CSI Linux: Linux Distribution for Cyber and OSINT Investigation

Intro

In today's world, where cybercrimes are becoming increasingly widespread, it is important to have access to effective tools for investigation and counteraction against these threats. One such tool is the CSI Linux operating system, specially designed for the needs of cybersecurity and cyber investigations. CSI Linux aims to provide users with tools for fast and accurate detection of digital traces and evidence that can be used for criminal investigations or for ensuring cybersecurity in organizations. The developers of this operating system claim that it simplifies the process of collecting, analyzing, and interpreting digital data, making it an important tool for professionals in the field of cybersecurity and cyber investigations. But is it really so? Let's find out...

Basic information

To begin with, I would like to provide some basic information about this distribution.

Official website: https://csilinux.com/

As of the writing of this article, CSI Linux uses Ubuntu 22.04 LTS as its base platform.

CSI Linux is an open-source project, so anyone interested can contribute to making it better.

The installation process is quite simple, and there are many videos on this topic, such as this one.

Although the process has changed slightly now, after downloading the disk image, you simply need to add (Machine -> Add) the virtual disk file in Vbox format to VirtualBox for it to run.

To log into the system by default, use the username "CSI" and the password "CSI."

There is also a whole book dedicated to working with CSI Linux, which can be purchased here.

The terminology, list of all available software in CSI Linux, and other documentation are available at this link.

Previously, CSI Linux had three separate packages on the CSI Linux Investigator platform, but now CSI Linux Gateway and CSI Linux Analyst are merged into one package, while CSI Linux SIEM is available as a separate image on the official website. All distributions can also be downloaded from the official website.

For a better understanding, let me describe the three components of CSI Linux mentioned above:

CSI Linux SIEM: This is a virtual machine included in the CSI Linux Investigator distribution. In fact, it is an Ubuntu distribution that includes a configured Zeek IDS and ELK Stack (Elasticsearch, Logstash, and Kibana). It is used as an intrusion detection system to protect other virtual machines (CSI Linux Analyst and CSI Linux Gateway), process logs, and display data on the management panels of CSI Linux Analyst.

CSI Linux Gateway: This is a TOR user gateway that operates in a "sandbox" using utilities such as AppArmor, Jailbreak, and Shorewall Firewall. When using CSI Linux Analyst + CSI Linux Gateway, all traffic will pass through the TOR node.

CSI Linux Analyst: This is the "core" of this distribution. It is a virtual machine running Ubuntu with a large amount of pre-installed software grouped by categories. We will discuss the list of categories later.

It's worth noting that in the Incident Response menu, there is a section for CSI SIEM, but it is not active and displays "CSI SIEM Installer and Launch utility coming soon…" indicating a likely intention to integrate it with the third distribution. However, in any case, you can install and run SIEM separately using virtualization in VirtualBox, allowing you to have the full set of packages on the same server.

Functionality review

Now, let's get a bit closer to the mentioned operating system. To start working, we create a case (click on the "Start a Case" icon on the desktop or go to Menu -> CSI Linux Tools -> Start a Case). Then, all subsequent operations can be performed within the created case, where the results will be stored. Upon creation, you are immediately prompted to start work, and there are several options in the CSI Case Management Menu.

It's important to know that most of the software is not pre-installed, and an automatic installation script is launched when selecting a program. Now, let's quickly go through the list of programs (both pre-installed and not) in each available category:

CSI Linux Tools:

A set of programs for system updates, management of CSI Tor VPN and Whonix Gateway for traffic routing, working with API resources used in CSI Linux, downloading videos, creating screenshots from various online resources, and much more.

Secure Comms:

This category includes "secure" online messengers.

Encryption:

Everything for decrypting hashes, password cracking, storing passwords, and personal data.

OSINT/Online Investigations:

A fairly large category where everyone can find the necessary tools for OSINT tasks. Among the most interesting are social media searches, phone and email searches.

Dark Web:

If the investigator encounters connection problems, this category is suitable. 'TOR > VPN,’ 'WHONIX'’ and so on, all for pleasant surfing.

Incident Response:

Everything for incident investigation, malware scanners, network analysis (Wireshark), and more.

Computer Forensics:

Computer forensics (data recovery and file analysis).

Mobile Forensics:

Mobile forensics tools for analysis and work with mobile phones.

Vehicle Forensics:

A set of utilities for working with the CAN (Controller Area Network) protocol. CAN is a network technology widely used in automation, embedded devices, and the automotive industry.

Malware Analysis and Reverse Engineering:

For the analysis of malicious scripts and programs, reverse engineering.

SIGINT:

A set of programs for radio channel analysis, hacking, and programming (FM, WiFi, etc.).

Virtualization:

A set of managers for virtualization.

Threat Intelligence:

Threat reconnaissance, cybercrime maps worldwide, and more.

Practice

Below are some screenshots of CSI Linux in action, demonstrating several tools and functionalities. You'll find attempts to search for individuals by username and email, showcasing the system's capabilities in gathering information from various sources.

Conclusion

After a basic introduction to the system and conducting several tests searching by phone, email, and username, I can say that CSI Linux partially works out of the box, but in most cases, you need to configure the software you're trying to investigate. There's an issue with blocking bots, through which criminalization occurs, as Tor VPN IP addresses have a poor reputation, or maybe sites identify it as bot activity and quickly block connections. The system is noticeably geared towards working with the world's most famous resources and social networks, but it lacks "out-of-the-box" support for local ones, which may be the most significant in a particular country. The set of programs is quite interesting, although not everything works right away, as already noted. For example, when I searched for data using my email, Buster found an article from 15 years ago on "Economic Truth" mentioning my address and Skype account. However, a simple Google search can find the same and even more. Furthermore, a search by username produced a bunch of irrelevant and unreliable information, which theoretically could be useful if filtered manually.

Now I would like to add a little comparison with a competing system to CSI Linux and a more well-known operating system. Kali Linux, a Linux distribution, is popular in the cybersecurity community and is a basic tool for many cybersecurity specialists. However, comparing these two systems, we can say that the software offered by default in each of them is quite different. It's essential to understand that all the software presented in CSI Linux can be installed on Kali Linux and vice versa, as both are based on Ubuntu/Debian and are essentially extensions of the base. As the developers themselves claim, Kali Linux, with its set of programs, is more geared towards tasks such as penetration testing, security research, computer forensics, and reverse engineering. As soon as you log in and look at the main menu, you'll find mostly software for testing websites, social networks, or servers for vulnerabilities or hacking. There are many different bots, attackers, network analysis programs, and so on.

So, these two systems are based on the same foundation but are created and configured for different tasks, although they can replace each other. CSI Linux has the right to exist, and it is definitely improving, but much needs to be "fine-tuned" to fit its needs, and one should be prepared for that. The "breakthrough" through the set of programs exists, but it lacks a wow effect and has quite a few inconsistencies.

I hope you found this article interesting. By the way, I should mention that the CSI community has its own academy where you can take a course on various aspects of the project. Details are available at the CSI Linux Academy.