A few things to do after you've gotten CSI Linux up and running for the first time: basic needful updates, and a few additional customizations.
CSI Linux already comes pretty packed with just about everything you need, but there's room for a few more "improvements" to help life along. We'll go over a couple of these customizations and how to do them.
powerup
This is the "main" update tool for CSI Linux. You can go ahead and use apt to update Linux and all packages installed though that, but CSI Linux has a few appimages and additional tool not installed through apt, and this take those tool in to consideration. On a very old image, you might need to run through the update process twice, but for the most part, it's a one-and-done kind of update command. My only gripe is that it suggests/urges(/requires) a reboot when it is done, regardless of whether or not anything was actually upgraded. If you've done it 3 times, you are most certainly all up-to-date.
Update pip
Comically enough, of all the things that are updated with the powerup command, pip isn't one of them. Update pip with the following command:
sudo python3 -m pip install --upgrade pip
Yes, run it with sudo, we are installing it "globally".
Update Discord
Sadly not included in the powerup update command either. There's a few ways you could go about it, but personally I found that the easiest way to be sure to consistently get THE LATEST version is to just open Discord (Start -> Internet -> Discord) and let it redirect you to download the latest .deb package. Once downloaded, install it with the following command:
sudo dpkg -i ~/Downloads/discord*.deb
Be sure to change the directory if you downloaded and saved the .deb package elsewhere. Feel free to delete the .deb file afterwards.
Replace youtube-dl with yt-dlp
As discussed in the CSI Linux Certified Investigator training, youtube-dl comes pre-installed. Sadly, though its roots are downloading youtube videos, due to legal issues it can no longer actually download anything from youtube. This is a great shame. Fortunately, the project was forked (many times) and one such fork, which continues to be actively maintained, is yt-dlp. For the most part (with the exception of some of the more advanced commands and arguments), the two programs should be 1:1 compatible. I'll be honest, this one's pretty hacky. The "proper" solution here would be to go through all the CSI tools' code and properly replace youtube-dl with yt-dlp. And maybe we'll be able to convince them to do so. Maybe they have deliberately chosen not to in order to avoid potential legal issues. I don't know... Either way, we can't do the "proper" solution here-and-now, so off to our hacky solution.
First off, we install yt-dlp:
sudo python3 -m pip install yt-dlp
Next, we "backup" the current youtube-dl:
sudo mv /usr/bin/youtube-dl /usr/bin/youtube-dl.ORIG
Finally, we create a link pointing to yt-dlp:
sudo ln -s /usr/local/bin/yt-dlp /usr/bin/youtube-dl
And now you can download youtube videos for evidence!
I tested the youtuble download option in the CSI Linux Case Management Tool, as well as a few custom commands, and they all worked just fine. There might be other things in CSI Linux that uses youtube-dl which *MAY* break, but given the level of compatibility between the 2 and their commands, I doubt it.
ipinfo Command Line
I'm a big fan of IPInfo.io. Mostly because I can copy an IP Address to my clipboard, open a browser, type in "ipinfo.io/" and then paste the IP Address I want to investigate. It's super simple, very easy to use, and has lots of good info. Lo and behold, they have a CLI app as well that essentially functions the same way, but works on the command line, and can make copy/pasting and documenting the results a little easier and nicer.
echo "deb [trusted=yes] https://ppa.ipinfo.net/ /" | sudo tee "/etc/apt/sources.list.d/ipinfo.ppa.list"
sudo apt update
sudo apt install ipinfo
In my opinion, it is certainly worth signing up for an account with IPInfo. Mostly to be able to check IP Addresses in bulk. I won't go through the IPInfo.io signup process here, it's pretty easy. Part of the signup process actually has you copying your API access key. When you get to that part, do so, then run:
ipinfo init
Select option 1, then enter your API key (it's like a password field, so you won't see the password characters).
Install AutoRecon
https://github.com/Tib3rius/AutoRecon
I suppose there's an argument that this might betting away from the strict DFIR, but in terms of "fingerprinting" a remote host, it does perform an nmap scan, grabs screenshots of landing pages, and a whole lot more. All while saving and documenting everything along the way. So in those regards, it's a solid addition to the mix.
sudo apt install seclists curl dnsrecon enum4linux feroxbuster gobuster impacket-scripts nbtscan nikto nmap onesixtyone oscanner redis-tools smbclient smbmap snmp sslscan sipvicious tnscmd10g whatweb wkhtmltopdf
**SOME prerequisite packages missing from package manager
Install SecLists
https://github.com/danielmiessler/SecLists
On one hand, I can understand why this is not included by default, it takes up a lot of space. And when the disk image is as big as it is, it might just be TOO big to include by default. BUT, it can be an invaluable tool (set of wordlists) for any kind of password or hash cracking. Yes yes yes... we should probably be tailoring our own wordlists to the individual situation at hand, which you can still do, but sometimes you just need a quick start with some low-hanging fruit.
wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip
git clone https://github.com/danielmiessler/SecLists.git
sudo mkdir -p /usr/share/wordlists/seclists
sudo mv SecLists /usr/share/wordlists/seclists
Technically speaking, you can move the SecLists files to any other directory, but since I am quite familiar with Kali Linux, I opted to move it to the same location.
