Don’t Miss DEFT: v5X Review
Almost two months have passed since Stefano Fratepietro released the ‘100% Italian’ forensics distribution, DEFT Linux v5X. With support for its development from the Italian Information System Forensics Association, this 660MB+ Xubuntu-based distribution is one not to miss.
- Start-Up
Similar to the high number of *buntu derivatives, the boot screen presents the option to start DEFT, run the Memtest utility or boot the hard disk after asking for the preferred language. No time wasted on the booting screens; plain-text from the 2.6.31-14-generic kernel scrolls by to a text-based prompt. Nothing appears out of the ordinary here but those with sharp eyes may notice this message displayed:
ramzswap disk size set to 127340KB
Adding 127340k swap on /dev/ramzswap0
This is not activating swap partitions on the hard disks but creating a swap area from spare RAM at /dev/ramzswap0. On another common forensic concern with Linux booting, the output also confirms that ext3 partitions — on the CD image and the hard disks alike — are mounted as ext2, even at this stage. This ensures the journal is never replayed and so the partitions are not modified, as noted in my earlier post on CAINE v1.5. Rest assured that the booting process does not compromise forensic reliability: hashes of disk drives with ext3, FAT32 and NTFS partitions, taken before boot-up and again after shut-down, yielded identical results.
When the system has booted — noticeably snappier than other Live distributions, might I add — DEFT drops the user at the root command prompt, with advice to type startx for the graphical desktop. While admins everywhere may find this harsh, a low-memory computer may benefit from such a default and many applications can still be used from the console. One would imagine that, should it be necessary, the text prompt would be a fall-back option anyway. Unfortunately no further information was given at this prompt, so the X graphics system was started without hesitation.
- Desktop & Applications
The LXDE/Xfce desktop is presented without complaint after one startx command. Despite the overwhelming control the root user has, the privileges are given to ensure system-level applications work effectively. The desktop is well presented and comprises the file manager, terminal, MountManager, CD writer and an ‘Evidence’ folder. I am unsure about this tactic of giving the user a default location in memory for collected files: first-time users may wrongly assume the folder is permanent storage, though conversely it may have the opposite effect once it is obvious the folder is not on the user’s usual media.
The Computer Forensics menu contained applications one would expect to find, such as Autopsy, Guymager, Ophcrack, Wireshark and a hash calculator, GHash. There were also a few applications I had not found in other distributions, specialist or otherwise, such as:
- Gigolo: easily connect to remote file-systems (SSH, FTP, WebDAV etc.)
- SciTE: text editor
- ClamTK: virus scanner
- XPlico: comprehensive network traffic capture with an Autopsy-like interface
The inclusion of these applications allows DEFT users to perform more on-site tasks than other distributions, extending its usefulness beyond simple acquisition, verification and light analysis. Issues such as viruses, the transmission of network data and data collection from remote sources can now be identified in the field.
A number of user-friendly additions appear in the Preferences menu, such as easy network file sharing — prompting installation of services if they are not present — and desktop configuration. (If these are recent additions in the (X)Ubuntu base I cannot say, as I’ve very little experience with it.) The toolkit is further improved with support for AFF and EWF files and their utilities, LVM utilities and desktop recording. These applications and libraries make DEFT a highly mature and worthy toolkit for forensics and incident response.
It was the third desktop icon that drew my attention before any other: MountManager is a QT-based file-system mounting application. Unfortunately it is not so user-friendly; littered with per-file-system options to select, it lists the storage media available to the system in a check-box heaven. While the DEFT developers can do nothing about this, the interface is nothing short of horrendous on any resolution below 1200 pixels. On my first run, I conducted a test to simply mount ext3, FAT32 and NTFS partitions from MountManager, as if on a suspect system. Unfortunately this was to no avail: the partitions simply did not respond, and no indication was given as to why.
My mistake was perhaps using MountManager’s default /mnt mountpoint, as MountManager worked when /media was used instead. When the PCMan File Manager was used, however, the partitions were mounted with default R/W options in the /media directory. Quite why neither application defaults to read-only mounting is a question I hope future releases answer, along with a prominent warning to current users.
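The two points above, that ext3 media must never have its journal replayed and that the only proof of a clean boot is a matching hash before and after, can be checked with a few shell functions. This is an added example and not part of DEFT or MountManager; it uses the standard mount(8) option noload (which achieves on the ext3 driver what DEFT achieves by mounting as ext2) and sha256sum, and the image and mountpoint paths are placeholders.

```shell
#!/bin/sh
# Added example (not DEFT's own code): build a read-only, journal-free mount
# command for suspect ext3 media, and verify by hashing that an acquisition
# step left the evidence untouched.

# Print the mount command an examiner should use for an ext3 device or image.
# $1 = block device or image file, $2 = mountpoint
safe_mount_cmd() {
    # ro     : never write to the evidence
    # noload : do not replay the ext3 journal (the write that CAINE/DEFT avoid
    #          by mounting ext3 as ext2)
    # noexec : never execute binaries found on suspect media
    opts="ro,noload,noexec"
    case "$1" in
        /dev/*) ;;                      # a real device needs no loop option
        *)      opts="$opts,loop" ;;    # an image file must be loop-mounted
    esac
    printf 'mount -t ext3 -o %s %s %s\n' "$opts" "$1" "$2"
}

# SHA-256 digest of a file or device, digest only (no filename).
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Run a command against the evidence and return success only if the
# evidence hash is identical before and after, i.e. nothing was modified.
# $1 = evidence path; remaining arguments = the command to run
verify_unchanged() {
    ev="$1"; shift
    before=$(digest "$ev")
    "$@" >/dev/null 2>&1
    after=$(digest "$ev")
    [ "$before" = "$after" ]
}

# Example run on a constructed image file (placeholder paths).
if [ "${0##*/}" = "deft_mount_check.sh" ]; then
    safe_mount_cmd /tmp/suspect.dd /media/evidence
    safe_mount_cmd /dev/sdb1 /media/evidence
fi
```

verify_unchanged fails as soon as the wrapped command writes a single byte, which is exactly the condition a read-write default mount would silently violate.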
A point worth discussing seems to apply to all manner of contemporary operating systems: memory usage. After my trial exploration of DEFT, the free -h command reported 400 megabytes in use of the half-gigabyte allocated to the virtual machine. This was confirmed after a restart, where the figure was still 325 megabytes with just the desktop and terminal running. Both figures seem unnecessarily high considering any acquisition or similar task will consume more than its fair share of resources. This did not affect normal running of the desktop and applications; they performed to expectations at these levels. However, when the virtual machine’s RAM was decreased to a lowly 256 megabytes, 240 was used; similarly, only 2 megabytes remained free from 128. This led to a sluggish desktop and a near-impossible application experience on low-end specifications, compounded by noticeably increasing start-up and working times. This is arguably common to all CD-based live distributions but still worth considering in situations where memory is not up to contemporary standards.
- Conclusion
One would imagine the wide-ranging collection of software given in DEFT is of particular importance to the parties using the distribution; one can assume they need more than the generic acquisition and analysis of systems while remaining within the scope of live response. This is extended by the inclusion of extra libraries and more fully-featured tools, and DEFT now raises the bar set by the competition. These show that a generous amount of time and consideration has been put into the development of DEFT. One could argue performance will be hampered on lower-specification systems, especially if any intensive tasks are completed, but this is a weakness of many similar distributions. Despite this, its relevance to IR is commendable, and it has become a mature and highly useful distribution.