Tsurugi Linux is a heavily customized open-source distribution focused on supporting DFIR investigations.
The project focuses mainly on live forensics analysis, post-mortem analysis, and digital evidence acquisition. Users can also perform malware analysis, OSINT and computer vision activities.
“We’ve crafted a user-friendly experience, organizing the main menu in a logical forensic analysis sequence. Our menu is your roadmap from device acquisition to integrity checks, artifact extraction, and reporting tools. It’s not just about familiarity; it’s about exploration. Dig into menu categories to discover new tools that cater to your analysis needs. And for the seasoned experts, every tool is at your fingertips, ready to be wielded precisely through the command line console,” Giovanni Rattaro, Tsurugi Linux core developer, told Help Net Security.
Tsurugi Linux has the “OSINT Menu Switcher” feature designed specifically for analysts conducting OSINT investigations. This tool streamlines the user interface by transforming the main menu with a single click, exclusively displaying tools relevant to OSINT. Along with this tailored menu, the wallpaper dynamically adjusts to highlight the shift in the operational profile, emphasizing the focus on OSINT tasks. Furthermore, this system offers extensive customization options, allowing users to create and personalize their unique profiles, ensuring that the interface meets their specific investigative needs.
“The most important feature is the device write blocker at kernel level that by default puts every connected device in Read-Only mode to avoid any accidental modification to the artifacts, and thus potentially compromising the investigation. Running the distro in TEXT mode (CLI) opens a special Acquisition Wizard tool we built, based on ncurses, that allows the analyst to easily follow the instructions using just a small amount of resources (CPU/RAM),” Rattaro added.
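Before imaging, an analyst would want to confirm that the kernel really does see every attached disk as read-only. The script below is an added example, not part of Tsurugi Linux or the article: it reads the kernel's per-device read-only flag exposed at `/sys/block/<dev>/ro` (1 = read-only, 0 = writable) and flags any device left writable; the constructed sysfs tree exists only so the check can be demonstrated offline.

```shell
#!/bin/sh
# Added example (not Tsurugi's own code): sanity-check that a kernel-level
# write blocker has left every block device read-only before acquisition.
# The kernel publishes each device's read-only flag in /sys/block/<dev>/ro;
# a write blocker that works at kernel level should leave all of them at 1
# until the analyst deliberately unblocks a destination disk.

# Print "<device> read-only|WRITABLE" for every block device under a sysfs
# root (default /sys). Returns 1 if any evidence-class device is writable.
check_block_devices_ro() {
    sysfs_root="${1:-/sys}"
    writable=0
    for dev in "$sysfs_root"/block/*; do
        [ -e "$dev/ro" ] || continue
        name=$(basename "$dev")
        case "$name" in
            loop*|ram*) continue ;;   # loop/ram devices are not evidence media
        esac
        ro=$(cat "$dev/ro")
        if [ "$ro" = "1" ]; then
            printf '%s read-only\n' "$name"
        else
            printf '%s WRITABLE\n' "$name"
            writable=1
        fi
    done
    return $writable
}

# Constructed sysfs tree for offline demonstration; touches no real device.
# $1 sets the ro flag of the fake "sdb" so both outcomes can be exercised.
make_fake_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/block/sda" "$root/block/sdb" "$root/block/loop0"
    echo 1 > "$root/block/sda/ro"
    echo "${1:-1}" > "$root/block/sdb/ro"
    echo 0 > "$root/block/loop0/ro"     # writable loop device must be ignored
    printf '%s\n' "$root"
}

# Run against the live system only when asked: ./check_ro.sh --check
if [ "${1:-}" = "--check" ]; then
    check_block_devices_ro /sys
fi
```

A non-zero exit from `check_block_devices_ro /sys` means at least one attached disk is writable and the acquisition should not proceed until that is understood.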
Tsurugi Linux is available for free on the official website.