Asbru Connection Manager
Asbru is a connection manager. It can handle SSH, RDP, VNC, and a few others as well. It has some nice Cluster options for SSH, some fancy tie-ins to Keepass... it even has a local CLI terminal option, and I will sometimes replace my terminal shortcut with Asbru. The website covers it's own set of features and uses better than I will, but suffice to say, it is (and has been) of great use to me and my investigations.
Once upon a time, the only "real" option to install this on my Linux boxes was to mess around with the apt package sources. I have had mixed successes (mostly failures) with messing about with the package sources. Fortunately, there is a way to "install" this app withOUT messing around with the sources, but updating the app isn't "included" as part of a usual apt update/upgrade. To be honest, I'm not sure why Asbru isn't already in the existing Debian and/or Ubuntu package sources, it's such a useful tool.
First, we install a few prerequisite packages:
apt install perl libvte-2.91-0 libcairo-perl libglib-perl libpango-perl libsocket6-perl libexpect-perl libnet-proxy-perl libyaml-perl libcrypt-cbc-perl libcrypt-blowfish-perl libgtk3-perl libnet-arp-perl libossp-uuid-perl openssh-client telnet ftp libcrypt-rijndael-perl libxml-parser-perl libcanberra-gtk-module dbus-x11 libx11-guitest-perl libgtk3-simplelist-perl gir1.2-wnck-3.0 gir1.2-vte-2.91
Then we create a directory to save and clone the repository:
mkdir ~/bin
cd ~/bin
git clone https://github.com/asbru-cm/asbru-cm.git
The running it is as simple as:
~/bin/asbru-cm/asbru-cm
Though I would encourage you to create a shortcut rather than running the command manually. In the next section, we'll go over creating a Start Menu shortcut; feel free to do the same for this if that's your jam.
Updating Asbru is rather simple:
cd ~/bin
git pull https://github.com/asbru-cm/asbru-cm.git
In a perfect world, Asbru (or a link or script or something) would get "installed" in to one of the directories already in the PATH or something, and the git pull command would get included in the "powerup" updating command. But I'm not sure not sure what the best option would be to fit in with the powerup and the rest of the CSI Linux design ethos. Maybe someday if and when the CSI Linux community and Team agree with including this, it can be nicely integrated like that, but for now, this is how I have it going.
Install Additional Apps
A few additional apps to make life better:
Firefox - Web Browser. I have found it of great use to have options for browsers, not just 1. Also, I hate Google and thus Chrome.
glogg - A real nice GUI log explorer. VERY useful for analyzing large (gigabyte and larger) log files.
Liferea - A nice RSS reader and aggregator. I use it to fetch multiple RSS feeds and display the goods.
Kget - A nice GUI download manager. Can be useful for downloading (and managing those downloads) multiple large files, namely disk images, but it does not do uploads.
Double Commander - It's primary design is essentially a file browser, but it has some really nice file transfer queuing, and can do "uploads". Again, super useful for those particularly large files.
sudo apt install firefox glogg liferea kget doublecmd-gtk
Unfortunately, Firefox doesn't get a Start Menu shortcut added, so we'll need to go in and create one ourselves. I'm sure there's probably some fancy command we can run or file we could edit to do this for us, BUT I don't know what that would be so we're just doing it manually:
- Right-click the Start Menu button, click "Properties"
- In the "Applications Menu" window, click the "Edit Menu" button.
- In the Menu Editor, scroll down to the "Internet" folder, and click on it.
- Up in the top-left section of the window, click the "+" button, and then select "Add Launcher".
- In the details section on the right, click the Icon, and then select "Browse Icons...".
- Scroll down this list until you find the Firefox icons. Pick the one you want. I went with just the plain ol' Firefox one. Double-click your selection.
- Back in the details, click the "New Launcher" section, and change that to "Firefox".
- Change the "..small descriptive blurb..." section to "Firefox Web Browser" (or some other description of your choosing).
- The command will be "/usr/bin/firefox".
- Flip the "Use startup notification" switch on.
- Now, we could click the Save button and call it at this, but I'm a bit of a perfectionist so we're going to add a few more details.We're going to essentially mirror the other 2 browsers already present (Brave and Chrome), so feel free to copy/paste some of the similar details.
