The Penguin Sleuth Kit
by: Ernest Baca
PLEASE READ THIS PAGE BEFORE USING!!!
What is The Penguin Sleuth Kit?
The Penguin Sleuth Kit is a re-master of the KNOPPIX distribution of Linux. I have been very impressed with this distribution being that it all fits on a single CD and is so user friendly. It offers a GUI environment as well as the good old fashion command line environment fitting the novice user to the experienced user. So what is different about Penguin Sleuth? First of all my attitude is why re-invent the wheel if we already have a good wheel to start with. I also tried to keep most of the software installed, leaving a software rich environment for the heck of it. I changed several features that make KNOPPIX more forensic friendly which I will explain. I also added several additional network security auditing tools as well as forensic tools which I will list.
I hope you find this Bootable CD as useful as I have. Any suggestions are welcome please come visit me at www.linux-forensics.com. This CD and software is being offered free of charge to the Linux Forensics community under the GNU Public License.
Also note that I have included a first responders guide to previewing a computer using KNOPPIX which can be used with the Penguin Sleuth Kit. This manual was written by Arthur Bowker of the United States Probation Department and is a good resource for using this CD to do live previews of computers.This manual is on the CD and can be found by clicking on the link below or it can be found at www.linux-forensics.com.
KNOPPIX Live Preview Manual by: Arthur Bowker
Please note that this CD boots in to a user account called knoppix. For live previews this is ok but for advanced users some of the tools, even the graphical ones, require that you run them as root. You can accomplish this by going to the K menu and running it through a root shell or you can boot in to root to a command line by typing knoppix 2 at the boot prompt then typing startx from the command line for the graphical tools. Otherwise you can run all the command line utilities without running a GUI.
Support GNU and enjoy a life of FREEdom!!!!
Changes in KNOPPIX structure
Changed KNOPPIX so it wouldn't automatically mount swap partions (If you want to use swap you have to turn it on manually (Which for forensics isn't suggested). I use a thumb drive or USB external drive to set up swap using the mkmsdosswap command or from the KNOPPIX tools in KDE for older machines I am trying to preview (KDE is very memory intensive and it helps to make a swapfile on external media).
Removed most language modules to make space for new software (listed below).
Added several security auditing tools and forensic tools.
Cosmetic changes to add my own feel to the Distro.
QCAD -Another large package that I decided to take out.
Almost all of the language modules
List of Forensic and Network Security Tools installed - If listed as a command line tool you can run a root shell from the K menu under KNOPPIX. Most of these tools are not graphical.
Sleuth Kit - Command Line Forensic Tools - www.sleuthkit.org
autopsy - Part of Sleuth Kit
foremost - Command line data carving tool. Config file in /foremost directory. Need external storage to run properly - foremost.sourceforge.net
glimpse - Command line data indexing and searching tool. Need external storage to run properly - www.webglimpse.net
wipe - Command line utility to securely wipe hard drives and files - wipe.sourceforge.net
dcfldd - Enhanced DD imager with built in hashing. Works like dd from command line. For more info read the man page (man dcfldd).
etherape - Visual network monitor - etherape.sourceforge.net/
fenris - Multipurpose tracer - razor.bindview.com/tools/fenris/
honeyd - Command line honypot program - www.citi.umich.edu/u/provos/honeyd/
snort (Default Rules) - Command line network intrusion tool - www.snort.org
dsniff - Command Line network auditing and penetration testing tools - www.monkey.org/~dugsong/dsniff/
John The Ripper - Command Line Password Cracking tool - www.openwall.com/john/
Nikto - Webserver scanner - www.cirt.net/code/nikto.shtml
nbtscan - Command-line tool that scans for open NETBIOS nameservers - www.unixwiz.net/tools/nbtscan.html
xprobe - Command line remote operating system fingerprinting tool - www.sys-security.com
Ngrep - Command line Network grep Function - www.packetfactory.net/projects/ngrep/
Nemesis - Command Line network packet injector - www.packetfactory.net/Projects/nemesis/
fragroute - Command line network intrusion testing tool - monkey.org/~dugsong/fragroute/
fping - Command line multiple host ping utility - www.fping.com
TCPtraceroute - Command line traceroute TCP packages - michael.toren.net/code/tcptraceroute/
tcpreplay - Command line utility that replays a tcp dump - tcpreplay.sourceforge.net
Nessus - Graphical Security Scanner - www.nessus.org
Ethereal - Graphical Network analyzer - www.ethereal.com
Netcat - Command line tool to read and write over network - www.atstake.com/research/tools/network_utilities/
tcpdump - Command line tool that dumps network traffic - www.tcpdump.org/
hping2 - Command line packet assembler / analyzer - www.hping.org
ettercap - Command line sniffer / interceptor / logger for Ethernet networks - ettercap.sourceforge.net
openssh - Secure remote connection utility - www.openssh.com
Kismet - Graphical wireless network sniffer - www.kismetwireless.net
airsnort - Graphical wireless network intrusion tool - airsnort.shmoo.com
GPG - Encryption utility - www.gnupg.org/
OpenSSL - Secure remote connection utility - www.openssl.org/
lsof - Command line utility that lists all open files - read man page (man lsof)
hunt - Command line TCP / IP exploit scanner - lin.fsid.cvut.cz/~kra/index.html
stunnel - SSL connection package - stunnel.mirt.net
arpwatch - Command line Ethernet monitor - read man page (man arpwatch)
dig - Command line tool for querying domain name servers - read man page (man dig)
chkrootkit - Looks for signs of root kit - www.chkrootkit.org
Forensic issues to be aware of!!!!
I attempted to change the default user to root at startup in to KDE. It worked but the file manager crashed often. It seems more stable as user knoppix. You can go to a root shell from the KNOPPIX tools in KDE if you need to run commands as root. If you use the default boo up for NTFS and FAT 32 previews it shouldn't make a difference. Now if you want to run some KDE applications as root. You can boot KNOPPIX with the knoppix 2 command at the boot prompt. The 2 switch indicates that you will boot to the command line. Then if you startx from the command line that will boot you in to KDE as root.
There may be a law enforcement evidence issue using this CD for live forensic previewing of suspects computers that have EXT3 or reiserfs partitions installed. I currently did a KNOPPIX validation study which you can read here or on my web site. I have discovered that when mounting EXT3 and reiserfs partitions read-only the MD5 hash value for that partition changed. I have narrowed it down to a Linux problem not a KNOPPIX problem. After my discovery I did this same testing with other Linux distributions with the same results. Now I have only tested FAT32, NTFS, EXT2, EXT3, and reiserfs file system partitions. FAT32, NTFS and EXT2 partitions did not change. This is an issue that law enforcement needs to be aware of. At this time I only use this as a preview tool on known FAT32 and NTFS computers. This is only in reference to doing a live preview. Imaging and other forensic tasks can be done on a computer with this CD without changing the drive state (As long as you don't mount EXT3 or reiserfs partitons. EVEN READ-ONLY!!!). When in doubt I always use a hardware write blocker to be safe.
This CD has worked for the author on many occasions. The writer does not guarantee that it will work in every case. The world of computer forensics presents many different scenarios that cannot be guaranteed by this process. This is also a method that should only be utilized by experienced computer forensic examiners. The writer also takes no responsibility as to any damage that this procedure may cause. It is recommended that you have good backups of your computer before attempting this. The opinions of this author are his sole opinions. The author is in no way associated with KNOPPIX. This paper is not an endorsement for this products.