Digital evidence and forensics toolkit Linux

Digital Evidence and Forensics Toolkit (DEFT) Linux comes in a full version and a lighter version called DEFT Zero. For forensic purposes, you may wish to download the full version as the Zero version, does not support mobile forensics and password-cracking features.

• Homepage: http://www.deftlinux.net/about/
• Based on: Ubuntu Desktop
• Distribution type: Forensics and incident response

Like the other distros mentioned in this list, DEFT, as shown in the following screenshot, is also a fully capable live response forensic tool that can be used on the go in situations where shutting down the machine is not possible and also allows for on-the-fly analysis of RAM and the swap file:

When booting from the DEFT Linux DVD, bootable flash, or other media, the user is presented with various options, including the options to install DEFT Linux to the hard disk, or use as a live-response tool or operating system by selecting the DEFT Linux 8 live option, as shown here:

In the previous screenshot, it can be seen that there are several forensic categories in DEFT Linux 8 such as Antimalware, Data Recovery, Hashing, Imaging, Mobile Forensics, and Network Forensics, Password recovery, and Reporting tools. Within each category exist several tools created by various developers, giving the investigator quite a variety from which to choose.

For a full list of the features and packages included in the Digital Evidence Forensic Toolkit (DEFT) Linux OS at the time of this publishing, please visit the following link:

http://www.deftlinux.net/package-list/