Forensic acquisitions must have the following aspects.
PALADIN is a free, bootable forensic Linux distribution based on Ubuntu and provided by SUMURI. Its boot process has been modified so that the internal and external media of the computer or device are neither altered nor mounted. PALADIN can be run from either a DVD or a USB drive.
Once booted, users have access to a wide range of precompiled open-source forensic utilities for a variety of tasks. At the heart of this toolkit is the PALADIN Toolbox, which consolidates and simplifies multiple forensic operations into an intuitive GUI (graphical user interface) that requires minimal training and no command-line interaction. The PALADIN Toolbox is built on applications that forensic examiners and investigators have relied on for years and whose reliability has been tested and upheld in numerous court proceedings.
Download the PALADIN ISO
- Navigate to www.sumuri.com.
- Sign into your account via the “My Account” menu. If you do not currently have an account, you will need to register for a free account.
- Navigate to the PALADIN page via the “Products” menu.
- Select the version of PALADIN that you would like to download.
- Name your price then select “Add to Cart”.
- Review your “Cart” then select “Proceed to Checkout”.
- Provide the requested information and select “Place Order”.
In order to safely boot PALADIN on standard PCs (non-Macs) please make sure that you are comfortable with the following:
- Disabling Secure Boot
- Setting Boot Options within the BIOS/UEFI
- Accessing the Boot Manager
After entering the BIOS/UEFI Setup Utility, navigate to the “Security” menu. From this menu you can disable the Secure Boot feature and save the changes. With Secure Boot disabled and your changes saved, shut down the computer. On the next start-up you can boot PALADIN.
Acquiring Evidence using PALADIN
Step 1: Boot the computer from the bootable PALADIN media.
Step 2: Choose the Forensic Mode.
Step 3: PALADIN will initiate its desktop interface upon booting.
Step 4: Navigate to the bottom-left corner, click on the “App Menu” and select “Paladin Tool Box” from the menu.
Step 5: The Tool Box will open.
Step 6: Select the source HDD to be acquired.
Step 7: Next, choose the desired image type.
Step 8: After selecting the image type, a new window will appear.
Step 9: Enter the case number and provide all the required details in the provided fields.
Step 10: Choose the destination drive, which must be another HDD connected via USB.
Step 11: Enter the label and then initiate the process by clicking “Start.”
Segmenting (optional): select this if you would like to divide your forensic image file into smaller segments or “chunks”. Due to Linux FAT32 limitations (VFAT), 2000 Mb is the largest segment size allowed.
Step 12: You will be able to observe the progress bar during the operation.
PALADIN provides the following types of logs:
1. Task Logs: keep a historical record of the “tasks” that have been executed within a single PALADIN Toolbox session.
2. System Logs: display information to assist with troubleshooting.
3. Module Specific Logs: show information relating to the module currently in use, typically as live output. For example, in the image below you are seeing Module Specific Logs for the Imager Module (“Imager 1” and “Imager 2”).
Upon completion, the interface will resemble the screenshot below.
The destination folder will contain the acquisition log files, which also record the hash values of the image.
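The hash recorded in the acquisition log is only useful if it is re-checked against the image on the destination drive, and with segmented images the segments must be hashed as one continuous stream. The following POSIX shell script is an added example and not part of PALADIN or SUMURI's tooling; the segment naming (image.001, image.002, ...) and the log line format "MD5: <hex>" are assumptions for this example.

```shell
#!/bin/sh
# Added example (not PALADIN code): re-hash a segmented forensic image and
# compare the result with the hash recorded in the acquisition log.
set -eu

# Hash the segments of BASE in DIR as one continuous stream, in segment order.
# The glob expands sorted, so .001 precedes .002 and so on (assumed naming).
# Usage: hash_segments DIR BASE ALGO   (ALGO is md5, sha1 or sha256)
hash_segments() {
  dir=$1; base=$2; algo=$3
  set -- "$dir/$base".[0-9][0-9][0-9]
  [ -e "$1" ] || { echo "no segments found for $base in $dir" >&2; return 1; }
  cat "$@" | "${algo}sum" | awk '{ print $1 }'
}

# Extract the recorded hash for ALGO from the log (assumed line "MD5: <hex>"),
# lower-cased so it compares cleanly with the output of the *sum tools.
# Usage: logged_hash LOGFILE ALGO
logged_hash() {
  log=$1; algo=$2
  grep -i "^${algo}:" "$log" | awk '{ print tolower($2) }' | head -n 1
}

# Return 0 when the recomputed hash matches the logged one, 1 otherwise.
# Usage: verify_image DIR BASE ALGO LOGFILE
verify_image() {
  dir=$1; base=$2; algo=$3; log=$4
  actual=$(hash_segments "$dir" "$base" "$algo")
  expected=$(logged_hash "$log" "$algo")
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Constructed sample: three tiny "segments" whose concatenation is the string
# "abc", plus a log recording its MD5. Real segments would be up to 2000 Mb each.
make_sample() {
  dir=$1
  mkdir -p "$dir"
  printf 'a' > "$dir/image.001"
  printf 'b' > "$dir/image.002"
  printf 'c' > "$dir/image.003"
  printf 'MD5: 900150983cd24fb0d6963f7d28e17f72\n' > "$dir/acquisition.log"
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
if verify_image "$demo_dir" image md5 "$demo_dir/acquisition.log"; then
  echo "image.001-003 match the MD5 recorded in acquisition.log"
else
  echo "HASH MISMATCH: image does not match the acquisition log" >&2
fi
rm -rf "$demo_dir"
```

On a real destination drive, point the functions at the image base name and the log written by the Imager module, and treat any mismatch as a failed acquisition.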
The main focus of this blog is on students and entry-level professionals.