Looking for DFIR resources for criminal investigations

I am a detective (computer crimes, sex offense related crimes, child sexual abuse material related crimes, and digital forensics incident response) with a medium sized city police department. Approximately ten years ago I began to get into digital forensics related to criminal investigations, including all types of crimes. I started with mobile phones, then external media, and eventually went to training involving desktops and laptop systems. All of the hardware / software I have used and received training on has been based on Microsoft Windows systems with some exceptions for Apple Mac OS systems. Approximately one year ago I became interested in various Linux distros. About four months ago I started making Linux my daily driver, for personal use. Currently I’ve settled on using Pop!_OS.

I’m looking for dependable and reliable, Linux based applications for doing digital forensics of all types (external media, mobile phones, etc.). I’m open and interested in any suggestions related to hardware or software.

I have started familiarizing myself with Autopsy Digital Forensics and I have attended their basic course online, Autopsy Basics and Hands On (8-Hours). I have also started familiarizing myself with the distro Kali Linux as well.

It can be difficult to get local government funding for hardware, software, and training related to digital forensic investigations even though a mobile phone of some type is involved in almost every investigation.

I’m looking for some people with experience in this field who have come up with Linux based, open source solutions that I can depend on.

The agency that I work for does receive some small amounts of grant money and currently budgets for a license for Cellebrite UFED and Cellebrite Physical Analyzer.

Thank you and I look forward to this discussion.

This is definitely a very interesting topic!

I don’t personally have a background here, but I’m hoping that someone else may reply with better info.

I’m sure there are dedicated tools, and take this comment with a grain of salt, but I’m inclined to think that many Linux tools would work well here, even those that aren’t specific to forensics. For example, using dd to take an image of a hard drive would allow you to mount that image and inspect its contents without worry that something may get overwritten. That’s not necessarily the main reason people use dd, but it seems to me as though it would be a good fit for inspecting storage.

Hopefully someone else will have more experience than me.

1 Like
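The dd workflow described above, as an added example that is not part of the original post: image the source bit for bit, hash the source and the image to show the copy is identical (and that any change to the image is detected), and mount the image read-only for inspection. It assumes GNU coreutils (dd, sha256sum), awk and util-linux mount; the function names and the constructed sample "device" are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): dd imaging with hash verification.
# Assumes GNU coreutils (dd, sha256sum), awk and util-linux mount.

# image_source SRC DEST [BS]: bit-for-bit copy. noerror keeps reading past bad
# sectors and sync pads them with zeros so offsets stay aligned. Default block
# size 512 so a device whose size is a multiple of 512 gets no padded tail;
# with a larger bs, a padded tail would make the image hash differ from the source.
image_source() {
    dd if="$1" of="$2" bs="${3:-512}" conv=noerror,sync 2>/dev/null
}

# hash_file PATH: print only the SHA-256 digest.
hash_file() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_image SRC DEST: print both digests, return 0 when they match, 1 otherwise.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    echo "source: $src_hash"
    echo "image:  $img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# mount_image_ro IMG DIR: loop-mount read-only. noload (ext3/ext4) stops the
# kernel from replaying the journal, which would otherwise write to the image.
# Needs root; shown for completeness, not exercised by demo().
mount_image_ro() {
    mount -o ro,loop,noload "$1" "$2"
}

# demo: constructed 2 MiB "device" of random bytes. Returns 0 when the image
# verifies and a deliberately altered copy of it fails verification.
demo() {
    tmp=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$tmp/evidence.bin" bs=1M count=2 2>/dev/null
    image_source "$tmp/evidence.bin" "$tmp/evidence.dd"
    verify_image "$tmp/evidence.bin" "$tmp/evidence.dd" >/dev/null || { rm -rf "$tmp"; return 1; }
    # Append one byte to a copy: the hashes must now differ.
    cp "$tmp/evidence.dd" "$tmp/tampered.dd"
    printf 'x' >> "$tmp/tampered.dd"
    if verify_image "$tmp/evidence.bin" "$tmp/tampered.dd" >/dev/null; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}
```

Record both digests alongside the case notes at imaging time; re-hashing the image before each examination shows it has not changed since it was taken.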

Thank you, and I love your show. My two younger sons and I are getting ready to start watching your series on learning Python. I have three old MacBook Pro laptops, all running Pop!_OS, ready to go and we are all going to watch and code together this summer after the regular school semester ends.

2 Likes

That’s awesome! What an amazing way to spend time with family.

1 Like

In the spirit of helping in the way I can (which may paint me in a negative light), I realize few things are as black and white as people would like them to be, but you may be painting a “stay away” sign on your back among many of the folks that use Linux. Many of them are also privacy/security conscious and get more than a little uneasy when they hear LE and Cellebrite. Personally, I get fairly uneasy, but not incredibly uneasy :)

On the other hand, being open about it and creating relationships is probably your best bet.

I agree, it’s a difficult balance. I try to stay as unbiased as I can though, and I really think this is an interesting topic for sure. Forensics is one of those things that’s highly specialized and I don’t get exposed to it all that often (never).

I am a security professional, but not on the auditing side of the house.

From a security perspective, I’m sure you are already aware of the basics, chain-of-custody, the use of write-blockers for imaging while preserving the source. You’ll probably find some decent open-source solutions, but each will have its own function or goal. For example, ELK for deep diving through logs. Here’s a link to tools used to detect steganography (not sure if this is part of your work or not):

It’s hard to make specific suggestions for tools without specific use cases. The only thing listed above that I know would be required for your line of work is write-blockers.

Like others here, I’m a huge privacy advocate, but I acknowledge the need to protect others and their rights so I support what you do. But I am most definitely not a fan of Cellebrite.

If you can provide specific use-cases of what you are looking for, I’d be more than happy to help. If you prefer not to share this publicly, PM me. I’d be more than happy to help.

I am also a privacy advocate. I do not support government access to software and / or devices (built-in “back doors”). While I am interested in doing a good job for the community I serve, I am not interested in finding my way around people’s rights or the constitution. I support checks and balances for law enforcement; I routinely apply for Search Warrants, Investigative Subpoenas, etc. I understand the public perception of law enforcement at this time; however, I am truly trying to be “one of the good guys.”

A majority of my assigned cases are sex offense investigations or child exploitation. So, most of my investigations involve mobile devices (ex. mobile phones and tablets) and external media (ex. USB flash drives, memory cards).

Other than full examinations of mobile phones, I am usually looking for image files and video files stored on the device, or in various applications. So I’m looking for resources related to recovering data from mobile phones, recovering image files and video files.

Understood. I support what you are doing.

I don’t have any experience with any specific applications that fit your needs. Have you tried SIFT (SANS)? Also, CAINE is somewhat popular. If these, or others like them, don’t fit your needs, you will probably need to build your own toolbox, so to speak, of undelete utilities or tools that can recover deleted files. I know there are utilities that can be used to mount Windows-based drives on Linux. I don’t have any experience with mounting Apple devices.

The KDE desktop has a tool named KDE Connect. I have used it to connect to an iPhone and pull pictures. My experience led me to believe that this app probably works better with Android-based phones. That might be a start.

Any Linux distro should be able to mount USB drives; as mentioned, you might need to load NTFS drivers for some Windows-based external HDDs/SSDs. If the device is encrypted, well, then you have your work cut out for you. Good luck with that.

The only other thing I could suggest is to search for DFIR related forums or podcasts so that you can network with others.

I wish you well in your fight against these predators.

Thank you, I will give SIFT and CAINE a look.

1 Like

You’re very welcome.

Come back and post your thoughts after you have had a chance to review them.