Santoku 0.5 Released: Mobile forensics, Security and malware analysis

Santoku Linux is a distribution built for penetration testing, application security testing, mobile forensics and malware analysis. A forensic investigator or incident responder needs a working knowledge of security and reverse engineering tools to trace a threat back to its origin, and Santoku bundles many of them in one place. Penetration testing is the practice of probing a web or desktop application to find exploitable weaknesses; the security engineer's job is then to find those weaknesses and close them with code patches. This post looks at Santoku Linux as a forensics operating system.


How to Use Santoku –

You can install Santoku as your base operating system, but if you would rather not, you can run it inside VirtualBox or VMware instead. In VMware, click File, choose Create New Virtual Machine, select the Santoku image file and start the installation, assigning disk space according to how you plan to use it. Once it boots you can start using the bundled tooling: mobile forensics, wireless analyzers, penetration testing, reverse engineering, malware analysis and more.

What's New in Santoku 0.5 –

Santoku 0.5 brings several updates and fixes to its open source Android testing tools. The changes since the previous version are:

Moved to Lubuntu 14.04 base
Added f2fs support
Added yaffs2 support
Fixed missing dependency on w3af
Updated udev rules
Fixed Android Studio auto update issue
Updated Android Studio
Fixed missing menu entries
Added the unyaffs command line tool, which extracts files from a YAFFS2 file system image
Added Yaffey, a GUI utility for reading, editing and creating YAFFS2 images

Download the new version – Santoku 0.5

These are fixes to the existing release, and most of them concern Android devices. They should help security testers, malware analysts and forensic examiners get more accurate results from the bundled tools, which include Burp Suite, sslstrip, nmap, the Android brute force encryption tool, iPhone Backup Analyzer and the Android SDK Manager, across device forensics, wireless analysis, penetration testing and reverse engineering.

Santoku is a large collection of open source tools. Before using it, it is worth working through the guide on computer forensics tools and the digital investigation process further down this page, which covers how to perform a digital investigation with common tools. Then install Santoku in a virtual environment and use it as your security testing suite.

Try Santoku 0.5 and share your review!

Web browsers are used for many activities on the Internet: searching for information, shopping online, communicating through email or instant messaging, and taking part in blogs and social networks. Browsers are designed to record and retain a great deal of information about their users' activity, including cached files, visited URLs, search terms and cookies. These files live on the local computer and can be accessed by anyone who uses the same machine. That also makes it relatively easy for a forensic examiner to reconstruct a suspect's Internet activity in cases where questionable web sites were visited or a crime was committed over the Internet. Every professional investigator must follow the forensic investigation process.

In recent years the major browser vendors have encouraged their users to use private browsing to protect their browsing activity. Here I describe forensic techniques that allow an investigator to collect evidence from the system even after a private browsing session.

The techniques are RAM analysis and swap (paging) file analysis: capturing live data from the system and collecting the traces left behind as evidence, using several examiner tools. I tested both browsing modes, normal and private, and compared how much each one leaves behind.

After normal browsing, artifact collection means examining the usual places where traces are left. After private browsing, the analysis was done with forensically sound tools, and hidden system files were examined as well to recover evidence. Having collected evidence from the system in both normal and private browsing mode, I then tested anti-forensic techniques that wipe the evidence from the system completely so that it cannot be recovered. The conclusion: if you want end-to-end protection, private browsing alone is not enough!
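As an added example (not code from the original post), here is the string-carving step of the RAM and pagefile analysis described above, in Python. It scans a raw dump for URLs stored as ASCII/UTF-8 and as UTF-16LE, the encoding Windows browsers commonly use for strings in memory, and reports each hit with its offset. The sample dump is constructed inline; bulk_extractor, covered in the tools list further down, applies the same idea to a whole disk image.

```python
"""Carve URL strings out of a raw memory capture or pagefile.

Added example (not code from the original post). It scans a byte buffer such
as a RAM dump or pagefile.sys for http(s) URLs stored either as ASCII/UTF-8
or as UTF-16LE, the encoding Windows browsers commonly use for strings in
memory. The dump below is constructed inline to stand in for a real capture.
"""
import mmap
import re

# ASCII URL: scheme, host, optional port, optional path; stops at whitespace,
# quotes, angle brackets or a NUL byte.
ASCII_URL = re.compile(rb'https?://[A-Za-z0-9.\-]+(?::[0-9]+)?(?:/[^\s"\'<>\x00]*)?')

# The same grammar for UTF-16LE text: every ASCII character is followed by \x00.
UTF16_URL = re.compile(
    rb'h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00'   # http:// or https://
    rb'(?:[A-Za-z0-9.\-]\x00)+'                        # host
    rb'(?::\x00(?:[0-9]\x00)+)?'                       # optional :port
    rb'(?:/\x00(?:[^\s"\'<>\x00]\x00)*)?'              # optional /path
)


def carve_urls(data):
    """Return (offset, encoding, url) tuples for every URL found, sorted by offset."""
    found = []
    for m in ASCII_URL.finditer(data):
        found.append((m.start(), 'ascii', m.group(0).decode('ascii', 'replace')))
    for m in UTF16_URL.finditer(data):
        found.append((m.start(), 'utf-16le', m.group(0).decode('utf-16-le', 'replace')))
    return sorted(found)


def carve_file(path):
    """Carve a dump file of any size; mmap lets the regexes run over it without loading it."""
    with open(path, 'rb') as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_urls(mm)


# Constructed sample "dump": a run of NULs, an HTTP request, an ASCII URL, a
# UTF-16LE URL from a private-browsing session, and an ftp URL that must be ignored.
SAMPLE_DUMP = (
    b'\x00' * 16
    + b'GET /search?q=forensics HTTP/1.1\r\nHost: example.com\r\n'
    + b'https://example.com/search?q=forensics\x00\x00'
    + b'\x01\x02' + 'https://private.example.org/session/42'.encode('utf-16-le') + b'\x00\x00'
    + b'ftp://not-matched.example.net/\x00'
    + b'http://example.com/search?q=forensics\x00'
)

if __name__ == '__main__':
    for offset, enc, url in carve_urls(SAMPLE_DUMP):
        print(f'{offset:#010x} {enc:9} {url}')
```

Run it against a RAM capture or a copied pagefile.sys with carve_file(path); the offsets let you go back to the dump in a hex editor and read the surrounding context (neighbouring strings often reveal which process or tab held the URL). pagefile.sys is locked while Windows is running, so it has to come from a disk image or a live acquisition tool, and the UTF-16LE pattern is what finds most of the browser strings in it.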

See how the forensic and anti-forensic tests and analysis were performed. The anti-forensic techniques evaluated were:

  • Disabling the paging file
  • Encrypting the paging file
  • Clearing the page file at shutdown
  • Using a Linux distribution
  • Secure wiping (multiple passes)

Use the anti-forensic techniques suggested above to protect your web activity. I tested each technique after a private browsing session and picked the one that gives the most complete protection.

This proposes a research flow for analyzing the artifacts under each condition, compares the effectiveness of every technique and concludes with the best anti-forensic solution.
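The secure wiping technique from the list above, as an added example that is not the post's own code. The file is overwritten in place with several passes, each flushed to disk, then truncated, renamed and unlinked. The sample file is constructed inline; the assumptions are a spinning disk and an in-place file system, which the comments spell out.

```python
"""Multi-pass secure wipe of a file.

Added example, not code from the original post. The file is overwritten in
place with zeros, then ones, then random bytes, each pass flushed to disk;
it is then truncated to zero length, renamed to a random name (so the old
file name does not survive in the directory) and unlinked. Assumptions:
the file system writes in place (no copy-on-write, snapshots or journalled
data) and the medium is a spinning disk; on SSDs the old blocks may stay
in flash because of wear levelling, and copies in the pagefile or in
hiberfil.sys are not touched at all.
"""
import os
import secrets

PASSES = (b'\x00', b'\xff', None)   # None = cryptographically random bytes


def _overwrite(fd, size, pattern, block=1 << 20):
    """One pass: write `pattern` (or random data) over the first `size` bytes of fd."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(block, remaining)
        chunk = secrets.token_bytes(n) if pattern is None else pattern * n
        written = 0
        while written < n:                       # os.write may write less than asked
            written += os.write(fd, chunk[written:])
        remaining -= n
    os.fsync(fd)                                 # force the pass out of the page cache


def secure_wipe(path, passes=PASSES):
    """Overwrite, truncate, rename and unlink `path`. Returns the number of passes written."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR | getattr(os, 'O_BINARY', 0))
    try:
        for pattern in passes:
            _overwrite(fd, size, pattern)
        os.ftruncate(fd, 0)                      # length 0: nothing left in slack either
        os.fsync(fd)
    finally:
        os.close(fd)
    anonymous = os.path.join(os.path.dirname(path) or '.', secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)
    return len(passes)


def demo_wipe():
    """Create a constructed history file, wipe it, and report the outcome."""
    import tempfile
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, 'places.sqlite')
    with open(path, 'wb') as fh:
        fh.write(b'https://private.example.org/session/42\n' * 200)
    passes = secure_wipe(path)
    return {
        'passes': passes,
        'exists_after': os.path.exists(path),
        'dir_empty': os.listdir(workdir) == [],
    }


if __name__ == '__main__':
    print(demo_wipe())
```

Wiping the history files only covers the on-disk copies; the other techniques in the list deal with the rest. On Windows the page file is cleared at shutdown by setting the ClearPageFileAtShutdown value to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, and it is encrypted with fsutil behavior set EncryptPagingFile 1, while booting a Linux live distribution avoids writing browser data to the host disk at all.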

Free Computer Forensics Tools and Digital Investigation Process

Cyber forensics is a very large domain with several branches. Before investigating a computer system after a cyber crime, it is important to know the forensic investigation process. Every investigator must know the computer forensics tools and techniques used to work a case, and a professional investigator knows the tools and techniques on both Linux and Windows, because a cyber crime can originate from any operating system.
Below are some important and useful computer forensics tools and what they are used for. I have used all of them in investigations, so it is easy for me to explain how each one is used to collect evidence.

AccessData FTK Imager

This is the first and most popular computer forensics tool a professional investigator should know. It captures evidence from a computer system and also provides an interface for analyzing the captured evidence. From the File menu you can capture live RAM; the resulting memory dump can then be opened in FTK Imager through File > Add Evidence Item, which also lets you add the contents of a folder, so you can analyze the dump.mem file to find out what happened on the computer. The tool has more uses, which you will discover with practice.

MEM Dump x64 (RamCapturer) –

This tool captures live memory, which FTK Imager can also do as mentioned above. RAM capture is its only function. It is also distributed under the name RamCapturer.

NirLauncher (NirSoft) –

This computer forensics tool is a large collection of small utilities and is used frequently by investigators because it includes network monitoring tools, password recovery utilities, web browser tools, system utilities, disk utilities, Internet utilities, command line utilities, office utilities and more. It is a forensics suite with a large set of useful tools.


OSForensics

OSForensics is well suited to a professional investigation because it includes case management: you create a case with a number and description, and all the evidence is kept in the same folder. Its features include hashing, an SQLite database browser, web browser artifact parsing, password recovery, hash sets, file signature creation and verification and more. It can also be called a suite.


This is the best tool for database forensics on a computer: it analyzes the .sqlite files on the system. You can open the SQLite files created by Firefox or any other browser, which are stored under the AppData folder on the system drive (a hidden location). Even after the browser history has been deleted, you will find evidence in those files such as visited URLs with their dates and times.
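An added example, not code from the post, of reading the Firefox history database described above with Python's sqlite3 module rather than a GUI browser. Firefox stores one row per URL in moz_places and one row per visit in moz_historyvisits, with visit_date in microseconds since the Unix epoch. A database with just those two tables is constructed inline so it runs without a real profile; the demo also deletes a URL the way "clear history" would and checks whether its bytes are still in the file.

```python
"""Build a timeline of visited URLs from a Firefox places.sqlite.

Added example, not the post's own code. Firefox keeps one row per URL in
moz_places and one row per visit in moz_historyvisits; visit_date is
microseconds since the Unix epoch (UTC). A small database with just those
two tables is constructed here so the query runs without a real profile.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

HISTORY_SQL = """
SELECT v.visit_date, p.url, p.title
FROM moz_historyvisits AS v
JOIN moz_places AS p ON p.id = v.place_id
ORDER BY v.visit_date, v.id
"""


def prtime_to_utc(microseconds):
    """Firefox PRTime (microseconds since 1970-01-01 UTC) -> 'YYYY-MM-DD HH:MM:SS UTC'."""
    ts = datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)
    return ts.strftime('%Y-%m-%d %H:%M:%S UTC')


def history_timeline(db_path):
    """Return [(utc_time, url, title), ...] in visit order, opening the file read-only."""
    uri = Path(db_path).resolve().as_uri() + '?mode=ro'   # never write to the evidence copy
    con = sqlite3.connect(uri, uri=True)
    try:
        return [(prtime_to_utc(ts), url, title) for ts, url, title in con.execute(HISTORY_SQL)]
    finally:
        con.close()


def raw_file_contains(db_path, needle):
    """Scan the database file bytes directly, bypassing SQLite, for a string."""
    with open(db_path, 'rb') as fh:
        return needle.encode() in fh.read()


def build_sample_profile(db_path):
    """Constructed sample: the subset of the Firefox schema the query needs."""
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
    """)
    con.executemany('INSERT INTO moz_places VALUES (?, ?, ?, ?)', [
        (1, 'https://example.com/search?q=forensics', 'Search', 2),
        (2, 'https://private.example.org/session/42', 'Private page', 1),
    ])
    con.executemany('INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)', [
        (1, 1, 1_400_000_000_000_000, 1),   # 2014-05-13 16:53:20 UTC
        (2, 2, 1_400_000_060_000_000, 1),   # one minute later
        (3, 1, 1_400_000_120_000_000, 1),   # two minutes later
    ])
    con.commit()
    con.close()


def demo_history():
    """Build the sample, read the timeline, then delete one URL the way 'clear history'
    would and check whether its bytes survive in the file."""
    db = os.path.join(tempfile.mkdtemp(), 'places.sqlite')
    build_sample_profile(db)
    timeline = history_timeline(db)
    before = raw_file_contains(db, 'private.example.org')
    con = sqlite3.connect(db)
    con.execute('DELETE FROM moz_historyvisits WHERE place_id = 2')
    con.execute('DELETE FROM moz_places WHERE id = 2')
    con.commit()
    con.close()
    after = raw_file_contains(db, 'private.example.org')
    return {'timeline': timeline, 'in_file_before_delete': before,
            'in_file_after_delete': after, 'rows_after_delete': len(history_timeline(db))}


if __name__ == '__main__':
    print(demo_history())
```

Whether in_file_after_delete comes back True depends on the SQLite build: with secure_delete off, a deleted record's bytes stay in the page's free space until the page is reused or the database is vacuumed, which is why a raw scan of the file (or of its -wal and -journal companions) can still turn up URLs the history view no longer shows; builds compiled with SQLITE_SECURE_DELETE zero the cell immediately. Always work on a copy of the profile and open it read-only, as above, so the examination itself does not overwrite that free space.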


Sysinternals Suite

The Sysinternals suite is similar to the NirSoft collection: a large set of utilities that help in almost any case. RootkitRevealer, ShareEnum, Tcpvcon, TCPView and ZoomIt are among its most popular and most used utilities.

WEFA (Web Browser Forensic Analyzer) –

It is among the best forensic tools for browser-related crime. It reveals the actual URLs accessed by the user, directly or indirectly, along with the date and time and the type of page (blog, news, website, etc.). Its most powerful feature is carving Internet Explorer's index.dat file to restore old browsing content even after the user has deleted it. It is an underground tool that few people talk about, but one of the best for browser forensics.

Windows Registry Forensics

Windows Registry Forensics is a tool for analyzing newly created and modified Windows registry entries. It reveals every modified entry with its date and time.

Autopsy (The Sleuth Kit) –

Autopsy is the graphical front end to The Sleuth Kit, an open source toolkit with several forensic utilities such as hash filtering, timeline analysis and file system analysis; both run on Windows and Linux. You can create a new case, load the disk image or file to be analyzed, and save the case so it can be reopened later.

Linux Reader

This utility bridges Windows and Linux file systems and is very useful for quick access to any Linux partition from Windows. It does not write to the partition, so it is safe to use on evidence, and it is free.

SANS SIFT Kit/Workstation

SIFT is an Ubuntu-based forensic system that collects Linux forensic tools for dd image analysis, log2timeline, data carving, Recycle Bin examination and much more. You can get it from the official SANS website.


This is the best utility for malware analysis and has strong volatile memory analysis capabilities, covering running processes, network sockets, loaded DLLs, cached registry hives and more. It is a command line tool used frequently by incident response teams for malware analysis and forensic examination of volatile data.

Linux dd

dd ships by default with most Linux distributions. Use it with care: pick the wrong partition as the output and you will overwrite your own data. Open a terminal and run dd directly. The forensic variants dcfldd and dc3dd extend it with digital evidence acquisition features such as on-the-fly hashing, split output files and pattern writing.
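An added example, not the post's code and not dd itself, of what the forensic dd variants add to plain dd: the source is read in fixed blocks, every byte is hashed as it is copied, the output is split into numbered segments, and an unreadable block is zero-filled instead of aborting the acquisition. The "device" here is a constructed file; on a real case the source would be the block device, for example /dev/sdb, opened behind a write blocker.

```python
"""Evidence acquisition with on-the-fly hashing and split output.

Added example, not the post's code and not dd itself: it does in Python what
the forensic dd variants (dcfldd, dc3dd) add to plain dd. The source (a block
device such as /dev/sdb, or here a constructed file) is read in fixed blocks,
every byte is fed to a hash as it is copied, the output is split into
numbered segments of at most `segment_size` bytes, and an unreadable block is
replaced by zeros instead of aborting (the behaviour of dd conv=noerror,sync).
"""
import hashlib
import os
import secrets
import tempfile


def acquire(source, dest_prefix, segment_size, block_size=4096, algo='sha256'):
    """Copy `source` into dest_prefix.000, .001, ... and return
    (segment_paths, hexdigest, bytes_acquired, unreadable_blocks)."""
    digest = hashlib.new(algo)
    segments, unreadable, total = [], 0, 0
    seg_fh, seg_used = None, 0
    with open(source, 'rb', buffering=0) as src:
        while True:
            try:
                block = src.read(block_size)
            except OSError:
                # Bad sector: step over it and substitute zeros so the image keeps its offsets.
                src.seek(block_size, os.SEEK_CUR)
                block = b'\x00' * block_size
                unreadable += 1
            if not block:
                break
            digest.update(block)
            total += len(block)
            off = 0
            while off < len(block):
                if seg_fh is None:
                    path = f'{dest_prefix}.{len(segments):03d}'
                    seg_fh, seg_used = open(path, 'wb'), 0
                    segments.append(path)
                n = min(len(block) - off, segment_size - seg_used)
                seg_fh.write(block[off:off + n])
                seg_used += n
                off += n
                if seg_used == segment_size:
                    seg_fh.close()
                    seg_fh = None
    if seg_fh is not None:
        seg_fh.close()
    return segments, digest.hexdigest(), total, unreadable


def verify(segments, expected_hex, algo='sha256'):
    """Re-hash the segments in order and compare with the acquisition hash."""
    digest = hashlib.new(algo)
    for path in segments:
        with open(path, 'rb') as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b''):
                digest.update(chunk)
    return digest.hexdigest() == expected_hex


def demo_acquire():
    """Image a constructed 10 000-byte 'device' into 4 000-byte segments and verify it."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, 'evidence.raw')
    content = secrets.token_bytes(10_000)
    with open(source, 'wb') as fh:
        fh.write(content)
    segments, digest, total, unreadable = acquire(source, os.path.join(workdir, 'image'), 4_000)
    return {
        'segments': len(segments),
        'bytes': total,
        'unreadable': unreadable,
        'hash_matches_source': digest == hashlib.sha256(content).hexdigest(),
        'verified': verify(segments, digest),
        'wrong_hash_rejected': not verify(segments, '0' * 64),
    }


if __name__ == '__main__':
    print(demo_acquire())
```

The hash returned by acquire is the hash of the stream actually written, so record it in the acquisition notes next to the source's own hash (taken from the device with a second read) and the number of unreadable blocks; any later verify against the segments that fails means the image was altered after acquisition.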

Oxygen Forensic Suite

This is a leading mobile forensics tool. It extracts device data such as IMEI, manufacturer, OS, serial number, email, contacts and more, and its file browser lets you view videos, photos and mobile databases. It is available to download for free.

Free Hex Editor Neo

Free Hex Editor Neo lets you find data patterns in large files, search with regular expressions, create file patches and use multiple processor cores, and it is free. It is widely used by incident response teams for malware analysis.


CAINE

CAINE is a large collection of forensic utilities covering data recovery, mobile forensics, network forensics and more. It has a user-friendly interface and is distributed as a Linux live CD, so you can boot it to try it on your existing system.


DEFT

DEFT is also a Linux live CD distribution with a large collection of tools, effectively a suite. Like CAINE, you can boot it on your machine from the live image. It carries a very large set of tools for mobile forensics, network forensics, file analysis, hashing and more.

Bulk Extractor

Bulk Extractor is a popular tool for scanning a disk image, file or directory in one pass and extracting useful features from it: email addresses, ZIP archives, contacts and much more. It is fast because it ignores the file system structure and examines different parts of the disk in parallel. It can be run against memory cards, digital camera media, mobile phones, optical media and more. If you have not used it yet, it is worth a try.


Helix

Helix is a Linux live distribution for incident response and digital forensics. It collects several open source tools for carving, hex editing, hashing and more. You can boot it directly, or install it on your machine if you need it daily.


HxD

HxD is a hex editor that also allows low-level editing of memory. It handles large files smoothly and offers search and replace, checksums, a file shredder and more. It is user friendly and one of the most popular hex editors.


Xplico

Xplico is a network forensic analysis tool for analyzing captured network traffic. It supports protocols such as TCP, UDP, HTTP, IMAP and SIP, and can write its output to an SQLite or MySQL database. After installation you use it through the browser at http://IP:port; log in as a normal user to get the interface, then create a new case to start working.
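An added example, not the post's code and not Xplico, of the kind of protocol decoding a network forensics tool performs on a capture: a small libpcap file with Ethernet/IPv4/TCP frames is constructed inline, then parsed to recover the timestamp, endpoints, request line and Host header of every HTTP request. TCP reassembly across segments is left out, so it only sees requests that fit in one packet.

```python
"""Pull HTTP requests out of a pcap capture.

Added example, not the post's code and not Xplico: it shows the kind of
protocol decoding a network forensics tool does. A tiny libpcap file is
constructed inline (Ethernet / IPv4 / TCP frames), then parsed to recover,
for every HTTP request, the timestamp, endpoints, request line and Host
header. Packets that are not IPv4/TCP or do not start an HTTP request are
skipped; TCP reassembly across segments is deliberately out of scope here.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(frames, first_ts=1_400_000_000):
    """Wrap raw Ethernet frames in a libpcap file, one second apart."""
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', first_ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (ts_sec, frame_bytes) from a libpcap file held in memory."""
    magic, = struct.unpack_from('<I', data, 0)
    endian = '<' if magic == PCAP_MAGIC else '>'
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + 'IIII', data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def ip_to_str(raw):
    return '.'.join(str(b) for b in raw)


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (PSH|ACK) carrying `payload`; checksums left zero."""
    eth = b'\xaa' * 6 + b'\xbb' * 6 + b'\x08\x00'
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split('.')),
                     bytes(int(x) for x in dst_ip.split('.')))
    return eth + ip + tcp + payload


def extract_http_requests(pcap_bytes):
    """Return one dict per HTTP request seen in the capture."""
    requests = []
    for ts, frame in iter_pcap(pcap_bytes):
        if frame[12:14] != b'\x08\x00':                 # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len, = struct.unpack_from('!H', frame, 16)
        ip = frame[14:14 + ihl]
        if ip[9] != 6:                                   # not TCP
            continue
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from('!HH', frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + ip_len]  # trim Ethernet padding
        if not payload.startswith((b'GET ', b'POST ', b'HEAD ')):
            continue
        head = payload.split(b'\r\n\r\n', 1)[0].decode('latin-1')
        request_line, *header_lines = head.split('\r\n')
        headers = {k.strip().lower(): v.strip()
                   for k, v in (h.split(':', 1) for h in header_lines if ':' in h)}
        requests.append({'ts': ts, 'src': f'{ip_to_str(ip[12:16])}:{sport}',
                         'dst': f'{ip_to_str(ip[16:20])}:{dport}',
                         'request': request_line, 'host': headers.get('host')})
    return requests


# Constructed capture: one clear-text HTTP request and one TLS record that must be skipped.
SAMPLE_PCAP = build_pcap([
    build_frame('192.168.1.10', '203.0.113.5', 49152, 80,
                b'GET /search?q=forensics HTTP/1.1\r\nHost: example.com\r\n'
                b'User-Agent: Mozilla/5.0\r\n\r\n'),
    build_frame('192.168.1.10', '203.0.113.6', 49153, 443,
                b'\x16\x03\x01\x00\x05hello'),
])

if __name__ == '__main__':
    for req in extract_http_requests(SAMPLE_PCAP):
        print(req)
```

The second frame is the start of a TLS handshake and yields nothing, which is the practical limit of this kind of analysis: for HTTPS traffic a capture gives you endpoints, timing and the server name, not the URL, so the browser-side artifacts covered earlier on this page remain the place to look for the pages themselves.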

Digital Forensic Framework

DFF is open source digital investigation software used by professionals, and you can use it too, to collect, preserve and reveal evidence from a system. Its features include virtual machine disk reconstruction, Linux and Windows forensics, access to local and remote drives, recovery of hidden and deleted artifacts and much more.


PlainSight

PlainSight is an environment that lets inexperienced forensic practitioners work with powerful tools. It can collect hard disk and partition information, examine firewall configuration, extract users and groups, discover USB storage devices, examine physical memory dumps and much more.

Mandiant Redline

Redline is used for analysis of a specific host and surfaces signs of malicious activity through memory and file analysis. It collects running processes, loaded drivers, registry data, event logs, file system metadata, web history and much more. It is well suited to malware analysis and is used frequently by incident response teams.

P2 eXplorer

P2 eXplorer is an image mounting tool: it mounts forensic images as read-only local logical or physical disks, after which you can analyze the deleted data and the unallocated and slack space of the image. It mounts SMART images, EnCase images, Paraben Forensic Replicator (PFR) images, VMware snapshots, raw images from Linux dd and other tools, and more; it can mount several images at once, verify MD5 hashes, auto-detect the image format and write-protect the evidence.

These computer forensics tools help across several branches of digital forensics: database forensics, mobile forensics, network forensics, browser forensics and more. As a professional investigator you must follow the digital forensics investigation process.

I hope you found this guide helpful and that it helps you discover more with these forensic tools.

Thanks 🙂

Cyber Forensics and Forensic Investigation Process

Computer forensics is the application of investigation and analysis techniques to collect and preserve evidence from a specific computing device in a way that is suitable for presentation in a court of law. The goal of the investigator is to perform a structured investigation while maintaining a documented chain of custody, in order to find out exactly what happened on a device and who was responsible for it.


Forensic Investigation Flow

A forensic investigation can be performed on any digital equipment used in the commission of a crime. Most criminals operate on the web, using the Internet for their activities, usually for financial gain; they act through web browsers and target a system or a network. After the crime an investigation is needed, and a professional forensic investigator performs it under a defined set of rules and laws.

The investigator first secures the scene and photographs it, then applies tools and techniques to investigate the case. The investigation follows checklists to collect evidence and ends with a document suitable for the court. As proof, the investigator takes a snapshot of each piece of evidence and maintains the files from beginning to end, so that the case is easy to evaluate.

Branches of Digital Forensics

Cyber or digital forensics is a very large domain to dig into, and no single expert knows every branch and investigation method; experts vary from area to area. The main branches of digital forensics are:

1. Disk Forensics
2. Printer Forensics
3. Network Forensics
4. Mobile Device Forensics
5. Database Forensics
6. Digital Music Device Forensics
7. Scanner Forensics
8. Browser Forensics
9. Social networking Forensics
10. PDA Forensics

An expert in any of these areas possesses core and advanced knowledge of that field. You can specialize in any of them and have good career options.