Is Tsurugi Linux a SANS SIFT killer?

Shoaib Arshad
Nov 30, 2019

As per the website, Tsurugi Linux is a new open source DFIR project that “is and will be totally free, independent without involving any commercial brand”, and whose stated main goal is to share knowledge and “give back to the community”.

A Tsurugi (剣) is a legendary Japanese double-bladed sword used by ancient Japanese monks.

The Tsurugi Linux team is headed by Giovanni ‘sug4r’ Rattaro, who was a developer on DEFT Linux, a distro for digital forensics.

Types

This distro is released in three variants, catering to the different requirements of the DFIR community. I think this is really important for a DFIR distro, as it provides much needed flexibility.

  • Tsurugi Linux [Lab] — Full version with all tools.
  • Tsurugi Acquire — Lighter version for live disk acquisitions.
  • BENTO — Portable version for live analysis.

Tsurugi Linux [Lab]

This is the full version of the distro and contains all the open source tools, with a wide range of capabilities such as imaging, malware analysis, cryptocurrency and OSINT investigations. Here is the download link.

Let’s look at the specifications and features of the Tsurugi Linux [Lab] version.

Specifications

  • 64-bit Linux distribution
  • Based on Ubuntu 16.04 LTS
  • Patched kernel 5.1.15 (custom kernel)
  • Download size: 4 GB

Features

Let’s look at some of its features.

Custom Boot Options

Note: In live mode, during the boot phase, it is possible to disable specific graphics drivers in case of display problems or potential crashes.

Each time the system boots, a cleaner script (tsurugi_cleaner) runs to kill programs that were started because of new updates. This feature is designed to limit memory waste.

Six Investigation Phases

As per the developers of the distro, it is based on a six-phase investigation model.

Main Menu & Tools Classification

The tools are neatly organized and can be accessed from the Main Menu. Let’s look at some of them.

Imaging Menu

There is an extensive list of tools to support you during the imaging of a system.

Artifact Analysis

The Artifact Analysis menu contains all of the tools you need for an investigation. It is further classified into various sub-menus such as Browser, Email, File System, Registry, etc.

Malware Analysis

There is a dedicated menu for malware analysis.

Network Analysis

This menu contains tools for network analysis.

Computer Vision

There is an interesting menu called “Computer Vision” which has tools related to facial recognition systems.

Mobile Forensics

Tools for Android and iOS can be found in Mobile Forensics.

OSINT

Information gathering tools are available in the OSINT menu.

Crypto Currency

This is a unique menu with tools for cryptocurrency investigations, which are becoming increasingly common.

Other Tools

Some more miscellaneous tools can be found in this menu.

Kernel Write Blocker

One of the key features is the Kernel Write Blocker.

A write blocker is enforced at the kernel level to prevent write access to attached devices and any alteration of their integrity.

All connected devices are in READ ONLY mode by default.
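
Before relying on the write blocker with evidence media, an analyst would want to confirm that every attached disk really is read-only. The following POSIX sh check is an added example and not part of the Tsurugi project or this post: it parses the raw output format of `lsblk -rno NAME,RO,TYPE` and reports any whole disk whose read-only flag is 0; the function names and the sample lsblk output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tsurugi project code): verify that attached block
# devices are read-only before touching evidence media. Function names
# and the sample lsblk output below are constructed, not real output.

# writable_devices: reads lines in the format produced by
# `lsblk -rno NAME,RO,TYPE` (e.g. "sda 0 disk") on stdin and prints the
# names of whole disks whose RO flag is 0, i.e. devices that are NOT
# write-protected. Partitions are skipped; they inherit the disk's flag.
writable_devices() {
    while read -r name ro type; do
        [ "$type" = "disk" ] || continue
        if [ "$ro" = "0" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# audit_write_blocker: runs lsblk on the live system and returns 0 when
# every disk is read-only, 1 when at least one writable disk is found.
audit_write_blocker() {
    bad=$(lsblk -rno NAME,RO,TYPE | writable_devices)
    if [ -n "$bad" ]; then
        printf 'WARNING: writable disk(s) detected: %s\n' "$bad"
        return 1
    fi
    printf 'OK: all attached disks are read-only\n'
    return 0
}

# Constructed sample in lsblk raw format: the system disk sda is writable,
# the evidence disk sdb and the optical drive sr0 are read-only.
SAMPLE_LSBLK='sda 0 disk
sda1 0 part
sdb 1 disk
sdb1 1 part
sr0 1 rom'

# Offline demonstration against the constructed sample; prints "sda".
demo_writable() {
    printf '%s\n' "$SAMPLE_LSBLK" | writable_devices
}

demo_writable
```

On a live system, call `audit_write_blocker` instead of `demo_writable` to check the real device list.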

OSINT Profile Switcher

The OSINT Profile Switcher (profile_switcher_tsurugi) is a feature that lets you quickly switch from the DFIR profile to the OSINT profile.

The difference is that the Tsurugi menu becomes lighter: only the few categories useful for OSINT activities are shown to the user. To easily tell the two profiles apart, the default wallpaper also changes.

Graphical Dashboard

A graphical dashboard is available on the desktop showing a lot of real-time information (if needed, it can be reset with the “Dashboard reset” button or the “dashboard” command on the command line).

Some More Features

  • Device automount / autoexec disabled
  • System hibernation disabled
  • Default custom values are applied at the start of each session
  • Automatic HiDPI setting
  • Mouse keys switch
  • Boot cleaner script
  • RAM saturation workaround

SANS SIFT killer?

Both SANS SIFT and Tsurugi Linux are Ubuntu-based, DFIR-focused distros. SANS SIFT has also been developed by industry veterans and has gone through many versions, which makes it a really robust OS. As a DFIR-focused distro, the bar is set very high by the SANS SIFT Workstation.

Tsurugi is a feature-rich OS and tries to give the analyst flexibility through its different flavors. It does a good job of bringing a wide range of open source DFIR tools onto a single platform, but the overall experience feels like a work in progress. It is definitely going to take some time for Tsurugi to catch up to SANS SIFT. As per the website, another version is due out soon, and things are definitely looking up for them. The effort put in by the Tsurugi Linux team will surely be appreciated by the DFIR community.
