19th Sep 2020

Tsurugi Linux - First Impressions

I've been a UNIX/Linux system admin for 20+ years, and laterally moved over to a DFIR team about 2 years ago now. It's been a lot of fun, and I've learned a lot from my colleagues (and had a few incidents along the way, oof). Of course, with a new position comes new responsibilities, and the best part - new tools!

At work I generally used the 'desktop of the day' as a daily driver as required - Win7/Win10 - but I'd always have Cygwin tucked into a little corner in case it was needed (which it was...a lot), plus I always had several VMs in my homelab running Linux if I needed to do anything on that front. After moving to the blue team, though, I was given a nice and shiny analysis machine that I get to put anything on to test (read: destroy at will). Of course, said analysis machine is isolated within my home network (vlan malware) and can't reach anything else on the LAN except to get out to the Internet. For my first 3 months, that machine had Win10. I got sick of that pretty quickly, and pulled out Kubuntu (I'm a sucker for KDE, what can I say) in various revisions up until 24 hours ago.

I decided to give Tsurugi Linux a try, as it is backed by several Deft Linux/Backtrack veterans, all united in giving a DFIR-focused distribution to the community (I'd consider other distros like Kali as sort of fitting into that mix, but Kali seems to be more geared towards pentesters). My first surprise was that it was based on Ubuntu 16.04.7 LTS (as of today), which is supported until April 2021 (if I read the release support right). As I've been using 20.04 LTS more recently, I winced a little at that..but I had no reason to worry, as you'll see.

The largest problems I've had were with installation - mostly because my HP Zbook 17 G3 is an absolute pain to get to work. I don't know if HP just has a screwy implementation of UEFI, or what - but it took several hours to get a working boot via pendrive to install, plus I had issues actually creating an ext4 filesystem on a secondary disk in the system (it kept throwing errors - I actually installed Win10, rebuilt an NTFS filesystem on that disk, deleted it, and then rebuilt it on a Kubuntu Live CD and was finally able to make the fs I wanted). I don't think that was a Tsurugi issue, though - probably more my hardware.

Over the past 24 hours, I've been taking notes on my experiences with Tsurugi, and would be happy to hear people's suggestions or responses. Like I mentioned before, it's based off 16.04.7 LTS, which is a little long in the tooth and may cause you to wince (ngl) - however, in my experience so far it's been nothing but fast on response, with no lag to speak of (and a plus, at least for me: no snaps). The default desktop is MATE, and with the default settings my laptop went to max resolution with no issues. I did receive a DM on Twitter about a user having issues with disk encryption, but I didn't choose that option on installation.

I love the samurai background (the opening audio did startle me the first time), and the desktop is pretty tastefully designed. Everything was very clear and concise - and it was very easy to find what I was looking for via the upper menu (Applications/Places/System), with a primary TSURUGI menu holding many, if not all, of the DFIR tools in this release. The rest of the tools were right at your fingertips via menu, or if you're like me and prefer ALT-F2 to just run something, that pops up a small window with a list of known applications.

Primary/most used selections are on the desktop, with informational notes popping out of the nooks and crannies of the system desktop (the system monitoring in the top bar, a single-click screen lock, plus network up/down monitoring, cpu information, and the standard bluetooth, networking, sound, battery and time/date info in the upper right round it out). The greatest thing I found, however, was the transparent SYSTEM window on the right side of the screen, with a plethora of system information available at a glance. A 10/10 on the UI design!

I'll probably get into more of the DFIR tools in the distro later. I did use several of the built-in tools, and some do need updating (the pdfparser shipped is 0.6.8, which means it doesn't have the 0.7.0+ -O option to inspect object streams; ddrescue complained it was out of date and to move to 2.1.1), but these were not showstoppers (I updated pdfparser immediately, though).

The odd thing is there was one feature - just one! - that made me both love it and be annoyed by it at the same time - and that is the TSURUGI device unlocker. This stands in front of everything attaching to the system, and from what I can tell, BLOCKS r/w access to a device until you enable r/w on the device. Don't get me wrong - this is a GREAT thing if you don't have a write blocker available to you, and as it's automatic you won't have an accidental brain fart causing you to want to imitate Homer Simpson ("Whoops, I just overwrote a ton of data for an incident. Oh, well. Time for a break and a pink sprinkled donut!").

If you're just working with a disk here or there, it won't bug you that much. If you're moving a USB key/portable drive around a lot in order to get data from one device to another (again, since I'm on an isolated network), this is going to annoy the heck out of you, especially when you forget to click the radio button to enable r/w and you've already tried copying the data to it (get ready for permissions errors, kids!). Today, I spent a lot of time working on an incident, and this tripped me up several times after trying to copy data. I know it's a behavior thing - over time, it'll become second nature - plus, the ONE time it may save you from destroying a bunch of work will make it absolutely worthwhile. I'll see how this works out in the future.
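The "permissions error after you already started the copy" problem above is easy to catch before the copy starts. The script below is an added example and not part of this post or of Tsurugi Linux: a small POSIX sh pre-copy guard that reads the mount table (/proc/mounts by default) and refuses to copy unless the destination is a mount point with the `rw` option. It assumes the write block shows up as a read-only mount in the mount table, which is how a kernel-level read-only mount is recorded; the post does not say how the Tsurugi unlocker implements its block, so treat this as a generic check rather than a description of that tool. The sample mount table and device names in it are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the post or from Tsurugi): refuse to copy onto a
# destination unless it is a read-write mount, instead of finding out from a
# permissions error halfway through.

# mount_opts MOUNTPOINT [MOUNTS_FILE]
# Print the mount options of MOUNTPOINT from the mount table (default
# /proc/mounts). If the path is mounted more than once, the last entry wins,
# which is the one the kernel exposes. Prints nothing if not a mount point.
mount_opts() {
    mp="$1"
    table="${2:-/proc/mounts}"
    awk -v mp="$mp" '$2 == mp { opts = $4 } END { if (opts != "") print opts }' "$table"
}

# is_ro_mount MOUNTPOINT [MOUNTS_FILE]
# Exit status: 0 = mounted read-only, 1 = mounted read-write, 2 = not a mount point.
# Matching on ",ro," avoids false hits on options like "errors=remount-ro".
is_ro_mount() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# safe_copy SRC DEST_DIR [MOUNTS_FILE]
# Copy SRC into DEST_DIR only when DEST_DIR is a read-write mount point.
# Refusing when DEST_DIR is not a mount point at all catches the other classic
# mistake: the drive never mounted and the copy lands on the system disk.
safe_copy() {
    src="$1"; dest="$2"; table="${3:-/proc/mounts}"
    rc=0
    is_ro_mount "$dest" "$table" || rc=$?
    case $rc in
        0) echo "refusing: $dest is mounted read-only; enable r/w on the device first" >&2; return 1 ;;
        2) echo "refusing: $dest is not a mount point; the copy would land on the system disk" >&2; return 1 ;;
    esac
    cp -- "$src" "$dest"/
}

# Constructed sample mount table (hypothetical devices, not a real system),
# used by the demo and by tests. On a live system pass no table argument.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/evidence ntfs ro,nosuid,nodev,relatime 0 0
/dev/sdc1 /media/transfer vfat rw,nosuid,nodev,relatime 0 0
EOF

# Demo against the constructed table; run with RUN_DEMO=1 to see the messages.
demo() {
    for mp in /media/evidence /media/transfer /media/nothere; do
        rc=0
        is_ro_mount "$mp" "$SAMPLE_MOUNTS" || rc=$?
        echo "$mp -> is_ro_mount exit status $rc"
    done
    note=$(mktemp); echo "case notes" > "$note"
    safe_copy "$note" /media/evidence "$SAMPLE_MOUNTS" || echo "copy to /media/evidence blocked as expected"
}
if [ -n "${RUN_DEMO:-}" ]; then demo; fi
```

In day-to-day use you would call `safe_copy file /media/transfer` with no table argument so it reads the live /proc/mounts; the extra argument exists only so the logic can be exercised against the constructed table without a real drive attached.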

So that's my 24h review of Tsurugi. All in all, I think it's great. Polished, very intuitive, and with all your DFIR tools located in logical groupings - you may never want to use something else again. If you want to try something new, I'd really recommend giving it a shot - it may just surprise you. I'll give another update in a month. We'll see how it goes until then!

Be well, everyone.

