Tsurugi Acquire — Linux distro for Live Disk Acquisitions

Shoaib Arshad
2 min read · Dec 1, 2019


Tsurugi Acquire is a lighter, 32-bit flavor of the Tsurugi DFIR Linux distro, created specifically for live disk acquisitions. It aims to provide the basic tools needed to boot a PC and acquire its mass storage devices.

You can read all about the Tsurugi DFIR Linux distro here.

Types

Tsurugi Linux is released in three variants, as required by the DFIR community. I think this is really important for a DFIR distro, as it provides much-needed flexibility.

  • Tsurugi Linux [Lab] — Full version with all tools.
  • Tsurugi Acquire — Lighter version for live disk acquisitions.
  • BENTO — Portable version for live analysis.

Let’s look at the specifications and features of Tsurugi Acquire.

Specifications

  • 32-bit Linux distribution
  • Based on Ubuntu 16.04 LTS
  • Patched kernel 4.18.5 (custom kernel)
  • Download size: 1.1 GB

Features

Let’s look at some of its features.

  • Aimed at providing the basic tools needed to boot a PC and acquire mass storage devices.
  • Only a small subset of tools is installed, to keep the ISO small.
  • Its main purpose is to reside easily in RAM, boot fast and support as many architectures as possible.
  • The installer has been removed; it runs only in live mode.
  • The kernel is 32-bit to give the widest compatibility and run easily on the oldest devices.
  • A screen resolution detection system is present, which automatically adapts the size of icons and menus on Retina and 4K screens.
  • The whole image can be loaded into RAM, letting the user remove the pen drive/DVD-ROM after boot and use the system at high speed, freeing one USB port or the optical reader/writer.

Kernel Write Blocker

One of the key features is the Kernel Write Blocker.

A write blocker is enforced at the kernel level to prevent write access to attached devices and any alteration of their integrity.

All connected devices are in READ ONLY mode by default.
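Before imaging, a practitioner will want to confirm on the booted system that the write blocker really covers every attached device, and after imaging that the acquired image still matches the hash the imager recorded. The following POSIX shell functions are an added example, not part of Tsurugi Acquire; they assume the standard Linux sysfs layout (`/sys/block/<dev>/ro` holds 1 when the kernel marks a device read-only) and a `sha256sum` binary.

```shell
#!/bin/sh
# Added example (not from the Tsurugi project). Pre- and post-acquisition checks
# for a live-acquisition boot. Assumes Linux sysfs: /sys/block/<dev>/ro is "1"
# when the kernel treats the device as read-only (same flag blockdev --getro shows).

# Return 0 if the block device is read-only, 1 if writable, 2 if unknown.
# $1 = device name (e.g. sda); $2 = sysfs root, default /sys/block (overridable
# so the check can be exercised against a constructed directory tree).
dev_is_ro() {
    dev=$1
    root=${2:-/sys/block}
    f="$root/$dev/ro"
    [ -r "$f" ] || return 2
    case $(cat "$f") in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Print every block device under the sysfs root that is NOT confirmed read-only
# (writable or unknown). Empty output means the write blocker covers all devices;
# anything printed must be explained before an acquisition starts.
writable_devices() {
    root=${1:-/sys/block}
    for d in "$root"/*; do
        [ -d "$d" ] || continue
        n=$(basename "$d")
        dev_is_ro "$n" "$root" || echo "$n"
    done
}

# Recompute the SHA-256 of an acquired image and compare it with the digest the
# imager (dc3dd, dcfldd, guymager, ...) logged. $1 = image path, $2 = expected
# lowercase hex digest. Returns 0 on match, 1 on mismatch.
verify_image_hash() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}
```

On the live system, `writable_devices` with no argument inspects the real `/sys/block`; the optional root argument exists only so the logic can be tested against a constructed tree.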

Main Menu & Tools Classification

It has only three menu items: Imaging, Hashing and Mount.

Here is a list of all the tools in Tsurugi Acquire.

Imaging

  • guymager
  • Cyclone
  • dc3dd
  • dcfldd
  • dd
  • dd_rescue
  • ddrescue
  • ewfacquire
  • ewfacquirestream
  • ftkimager

OTHER TOOLS

AFF

  • affcat
  • affcompare
  • affconvert
  • affcopy
  • affcrypto
  • affdiskprint
  • affinfo
  • affix
  • affrecover
  • affsegment
  • affsign
  • affstats
  • affverify
  • affxml

EWF

  • ewfdebug
  • ewfexport
  • ewfinfo
  • ewfrecover
  • ewfverify

RAW

  • dd BufferSize Calculator
  • ddrescuelog
  • ddrescueview

Hashing

  • FUZZY HASH
  • ssdeep
  • hashdeep
  • md5sum
  • sha1sum
  • sha256sum
  • sha512sum

Mount

  • BITLOCKER
  • bdemount

OTHER TOOLS

  • fdisk
  • mmls
  • affuse
  • ewfmount
  • fusermount
  • mount
  • xmount
  • ccze
