Tag Archives: workflow

Building a Linux based Digital Forensic Workflow – Part 2 – OS & Communications

The overall title of this series has been based around the “Digital Forensic Workflow” – I mean this in it’s broadest sense. This isn’t just about the imaging / examination side of things – but the full life cycle. From first client contact to the final report ( and billing ! )

Possibly you read a pair of articles that I wrote on Forensic Focus – Part 1 and Part 2 here – in which I mentioned that I’ve “put out to pasture” my old Mac Book Pro and obtained a shiny Lenovo X1 Carbon – just before the Superfish scandal hit. That particular issue didn’t bother me overly as, I never even booted the machine into Windows – as soon as it came out of the box it had Fedora Core 21 installed on it from a USB stick ( yep, no optical media drive on the Lenovo ). Everything on the laptop seems to work without any tinkering – even the fingerprint reader flashes away when authentication is required, although I have not made use of it … yet …

I’m a fan of Fedora – this is news to no-one by now I suspect – and it has been my choice of Linux flavour since it came out. My youngest daughter’s laptop runs Ubuntu ( 14.04 I think – I can’t remember what I installed ) and my workhorse desktop is currently running Antegros ( an Arch based distro – to be fair, as a mix between an experiment and the fact that I couldn’t actually get Ubuntu running satisfactorily on it with a dual-Nvidia dual-monitor setup ). There are many more machines kicking around – not least a rather substantial1 HP rack-mount server that is currently running VMWare ESXi – that are awaiting conversion.

For now though we are going to focus on my mobile computing platform (!) – the others will get their own write up in due course.

So, what exactly does one use a laptop for then ? Well, in my case the list pans out pretty much as follows:

  1. E-mail – a lot !
  2. Writing – which breaks down to:
    1. Blogging ( like this )
    2. Word-Processing
  3. Social Media type stuff – Twitter, Facebook etc.
  4. System Administration of other things
  5. Research ( web, but also other more “hand-on” things )
  6. Coding
  7. Skype (?) / Instant Messaging (?)

I don’t really play games on my laptop – not even solitaire, so I’ve left that off the list – although, again, may come back to that one later2 !

Staring at the top, but not particularly promising to continue in any given order …Thunderbird E-Mail

I used to use Outlook on the Mac and on Windows – clearly this isn’t one that I can transfer across, being both unavailable for Linux3 so I need to find something else. That something else is Thunderbird ( at least it is at the moment, and so far, so good ). Thunderbird is the sister application of the Firefox web browser from Mozilla. Mozilla, for those of you who are interested in this sort of thing4, has a heck of a pedigree – created in 1998 when the source to the Netscape browser was released (in the 90’s Netscape Communicator was the dominant browser by a long shot) – it has since grown again to a powerhouse with Firefox, Thunderbird and Firefox OS even on phones.

Thunderbird is great for me – not dissimilar in it’s tabbed approach to e-mails to that which I’ve seen in Lotus Notes 9+ lately, I’d like tabbed composition of e-mails as well, rather than pop-outs, but I think I’ll either have to wait or write it ! To be honest, an e-mail client is an e-mail client pretty much – the basic concepts have to be there, otherwise it isn’t an e-mail client ! So effectively it is the enhancements – in the case of Thunderbird, called “Extensions” – that make the difference. I’m working with four that I like that are managing to make things easier for me.

Enigmail

Enigmail is the extension that manages the PGP encryption and signing of e-mails. Provided that you have PGP installed on your system, when you kick it off it talks you through the creation of a public / private key pair, and even uploads the public part for you to a key server. Then it is a matter of selecting the sign or encrypt icons in the compose window and you are done. Emails that come in, either encrypted or signed, are managed automagically and the decryption and / or authentication of signature is seamless.

Thunderbird Conversations

This is more of a pretty-fication rather than an actual tool – it sorts e-mails into conversations – so that you can see the back and forth of an e-mail chain all in the same place, rather than scattered over time. I like it – others may not. It also adds the feature of a “quick reply” in the same tab so that e-mails can quickly be responded to. The problem with that is that Conversations and Enigmail don’t want to talk to each other, so there are no signing / encryption options on the replies.