- Down in the "Categories", we're going to remove the 2 "X-Xfce..." options.
- Click the "+" button.
- Click on "Select a category", then choose "Network" and then "WebBrowser".
- Next, go to the "Actions" tab.
- Click the "+" button, the Name will be "New Window", and the command "/usr/bin/firefox".
- Click the "+" button again, and this Name will be "New Private Window", and the command "/usr/bin/firefox --private-window".
- Lastly, the Advanced tab:
- Generic Name: Web Browser
- Mimetypes: application/pdf;application/rdf+xml;application/rss+xml;application/xhtml+xml;application/xhtml_xml;application/xml;image/gif;image/jpeg;image/png;image/webp;text/html;text/xml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ipfs;x-scheme-handler/ipns;
- Finally, we can click the Save button and we're done! Close out all the windows.
Remote Accesses
Now these last customizations may be a bit controversial for some. There will certainly be those who will want, need, and appreciate this kind of access and usage options. Some may say that this may be highly insecure, and from another perspective, they may be right. A "full" and "Proper" setup should probably include something like fail2ban and a proper configuration there. Maybe some kind of firewall rules and editor. I dunno... What I DO know is that this is starting to get a bit beyond my simple convenience need, and may have other impacts on other tools and functionality within CSI Linux that I am not yet aware of. Suffice to say, if you do this, be aware of the potential security implications.
Laptop Lid
If it is installed on a laptop, we'll first need to make sure that it doesn't go in to standby when we close the lid. Otherwise, if it is a desktop, NUC, VM, or anything of the like without a laptop lid, you can pass this by, but doing this won't bring any harm if you are unsure.
sudo nano /etc/systemd/logind.conf
Find, uncomment, and change the following line from:
#HandleLidSwitch=suspend
to:
HandleLidSwitch=ignore
SSH
This one's pretty simple, just enable and start the ssh service:
sudo systemctl enable ssh
sudo systemctl start ssh
Keep in mind that the SSH server is listening on port 2222.
RDP
As previously mentioned, not without it's own sets of potential controversies. But I have a use-case need, and here's how I fulfilled it:
sudo apt install xrdp
sudo nano /etc/xrdp/startwm.sh
edit /etc/xrdp/startwm.sh and add these this lines before the lines that test and execute Xsession:
unset DBUS_SESSION_BUS_ADDRESS
unset XDG_RUNTIME_DIR
Enable the base XRDP server and the XRDP session manager start automatically on boot:
sudo systemctl enable xrdp
sudo systemctl enable xrdp-sesman
Start XRDP:
sudo systemctl start xrdp
sudo systemctl start xrdp-sesman
CAVEAT
There's a caveat with RDP in that it isn't always recognized as a "proper display" for some GUI apps and CLI commands that launch GUI apps. For the most part just about everything works fine over RDP, and its mostly some specialized and/or old/ancient software that really has this problem, but just something to keep in mind when working over RDP.
Complete the Look
Purely cosmetic. But we're trying to be professional here, and part of being professional is having a clean finish.
The Desktop background or wallpaper.
The CSI Linux wallpapers can be found here:
/opt/csitool/wallpaper/
My 2 cents, pick a DIFFERENT wallpaper from the direct KVM one, it will be a visual reminder of which you are using.
TODO: Polkit
When connected via RDP, it seems that the Power and Reboot options are not available; they're greyed out and not clickable. Running sudo reboot or sudo poweroff run just fine. This makes me suspect it's a Polkit permissions issue. While I understand the security reasons why polkit exists, I've never had any real success dealing with it. On my Kali hackbox, I just use this really super secure solution:
https://github.com/GabrielRamirez/Raspbian-Remote-Polkit-FullAccess
Ideally, I would be able to customize the permissions to deal with these access over RDP. I'm not really a fan of this kind of ham-fisted approach. For a hackbox that needs rebuilding every few months? Yeah sure whatever. For a finessed professional approach like CSI Linux? Ehhhh.... I'd rather not. There also seems to be a few other random issues (like scanning WiFi networks when clicking the WiFi icon in the top-right) that are similarly affected, so it's a bit more of a challenge than I can handle myself. Also, from a design perspective, CSI Linux doesn't seem to be designed for this kind of remote access. From a local VM with that direct KVM access? Sure. On base hardware either directly or via bootable USB? 100%. But, like, set up on an ESX or VM server and accessed via SSH/RDP? I'm not too sure... Myself I have the use-case for such access, but I'm not sure how/where that fits in with their direct Forensics ideology. So I will just leave this here for those who know what they're doing and need the quality-of-life improvements this brings.
DONE!
And finally, reboot and you're all set! Your CSI Linux is now good to go!
