Review: CSI Linux + Training
Disclamer: This is not a sponsered post. Nothing related to this post unless noted is provided by CSI Linux, its employees, or affliates.
Introduction
CSI Linux is another DFIR and cyber investigation Linux distribution in line with CAINE, Tsurugi, and SIFT Workstation. It has been developed over the last few years by the team at Information Warfare Center, who also run the Cyber Secrets YouTube channel.
In addition, training is provided for overview of CSI Linux providing two free courses:
- Getting Started with CSI Linux
- General Linux Administration
They also provide several paid courses in Open-Source Intelligence (OSINT), Social Media INvestigation (SOCMINT), and Darkweb Investigation.
If you want to skip the courses, you can view CSI training materials on the Cyber Secrets YouTube channel in the provided CSI Linux playlist.
Course: Getting Started with CSI Linux
I recently took the "Getting Started with CSI Linux" and it covers the following topics:
- What is CSI Linux?
- Downloading and installing CSI Linux
- Updating CSI Linux
- System Settings
- The Case Management System
- Case Mnaement Report TEmplate
- Importance of Anonymity
- Communication Tools
- Connectiong to Tor
- Online Video Collection
- 3rd Party Commerical Apps
The overview of topics are specifically tailered to basic usage of CSI Linux and directly related to solving particular types of cases.
Lets get the good and the bad out of the way first. I will update this list as the course updates. I will state that none of the Bad stuff should stop you from taking this course but be aware of a few things with the course.
Good
- Best Feature is CSI Case Management
- Videos (with voice audio) and general information is well thought out.
- Tor connectivity and background change are great and seem to integrate well with the platform.
Bad
- OVA is only installable in VirtualBox
- Navigation in the course is horrible at times. This is apparent after completing a quiz or reading some of the secured documentation.
- Some documentation is shown as PDFs instead of as HTML which makes some text hard to read and inline screenshots nearly impossible to understand.
Case Management
One of the features that I have not seen before in other DFIR distros, is a case management feature. This feature is not related to something like Autopsy or another DFIR suite, but it is created specifically for CSI Linux.
Creating cases is fairly stright forward by using the "Start a Case" link on the desktop. After inputing your case information (which is stored in "caseinfo.txt"), you get a folder structure like above. An investigator can run the tools directly from the CSI Case Management screen and the output of the tools are stored in the proper folders.
The idea of having this pre-built case structure is great. If you keep within the case management system, every tool you run will save within these folders.
If you are using CSI Linux, check out and test this area of the distro. It might change how you handle case files.
Course: Open-Source Intelligence (OSINT)
Introduction
After completing the Getting Started course above, I dove right into the OSINT course using a beta code. The covers the following topics:
- Base Process of Investigations
- Perserving Online Evidfence
- Phone Numbers and Info
- Ip Addresses, Proxies, and VPNs
- DNS, Domains, and Subdomains
- Importance of Anonymity
- Online Investigations Subjects
- Setting up an Online Web Persona - Sock Puppet
- Using your persona to investigate
- Website Collection
- 3rd Party Commerical Apps
- OSINT Frameworks (tools)
- Tracking changes and getting alerts
- Public Records Searches
- Geolocation
- Online Investigation with Images
- Social Media Sites
- Video Evidence Collection
- Market Places
- Crypto Currency
- Writting the [Investigation] Report
- Case Studies
- Practicing OSINTand Resources
Good
- Videos (with voice audio) and general information is well thought out. This extends to nearly all videos. Some great content found from all over YouTube centered in a single place.
Bad
- Navigation in the course is horrible at times. This is apparent after completing a quiz or reading some of the secured documentation.
- Some documentation is shown as PDFs instead of as HTML which makes some text hard to read and inline screenshots nearly impossible to understand.
Video Resources
As before, let me talk about one thing that really adds to the information in the course, the videos attached to each area. There is the videos on YouTube at CSI Linux playlist. However, there are videos from others as well:
For each of these channels (and others in the course), you should go follow on YouTube, Twitter, or other social media platforms.
Security research and information is a community effort and sometimes there are resources out there that should be spotted lighted. Resources such as using a particular tool or product provided by the developers such as in the cause of Hunchly and Maltego. I find it humbling that these resources are added to the course with additional information to make easy to follow and understand.
Practicing OSINT Skills
There are two places you can freely practice your skills:
First, TraceLabs provides a gamified way to pratice helping find missing persons using ONLY passive intelligence gathering.
You can be either a Judge or a participate during the CTF. You can read my take on these from a while back: "Trace Labs CTF Judge vs Member". They have ongoing operations and other ways to support and practice OSINT.
On the other hand, @quiztime twitter account posts images and videos (sometimes other things) that people can solve. Some people have some great solves and you can read them on quiztime's blog. You might also find information on how to improve your skills (example).
Conclusion
Who are these classes for? First, the Getting Started course (free) really show cases the distro and what it can and cannot do. If you are curous about it, start here. If have no idea or want to know the basics to some intermediate level information on OSINT, take the OSINT course. There are problems with some issues as outlined above but the developers are working on fixing them.
I did not find any of the issues a complete show stopper but just annoying at times (such as the navigation).
Where to go next?
If you want to move towards more digital forensics, you can try out Cyber5W. Disclaimer: I am partnered with them as a technicial reviewer. You want to check out DFIR Diva's site which contains a bunch of resources as well.
As for OSINT information, the people in the course (and partly listed above) have good resources. There is more advance OSINT training from The OSINTion which you can get one course for free if you particpate as a Judge for TraceLabs. The training provided is mainly for OSINT on people.