TaQuilla

This is an interesting one – I’m experimenting with this at the moment. Tagging allows you to assign a given message to a specific category ( for both visual separation – you specify the colour of the tag ) and for tag filtering. E.g. ( As is in mine ) Personal = green, Work = orange, Social Media = Purple etc. It makes it easy to carry out a quick scan. TaQuilla is a bayesian tag adder … This means that rather than you tagging the message, or having set rules to tag a message ( all e-mail from the better 1/2 becomes “Personal” ) it learns from the e-mails that you have already tagged. So, because I have tagged all messages from better 1/2, children, sibling and parents as green – it recognises the common features of _that type of e-mail_ so that when an e-mail comes that doesn’t necessarily match a specific rule ( e.g. a child sends from school e-mail rather than personal ) that it can recognise the e-mail with a degree of certainty and tag it as personal … Still training this one a little, but it is getting there.

Lightning

calendar

This is the calendar extension for Thunderbird – required in order to replace Outlook in my opinion. I could make use of another, separate calendaring application to track time, but I happen to like it as I tend to add things to my calendar most often when I’m with my e-mail so it makes sense for me ! I happen to have bound my calendar in Thunderbird to the online one that I have with my Google Account – it wasn’t my first choice, I actually wanted to continue to use my hosted Exchange calendar as my primary source – but it turns out that Microsoft doesn’t want to play particularly nicely with open standards for calendars, Apple won’t let me use iCal unless I make it public to everyone. So fine, I’m using Google. This means that I can sync the calendar across all my devices – laptop, iPhone & Android, which really is great as I’m bound to have one of the above around at any given time !

Thunderbird itself is configured to pick up and send my e-mail to and from Exchange over SSL/TLS IMAP and SMTP. So far, I have to say that it is proving to be a most viable option.


1. For home use anyhoo …

2. With the streaming features of Steam, even though the laptop itself doesn’t have the graphical oomph to pull of gaming. I may, once I get the main desktop machine running to my liking, give this a go …

3. Yes, I know about Wine and CrossOver … but why would I want to in this case ?

4. https://www.mozilla.org/en-US/about/history/details/

Tagged , , ,

Building a Linux based Digital Forensic workflow – Introduction

For the whole time that I’ve been doing Digital Forensics, I’ve been using Windows for it. This seriously irks me ! I’ve been in love with open source / free software since I installed my first Linux box at University. The original reason for the install was to avoid having to walk to the CS/AI labs in winter, in Edinburgh. I like being warm and dry as much as the next person – something that doesn’t happen often outside in Scotland in Winter. Linux emulated the SunOS / IRIX environment well enough that I could carry out my C / Prolog work without hypothermia.

Since then, I’ve always had _at least_ one Linux machine running at any one point in time – but since I stopped being a UNIX SysAdmin and started being a Security / Forensics Consultant, usually not as my main machine. I tried for a while to assuage my guilt by using Macs – well documented below – ‘cos at least they are “UNIX” machines when running OS X. Windows though has been an ever present thorn in my side, firstly for the running of proprietary forensic tools ( Oxygen, XWays Forensics & other odds and ends ), secondly for the running of games ( I don’t play many, but enough … ) and finally for the suite that is Office – something that has been required day-in-day-out for far, far too long …

Until now, I haven’t actually _tried_ to get rid of it though – having enough bits of hardware around to run Windows, MacOS and Linux both physically and in virtualised environments has meant that I don’t need to do it. The gnawing feeling that this is wrong has been exacerbated by tuning into a number of Linux podcasts ( I recommend Jupiter Broadcasting, Linux Action Show and Linux Unplugged ) and this had drawn to my attention that perhaps Linux is now “desktop ready”. And now Steam ( at least in theory ) works on Linux for some games in my library ( Bioshock Infinite ), there really is no excuse any longer.

This is it, I’m biting the bullet and removing Microsoft and Apple from my day-to-day workflow – for _everything_ forensics, security, documents, e-mails, IM/VoIP, games, calendar, phone synchronisation (but not phones themselves – I am aware of the Ubuntu phone and may make the switch at some point, but for now my iPhone remains) etc. etc. etc.

I think that there are some things that won’t be straightforward, I’ll admit that up front – but I sincerely hope that the Open Source Eco-System has solutions to all problems, and I’m not unwilling to dust of the few coding skills that I have in order to get to the end goal.

More to follow as this progresses …

Tagged , , ,