Install Eric Zimmerman's forensics tools on Linux

Aug 7, 2024 by Thibault Debatty | 842 views

Forensics Linux

https://cylab.be/blog/355/install-eric-zimmermans-forensics-tools-on-linux

In a previous blog post, I presented the forensics tools written by Eric Zimmerman. Although these tools were originally developed for Windows, you can also run them on a Linux. This allows to run a full forensic investigation using a Linux computer.

Eric Zimmerman is a former Special Agent with the FBI and a renowned digital forensics expert, who developed a collection of tools to assist forensics analysts. The tools cover a broad spectrum of forensic tasks, including registry analysis and file system examination. Although these tools were originally developed for Windows, you can also run them on a Linux, as I will show in this blog post.

eric-zimmerman-tools.png

To do so, I will show how to :

  1. install Wine
  2. install .NET 6
  3. download and run the tools

Wine

To run the tools, you will need a recent version of the wine emulator. So you must install a recent version from the repository of wine.

Enable 32 bit architecture, as it is used by some wine components:

sudo dpkg --add-architecture i386

Import the signing key:

sudo mkdir -pm755 /etc/apt/keyrings
sudo wget -O /etc/apt/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key

Check your Ubuntu release and codename:

cat /etc/os-release

remmina_eric_127.0.0.1:15854_20240807-191853.png

Depending on your Ubuntu codename, add the appropriate repository…

For noble:

sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/noble/winehq-noble.sources

For jammy:

sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources

For focal:

sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/focal/winehq-focal.sources

Install wine:

sudo apt update
sudo apt install --install-recommends winehq-stable

For more details, see https://wiki.winehq.org/Ubuntu

.NET 6.0

The tools require the .NET framework version 6. You can download the framework from https://dotnet.microsoft.com/en-us/download/dotnet/6.0

Be sure to download the .NET Desktop Runtime for Windows

Selection_003.png

At the time of writing, the latest version is numbered is 6.0.32, so the file name is windowsdesktop-runtime-6.0.32-win-x64.exe. Yes, a .exe: you can double-click on the downloaded file and it will be executed (and installed) by wine.

remmina_eric_127.0.0.1:15854_20240807-185846.png

Eric Zimmerman’s forensic tools

You can now download the tools from https://ericzimmerman.github.io/

Unlike Windows, there is no installer or updater for Linux. So you must download each tool individually. Each tool is a .zip file that you must extract. Once done you can run the tool with a double-click.

remmina_eric_127.0.0.1:15854_20240807-193313.png

This blog post is licensed under CC BY-SA 4.0

Install Autopsy on Linux and on the SIFT workstation
Autopsy is an open-source digital forensics platform widely used for investigating and analyzing digital media, such as hard drives, memory cards, and smartphones. Developed by Basis Technology, it serves as the graphical front-end for The Sleuth Kit (TSK), a powerful collection of command-line tools for forensic analysis. It also includes additional tools like PhotoRec. Autopsy simplifies the forensic process by offering a user-friendly interface and features like timeline analysis, keyword searching, file carving, and metadata extraction.
Oct 16, 2024 | 226 views
Create your own plugin for RegRipper
RegRipper is a collection of powerful perl scripts that allow to dump the content of a registry hive file into readable text. RegRipper relies on a plugin mechanism. Hence in this post I will show how to create your own plugin for RegRipper. The example will be very basic, and will extract the value of the Current ControlSet.
Oct 15, 2024 | 418 views
Recover lost files with PhotoRec
PhotoRec is file data recovery software designed to recover lost files from hard disks, solid state drives, CD-ROMs and digital camera memory.
Oct 7, 2024 | 410 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept