The rise in technology related crime – from criminal cases, civil disputes, employee misconduct, to acts of terrorism, etc. – has generated an urgent need for a new type of “skills”. Digital forensics is a field of great interest for users, developers, CxO, law enforcement agencies, prosecutors, judges, lawyers. Whether it is internal incident response in our companies or law enforcement’s investigations, it is very important to know the technical and legal bases of digital forensics. Very often digital forensics we see in companies or in the courtrooms is of the “black box” type: hardware or software tools of renowned producers are used without awareness. This subverts the principle of scientific investigation, where every instrument and every move that is performed must be well known, fully managed and controlled by the researcher and his peers. The talk will present some of the main Linux Live distributions for Digital Forensics, based almost entirely on free software, as well as practical examples of acquiring digital memories with the Guymager software. The landscape of open / free software forensic investigation tools (Autopsy, Linux Leo, Photorec, etc.) will also be presented.

1. © D.S.A. S.r.l. SFSCONF 14-11-2019
Open Source Digital Forensics
Open Source digital investigations
Alessandro Farina

3. What is digital forensics
NIST (National Institute of Standards and Technology - Special publication - 800-86)
Forensic science is generally defined as the application of science to the law. Digital forensics, also known as computer and
network forensics, has many definitions.
Generally, it is considered the application of science to the identification and collection, examination, analysis, reporting
of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
Data refers to distinct pieces of digital information that have been formatted in a specific way. People and organizations have
an ever-increasing amount of data from many sources.
For example, data can be stored or transferred by standard computer systems, networking equipment, computing peripherals,
personal digital assistants (PDA), consumer electronic devices, and various types of media, among other sources.

4. What is digital forensics
NIJ (U.S. Department of Justice – Office of Justice Programs – National Institute of Justice)
Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following
procedures that preserve the integrity of the data.
Examination: forensically processing collected data using a combination of automated and manual methods, and assessing
and extracting data of particular interest, while preserving the integrity of the data.
Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful
information that addresses the questions that were the impetus for performing the collection and examination.
Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and
procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data
sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for
improvement to policies, procedures, tools, and other aspects of the forensic process.

5. Galileo and Open Source

7. Fantastic closed and proprietary tools

8. Black box forensics

10. Tsurugi Linux is a new DFIR open source
project that is and will be totally free,
independent without involving any
commercial brand
Our main goal is share knowledge and
"give back to the community“
A Tsurugi (剣) is a legendary Japanese
double-bladed sword used by ancient
Japan monks

12. Guymager

13. Guymager

15. Bitstream imaging with open source tools
HANDS ON
GUYMAGER

16. Non religious approach

18. Thanks
http://www.linuxleo.com/
(very good introduction to DF)
Alessandro Farina
forensics@dsa.it