In today’s world, where cybercrimes are becoming increasingly common, it is crucial to have access to effective tools for investigating and countering these threats. One such tool is the CSI Linux operating system, specifically designed for cybersecurity and cyber research needs. The OS aims to provide users with tools for quickly and accurately detecting digital traces and evidence that can be used in criminal investigations or to ensure cybersecurity in organizations. The developers claim that it simplifies the process of collecting, analyzing, and interpreting digital data, making it an essential tool for professionals in the fields of cybersecurity and cyber research. But is this really the case? Let’s find out.
Basic information about the CSI Linux distribution
To start, here’s some basic information about this distribution. Official website: csilinux.com. As of the writing of this article, CSI uses Ubuntu 22.04 LTS as its base platform. The installation process is quite simple, and there are many videos available on this topic, for example:
However, the process has changed slightly: after downloading the disk image, to launch it in VirtualBox, you simply need to add the virtual disk file in vbox format (Machine -> Add menu). The default login credentials are user – csi, password – csi. There is also a comprehensive book dedicated to working with CSI Linux, which can be purchased, for example, on Amazon.
Previously, CSI Linux had three different packages on the CSI Linux Investigator platform, but now CSI Linux Gateway and CSI Linux Analyst have been combined into a single image. CSI Linux SIEM is now available as a separate image on the official website.
To better understand, let’s describe the three components mentioned above.
Read also: What is a Security Patch and Why Is It So Important?
CSI Linux SIEM
This is a virtual machine included in the CSI Linux Investigator distribution. Essentially, it is an Ubuntu-based distribution that includes configured Zeek IDS and the ELK Stack (Elasticsearch, Logstash, and Kibana). It is used as an intrusion detection system to protect other virtual machines (CSI Linux Analyst and CSI Linux Gateway) and to process logs and display data on the CSI Linux Analyst dashboards.
CSI Linux Gateway
This is a user TOR gateway operating in a “sandbox” using utilities like Apparmor, Jailbreak, and Shorewall Firewall. When using CSI Linux Analyst + CSI Linux Gateway, all traffic will be routed through a TOR node.
CSI Linux Analyst
This is the “core” of the distribution. It is an Ubuntu virtual machine with a large amount of pre-installed software grouped into categories. We will review the list of categories later.
It is worth noting that in the Incident Response section, there is a CSI SIEM section, but it is not yet active and displays “CSI SIEM Installer and Launch utility coming soon…”. However, you can still install and run VirtualBox through virtualization and launch SIEM as a separate virtual machine on it.
Terminology, a list of all available software in CSI Linux, and other documentation are available here.
More about the OS and programs
Let’s take a closer look at the aforementioned operating system. To start, create a case (click the Start a Case icon on the desktop or go to Menu -> CSI Linux Tools -> Start a Case). All subsequent operations can then be performed within the created case, where the results will be stored. Upon creation, you are immediately offered to start working, with several options available in the CSI Case Management Menu.
It’s important to note that most of the software is not pre-installed, and when selecting a program, an automatic installation script is launched. Now, let’s quickly go through the list of programs (both pre-installed and not) in each category.
CSI Linux Tools
A set of programs for system updates, management of CSI Tor VPN and Whonix Gateway for traffic routing, working with APIs of resources used in CSI Linux, downloading videos, creating screenshots from various online resources, and much more.
Secure Comms
This category includes “safe” online messengers.
Encryption
Everything for decrypting hashes, guessing passwords, storing passwords and personal data.
OSINT/Online Investigations
A fairly extensive category where everyone will find the necessary tools for OSINT tasks. Among the most interesting are: searching on social networks, phone, and email.
Read also: RCS protocol: what it is and how to use it
Dark Web
If a researcher has problems with connectivity, this category is right for them.
Incident Response
Everything for incident investigation, malware scanners, network analysis.
Computer Forensics
Computer forensics (lost data recovery and file analysis).
Mobile Forensics
Mobile forensics (tools for analyzing and working with mobile).
Vehicle Forensics
Automotive forensics. A set of utilities for working with the Controller Area Network (CAN) protocol. CAN is a network technology widely used in automation, embedded devices, and the automotive industry.
Malware Analysis and Reverse Engineering
To analyze malicious scripts and programs, reverse engineering.
SIGINT
A set of programs for analyzing, hacking, and programming a radio channel (FM, Wi-Fi, etc.).
Virtualization
Recruitment of managers to work with virtualization.
Threat Intelligence
Threat intelligence, maps of cybercrime around the world, and more.
Below are a few screenshots of CSI Linux. Attempts to search by username.
Read also: All About Frontier Supercomputer
Conclusion
After a basic familiarization with the system and conducting several tests searching by phone, email, and username, I can say that CSI Linux partially works out of the box, but in most cases, you need to configure the software you’re trying to investigate with. There is an issue with blocking bots used for criminal activities since the IP addresses through which the tor VPN operates have a poor reputation, or sites may identify it as bot activity and quickly block connections. The system seems to focus on popular global resources and social networks, but sometimes you want access to more closed resources, which are more popular in specific countries around the world.
Certainly, the set of programs is quite interesting, although not everything works immediately, as already noted. For example, when I searched for data using my email, buster found a 15-year-old article on “Economic Truth” mentioning my address and Skype account. However, a simple Google search can find the same and even more. Furthermore, when searching by nickname, it returned a bunch of irrelevant and unreliable information, which theoretically could be useful if filtered manually.
Next, I would like to add a bit of comparison with a competing operating system. In the cybersecurity community, a Linux distribution called Kali Linux is quite popular and is widely used among cybersecurity professionals. It can be said that the default software offered in each of them differs. It’s important to understand that all the software presented in CSI can be installed on Kali Linux and vice versa, as both are based on Ubuntu/Debian. Kali Linux is more intended for tasks such as penetration testing, security research, computer forensics, and reverse engineering. During the installation of Kali Linux, it is immediately apparent that this software is more geared towards testing websites (and social networks) or servers for vulnerabilities and breaches, as there is a lot of various bots, attackers, network analysis software, etc.
So, in my opinion, comparing these two systems doesn’t make sense, as they are based on the same foundation but created and configured for different tasks. CSI Linux has its place, but it needs to be customized to fit one’s needs. “Breaking through” using the programs is possible, but it lacks a wow factor and has enough drawbacks that can usually be addressed. By the way, they have their own academy where you can take courses on various parts of the project.
Oleksandr Nadtoka
[email protected]
Senior DevOps engineer
Read also: