(Reposted and edited from my previous blog)
DEFT Linux is a digital forensics distribution I’ve briefly used, and I found it a very good alternative to HELIX and several other forensics tools I’ve accumulated.
It loads just like any live CD, and it’s based on a lightweight version of Ubuntu. The difference is that it boots into the command line by default, but the GUI can be loaded with the deft-gui command. The desktop environment is very similar to Gnome with a few differences, one of them being an Evidence folder, and the way software applications are organised into Disk Forensic and Network Forensic sub-menus.
The developers have put together a good range of applications, alongside components that make up the Digital Forensics Framework included in DEFT. Also available from the project’s site are extra tools that can be added to a DEFT Linux installation, and several variants of the OS.
There are three cases where I reckon DEFT Linux is best deployed. First, it can be run on a target system to analyse the local storage without affecting it, although I’m not sure whether the same precautions exist as with HELIX for protecting the integrity of the evidence. Second, installed on a lab workstation with a large array of storage devices connected, DEFT has everything needed to image, hash and analyse evidence.
Finally, and most importantly for network security, diagnostics and optimisation, DEFT has tools for analysing the local network and its traffic. Among the applications included are:
* ClamTK Virus Scanner
* MiTec Windows Registry Recovery
* XnView advanced image viewer
* Browser history viewers for IE, Firefox, Opera and Chrome
* GHex hex editor
* GUYMAGER forensic imaging tool
* DHash for creating MD5 and SHA1 hashes
* Digital Forensics Framework
* Autopsy Forensic Browser
* Wireshark network and traffic analysis program