing in BitTorrent Sync. On the Advanced tab you can also grab a “Read-Only” secret. A computer set up with that secret will read from the folder but never write to it. This is useful if you want updates to flow only one way, or if you want to let someone see what’s on your machine without the risk of them deleting or altering the files.

Installation on Windows

Next, I went to Zer0, my Windows machine, and installed the software. From what I understand, the Windows and MacOS versions are pretty much the same, so other than the intricacies of the Mac platform the installation and use should be very similar.

The Windows application is a little plain, but gets the job done.

After running the installer, you’ll be presented with a page that has several tabs. Go to the “Shared Folders” tab and click on “Add”. Put in the secret from the share that we want to access and click “Okay”. It should have all the information it needs to connect and start syncing. Mine did it automatically and pulled the four or so test files with no further work on my part.

You can also add a local folder and sync it here. By default it’s the btsync folder in your Documents directory. I just left this as it is for my testing purposes.

Tweaking the System

Now that it’s set up, you can do a few more things to shape it to your preferences. As you may have noticed, you can add any number of folders to sync at no cost, unlike most cloud services. If your primary concern is just moving files back and forth behind the scenes (as I do), that’s probably this setup’s greatest strength beyond security.

There are further options as well that fall into the more advanced users’ category. On the Preferences page in both the Linux WebGUI and the Windows application, you can set rate limits, alter whether the software loads at boot and some other odds and ends. In the Advanced section, you can do even more. Here’s a quick rundown of these options:

The conf file has pretty good explanations for every editable line

disk_low_priority: If True, BitTorrent Sync will run its disk access at low priority on the system. Turn this on if you’re noticing serious slowdowns elsewhere while BitTorrent Sync is working.

lan_encrypt_data: If True, BitTorrent Sync will encrypt data sent to peers on the local network. Keep this on if other people share that network: with it off, anyone able to sniff the LAN can read the files as they sync.

lan_use_tcp: If True, BitTorrent Sync will use TCP instead of UDP for local transfers. It uses somewhat more bandwidth but should (at least in theory) be more reliable.

rate_limit_local_peers: If True, BitTorrent Sync will apply rate limits (set in General Preferences) to local users. By default rate limits are only applied to external peers (those not on your network).

In Linux, these options as well as a few others are all stored in the configuration of btsync. You’ll need to go to the folder that you have btsync running in to access it. First, you’ll probably want to output a sample configuration and open it in a text editor to see all options you have. There are quite a few.

[code]$ ./btsync --dump-sample-config > sync.conf
$ gedit sync.conf[/code]

It’s pretty self-explanatory, but I want to direct your attention to the username/password fields in the webui section. Remember that webpage we went to earlier to set up the shared folder on Linux? It’s actually served by btsync on your own machine, and by default it has no login, so anyone who has access to the network can pull up your BitTorrent Sync options (share secrets included) and mess with them. Set a login and password here, and consider restricting the listen address to 127.0.0.1 if you only ever administer it from the machine itself.

Once you’ve organized things the way you want them in your sync.conf file, save it. Now, you can import it back into the BitTorrent Sync application by running btsync with the modified conf file as such:

[code]$ ./btsync --config sync.conf[/code]
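As an added example (mine, not BitTorrent Sync’s sample config or code), here is a small script that writes a sync.conf with the web UI bound to loopback, a random password and the share secret filled in, and that checks a config for the weak settings described above. It assumes the key names of the dumped sample config (device_name, a webui object with listen, login and password, and a shared_folders list of objects with secret and dir); those names are assumptions to verify against your own --dump-sample-config output before relying on the file.

```python
"""Generate and check a hardened sync.conf for the Linux btsync binary.
Added example; the JSON key names are assumptions about the sample config."""
import json
import os
import secrets

# Constructed example of the weak shape: web UI bound to every interface with
# no credentials, so anyone on the LAN can open it and change the settings.
WEAK_CONF = {
    "device_name": "Stu",
    "webui": {"listen": "0.0.0.0:8888"},
    "shared_folders": [],
}

LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "[::1]")


def build_sync_conf(device_name, folders, listen="127.0.0.1:8888",
                    login="admin", password=None):
    """Return a config dict with the web UI on loopback and a random password.

    folders is a list of (secret, directory) pairs; the secret is the share
    key from the web UI (use the read-only one for one-way copies).
    """
    if password is None:
        password = secrets.token_urlsafe(24)   # 32 URL-safe chars, not "password"
    return {
        "device_name": device_name,
        "webui": {"listen": listen, "login": login, "password": password},
        "shared_folders": [{"secret": s, "dir": d} for s, d in folders],
    }


def check_conf(conf):
    """Return a list of findings for the settings the post warns about."""
    findings = []
    webui = conf.get("webui", {})
    host = webui.get("listen", "").rsplit(":", 1)[0]
    if host not in LOOPBACK_HOSTS:
        findings.append("webui listens on %r, reachable from the network" % host)
    password = webui.get("password", "")
    if not password:
        findings.append("webui has no password")
    elif len(password) < 12 or password.lower() == "password":
        findings.append("webui password is weak")
    return findings


def write_conf(conf, path):
    """Write the JSON with mode 0600: it holds share secrets and a password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(conf, f, indent=2)


if __name__ == "__main__":
    # Placeholder secret and directory; substitute your own share's values.
    conf = build_sync_conf("Stu", [("PUT-SHARE-SECRET-HERE", "/home/cj/btsync")])
    print("weak config findings:", check_conf(WEAK_CONF))
    print("hardened config findings:", check_conf(conf))
    write_conf(conf, "sync.conf")   # then: ./btsync --config sync.conf
```

The file is created with mode 0600 because it contains the share secrets and the web UI password; anyone who can read it can join your shares. Binding to 127.0.0.1 means the settings page is only reachable from the machine itself, which is the right default for a laptop that moves between networks.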

Worth the Effort?

And that’s pretty much the ins-and-outs of the BitTorrent Sync application. I imagine that I’ll be using this not as my primary software to sync things between machines or as backups, but I will have it move files and folders from one machine to another periodically. Perhaps one could set up a backup drive on a server that just copies one way from all the machines that are linked to it. I imagine that could be a project for a different day.

On the whole this is a nice piece of software that pretty much does what it says it’s going to do, and securely. I know it’s Linux, but the lack of a real GUI and the complication of editing advanced options by way of the .conf file is kind of a downer. I’m totally fine with using the command line (in some cases I prefer it), but that drags down the score a bit on this one because it’s not very user friendly. Still, a fine piece of software that I will definitely be utilizing in the future.

Rating: 4.5/5 – Pretty darn good. However, the Linux version takes a little work to get customized and the Windows/MacOS advanced pages are a little confusing at first.

-CJ Julius