Monday, January 5, 2015

Mash That Key Releases LosBuntu

What it is...

   LosBuntu is a Live DVD Linux distribution (distro) that can be used to assist in digital forensic investigations. LosBuntu is the result of our desire to have a bootable forensic distro with all of the tools and features that we like, installed by us, controlled by us, and built by us. LosBuntu was built from a clean installation of Ubuntu 14.04 64-bit. Once that foundation was in place, many open source forensic tools were installed and tweaks were made to turn the installation into LosBuntu. The installation was then turned into a Live DVD using the tool remastersys.

   LosBuntu has been tweaked to never automount media. Although it will boot a computer without mounting its drives, it does not write-block them (LosBuntu may write to a pre-existing swap partition). The distro was primarily designed for analyzing images, not booted computers. Validated Linux distributions designed for acquisition have already been released and should be used for that purpose. Remember to always validate your results.
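A pre-analysis check that follows from the caveats above, written here as an added example rather than anything shipped with LosBuntu: it confirms that no swap area is active (the one place the text says the distro may write), checks whether the evidence device has been mounted, and sets the device read-only at the kernel level with blockdev(8) from util-linux. Assumptions: a POSIX sh, /proc/swaps and /proc/mounts in their standard layout, and root privileges for mark_readonly. The first two functions accept an optional file path so they can be exercised against constructed copies of the /proc files; the sample lines below are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: pre-analysis sanity checks for a booted LosBuntu session.
# Not part of the LosBuntu release; assumes util-linux blockdev(8) and root.

# Count active swap areas in a /proc/swaps-style file (default /proc/swaps).
# Prints the count; returns 0 when none are active, 1 otherwise.
active_swaps() {
    swaps_file="${1:-/proc/swaps}"
    # Line 1 is the header; every later non-empty line is an active swap area.
    n=$(awk 'NR > 1 && NF > 0 { c++ } END { print c + 0 }' "$swaps_file")
    echo "$n"
    [ "$n" -eq 0 ]
}

# Return 0 if the given block device appears as a mount source in a
# /proc/mounts-style file (default /proc/mounts), 1 otherwise.
# The trailing whitespace class keeps /dev/sda from matching /dev/sda1.
device_mounted() {
    dev="$1"
    mounts_file="${2:-/proc/mounts}"
    grep -q "^$dev[[:space:]]" "$mounts_file"
}

# Flag a block device read-only in the kernel and confirm the flag stuck.
# Needs root. This is a software flag, not a hardware write blocker.
mark_readonly() {
    dev="$1"
    blockdev --setro "$dev" && [ "$(blockdev --getro "$dev")" = "1" ]
}

# Constructed sample input standing in for /proc/swaps on a machine
# where the live session has activated a pre-existing swap partition.
sample_swaps=$(mktemp)
printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$sample_swaps"
printf '/dev/sda5\tpartition\t4194300\t0\t-1\n' >> "$sample_swaps"
active_swaps "$sample_swaps" >/dev/null || echo "warning: swap is active; swapoff before touching evidence"
rm -f "$sample_swaps"
```

On a real session, run active_swaps and device_mounted with no file arguments so they read the live /proc files, and call mark_readonly on each evidence device before attaching it with xmount, guymager or a loop mount. A read-only flag set from software is a useful belt-and-braces check, not a replacement for the validated acquisition distros the text recommends.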

What it is not...

   LosBuntu is not claimed to be better than any other distro, and should not be argued to be better or worse than one. LosBuntu is simply another forensic distro, one designed the way that we like it and released to the public in an attempt to give back to the forensic community. LosBuntu will save you the time and trouble of installing the tools listed below.

One neat usable feature...

   Because remastersys was used to turn LosBuntu into a Live DVD, you can re-use remastersys to create your own Live DVD distro. This means you can install LosBuntu to a hard drive, add just about any tool you wish, and then run remastersys to produce a new version of LosBuntu containing all of the tools and tweaks you installed, in essence your very own version of LosBuntu. Change the background, add or remove tools, do anything that you please. LosBuntu was released to you so that you can use it, tweak it, and improve it.

This is the list of packages that we have added to LosBuntu:

7zip, Abiword, Archivemount, Autopsy, Bkhive, Bleachbit, BTRFS-tools, Bulkextractor, Chntpw, Chromium-browser, Clamtk, Dcfldd, Dconf, DFF, Efw-tools, Exfat-fuse, Fileinfo, FileZilla, Flashplugin-installer, Foremost, FRED, Furiusisomount, Gddrescue, Gparted, Guymager, Hexedit, Hfsprogs, Hfsutils, Jacksum, John, libbde-alpha-20141023, libevt-alpha-20141229, libewf-20140427, libfuse-dev, libfvde-experimental-20140907, libfwevt-experimental-20141026, liblnk-alpha-20141026,
libpff-experimental-20131028, libsmraw-alpha-20141026, libvhdi-alpha-20141021, libvmdk-alpha-20141021, libvshadow-alpha-20141023, Log2timeline, Nautilus-open-terminal, Pasco,
Python-TK, Rar, Regripper plus plugins, Rifiuti2, Samdump2, Scalpel, SSH, Testdisk, Truecrypt 7.1a,
Vinetto, VLC, Volatility, W3m, Wine, Wireshark, Xmount, Zenmap

UPDATE on 4/26/2015:  Packages added
aircrack-ng, bless, curl, lvm2, macchanger, nautilus-wipe, proxychains, pv, reaver, seahorse tools, sshfs, tor, traceroute, Volatility 2.4, whois, wifite

UPDATE on 8/29/2015:  Packages added
recordmydesktop, libevtx, vmfs-tools, open-iscsi, boot-up-manager

UPDATE on 11/17/2015:  Packages added
hashcat, ntdsextract_1.3, lxde, libesedb, rdesktop

UPDATE on 12/14/2015:  Packages added
nbd-client, gdebi-core, veracrypt

UPDATE on 02/01/2016:  Packages added
hashid, git, hashcat2.0, newbackground, SMB Access

UPDATE on 05/13/2016:  Packages added
mdadm, dmraid, dos2unix, libqcow, libfvde, TorBundle5.5.5

UPDATE on 09/27/2016:  Packages added
xor.exe, plaso 1.5, ubuntu-zfs

The distro is 2.4 GB in size. The password is “mtk”, without the quotes. The MD5 of the ISO (LosBuntu_2018_01_04.iso) is 90bcdff015f81071283847b9b2916a38.
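A small helper for checking a downloaded ISO against the digest published above, added here as an example and not part of the LosBuntu release. It assumes GNU coreutils md5sum is available (standard on Ubuntu) and that the ISO sits in the current directory; the demonstration at the bottom runs against a constructed temporary file rather than the 2.4 GB image.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against a published MD5 digest.
# Assumes GNU coreutils md5sum. Not part of the LosBuntu release.

# verify_iso <path> <expected-md5>
# Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
verify_iso() {
    iso="$1"
    expected="$2"
    [ -f "$iso" ] || { echo "missing: $iso" >&2; return 2; }
    # md5sum prints "<digest>  <name>"; keep only the digest, lower-cased
    # so a digest copied from a web page in upper case still compares equal.
    actual=$(md5sum "$iso" | awk '{ print tolower($1) }')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $iso $actual"
        return 0
    fi
    echo "FAIL $iso expected $expected got $actual" >&2
    return 1
}

# Against the published release, run in the download directory:
#   verify_iso LosBuntu_2018_01_04.iso 90bcdff015f81071283847b9b2916a38

# Demonstration on a constructed file (MD5 of "hello\n" is well known).
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_iso "$demo" b1946ac92492d2347c6235b4d2611184
rm -f "$demo"
```

A matching MD5 tells you the download was not corrupted or truncated; it says nothing about who produced the file, so the digest should be read from the announcement page itself rather than from the same mirror that served the ISO.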

Download it from this link:  LosBuntu

Special thanks go out to my old friends at the lab Mark B, Paul I, Pete M, and John T. for the corny name, ideas, and testing. You guys are the best in the State, keep doing what you do best.

If this tool helped you during your investigation, we would definitely like to hear from you. You can leave a comment or reach me on twitter: @carlos_cajigas

Useful Links:

- LosBuntu used to analyze an MS12-020 RDP crash dump with Volatility (ComputerSecurityStudent).

- LosBuntu used to mount and convert a VMDK virtual disk to raw, on the fly (YouTube video).

- LosBuntu used for physical disk image acquisitions with Guymager (YouTube video).

- LosBuntu used to wipe and validate sterilization of physical disks (YouTube video).

- LosBuntu used to activate and set the Windows 7 Administrator password (ComputerSecurityStudent).