DEFT has been a household name in digital forensics and intelligence work since its first release back in 2005. The distribution combines a GNU/Linux system with DART (Digital Advanced Response Toolkit), a suite dedicated to digital forensics and incident response. DEFT is touted as a top choice among security teams and law enforcement agencies for computer forensic investigations. But what makes DEFT such a capable distro? Let's take a look.
Depending on the DEFT edition you choose, the installation varies. On the standard edition the process is simple: the system is installed through a wizard that asks the user a few questions. The step that needs the most attention is partitioning the storage that will host the system. The minimum requirements are an x86 CPU at 200 MHz and 128 MB of RAM. DEFT Zero, based on Lubuntu, takes a different approach since it is a live edition: boot it up and start working.
Both editions of DEFT Linux offer two usage modes, a text mode and a GUI mode. Depending on which one you boot into, you get either a command-line interface or the LXDE desktop environment.
The most important tools and packages found in DEFT 8.2 include a file manager that shows the mount status of each disk, full support for BitLocker-encrypted disks, The Sleuth Kit 4.1.3, Digital Forensics Framework 1.3, full support for Android and iOS 7.1 logical acquisitions (via libimobiledevice and adb), JD-GUI, Skype Extractor 0.1.8.8, Maltego 3.4 Tungsten and a new version of the OSINT browser, in addition to a considerable number of Linux applications and scripts. Note that DEFT Zero ships with a smaller subset of these tools: password recovery and mobile forensics tools are not installed by default.
DEFT also ships the DART suite, a collection of Windows applications (both open source and closed source) that remain useful because they have no equivalent in the Unix world. DART organizes, collects and runs these tools in a "safe mode" for live forensic analysis and incident response. Its key feature is that an integrity check runs before each program is launched, so the examiner knows the tools being executed have not been altered. This rules out running binaries that malware on the target system has already tampered with.
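To make the "integrity check before launch" idea concrete, here is an added example of the pattern in Python. It is not DART's own code: DART's manifest format, hash algorithm and launcher are not described on this page, so the manifest layout, the `check_tool` and `run_trusted` helpers and the sample tool script are all assumptions for illustration.

```python
"""Integrity-gated tool launcher (constructed example, not DART's own code).

Idea: hash every tool once on a clean system, store the hashes in a manifest,
and refuse to launch any tool whose on-disk hash no longer matches.
"""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not read into memory at once


def sha256_file(path):
    """Streaming SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tool_dir):
    """Record the trusted hash of every file in tool_dir (done once, on a known-clean system)."""
    return {p.name: sha256_file(p) for p in sorted(Path(tool_dir).iterdir()) if p.is_file()}


def check_tool(tool_path, manifest):
    """Return (ok, reason); ok is True only when the current hash matches the manifest entry."""
    name = Path(tool_path).name
    expected = manifest.get(name)
    if expected is None:
        return False, "not in manifest"
    actual = sha256_file(tool_path)
    if actual != expected:
        return False, f"hash mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "ok"


def run_trusted(tool_path, manifest, args=()):
    """Launch the tool only if the integrity check passes; return None when refused."""
    ok, reason = check_tool(tool_path, manifest)
    if not ok:
        return None
    # The constructed "tool" is a Python script, so it is run with the interpreter.
    proc = subprocess.run([sys.executable, str(tool_path), *args],
                          capture_output=True, text=True, check=False)
    return proc.stdout.strip()


def demo():
    """Constructed scenario: one tool hashed while clean, then patched as malware would."""
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d) / "collect.py"
        tool.write_text('print("collecting volatile data")\n')
        manifest = build_manifest(d)
        before = run_trusted(tool, manifest)   # passes the check and runs
        tool.write_text('print("pwned")\n')    # simulate a tampered binary
        after = run_trusted(tool, manifest)    # refused: hash no longer matches
        return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest must be generated on trusted media and carried with the tools, never rebuilt on the suspect machine, otherwise a tampered binary simply gets a fresh "trusted" hash.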
DEFT Linux also includes tools for analysing mobile devices. SQLite Database Browser is available for examining SQLite databases, which most Android, iPhone and iPad applications use to store their data. There is ipddump for analysing BlackBerry backups; iPhone Analyzer for examining iPhone data from version 3 onward; iPhone Backup Analyzer for analysing iPhone backups; and BitPim, which supports a range of mobile phones. Note that these are not available by default on the DEFT Zero live disc.
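Most of the mobile artefacts above come down to walking an application's SQLite database whose schema you do not know in advance and making sense of its timestamps, which differ between platforms (iOS apps typically count seconds from 2001-01-01, Android apps milliseconds from 1970-01-01). The example below is added here and is not code from DEFT or any of the tools it ships; the two sample tables, their column names and the epoch-guessing heuristic are constructed for illustration.

```python
"""Walk an unknown app SQLite database and normalise its timestamps (constructed example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # iOS/macOS "Cocoa" epoch


def list_tables(conn):
    """Enumerate user tables from sqlite_master, the first step with an unfamiliar DB."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def decode_timestamp(value):
    """Guess the epoch from the magnitude of the value (a heuristic, assumed here).

    > 1e17 : nanoseconds since 2001 (newer iOS message stores)
    > 1e11 : milliseconds since 1970 (Android)
    > 1e9  : seconds since 1970 (Unix)
    else   : seconds since 2001 (Cocoa)
    Unix values before 2001-09-09 and Cocoa values before 2032 overlap, so always
    sanity-check the decoded date against other evidence.
    """
    v = float(value)
    if v > 1e17:
        return COCOA_EPOCH + timedelta(seconds=v / 1e9)
    if v > 1e11:
        return UNIX_EPOCH + timedelta(milliseconds=v)
    if v > 1e9:
        return UNIX_EPOCH + timedelta(seconds=v)
    return COCOA_EPOCH + timedelta(seconds=v)


def dump_table(conn, table, time_columns=()):
    """Return all rows of a table as dicts, with the named time columns rendered as ISO-8601 UTC."""
    # The table name comes from sqlite_master, but quote it anyway rather than trusting it.
    cur = conn.execute(f'SELECT * FROM "{table}"')
    cols = [d[0] for d in cur.description]
    out = []
    for row in cur.fetchall():
        rec = dict(zip(cols, row))
        for c in time_columns:
            if rec.get(c) is not None:
                rec[c] = decode_timestamp(rec[c]).strftime("%Y-%m-%dT%H:%M:%SZ")
        out.append(rec)
    return out


def build_sample_db():
    """Constructed DB: one iOS-style table (Cocoa seconds) and one Android-style table (Unix ms)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, text TEXT, date INTEGER);
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT, date INTEGER);
        INSERT INTO message VALUES (1, '+15550001', 'meet at 9', 504921600);   -- 2017-01-01 00:00:00 UTC, Cocoa s
        INSERT INTO sms VALUES (1, '+15550002', 'ok', 1483228800000);          -- 2017-01-01 00:00:00 UTC, Unix ms
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for t in list_tables(db):
        print(t, dump_table(db, t, time_columns=("date",)))
```

On a real acquisition, open the database copy read-only and keep any `-wal` and `-shm` files next to it, since recent writes may live only in the write-ahead log until a checkpoint.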
Other useful and popular software in DEFT includes dhash and Guymager for disk imaging and Catfish for finding files and folders. Other notable applications include Midnight Commander, Autopsy, Xplico, Hydra, KeepNote and Maltego. Once again, almost none of these are available on the DEFT Zero live disc.
Aside from the security tools, DEFT also comes with a complete suite of desktop productivity applications, including LibreOffice, Firefox 11, Chromium 18, Wine (for running Windows applications) and the other packages found in a default Lubuntu installation. The Chromium build that ships with it is customized "with several plugins and resources to perform 'Open Source Intelligence' related activities."
There are two main variants of DEFT currently available. The latest full version is DEFT 8.2, available as an ISO image and as a virtual appliance, and it has been available since 2015. The other variant is a lighter edition dubbed DEFT Zero, released in 2017. The main difference is that DEFT Zero needs considerably less RAM and less space on a CD-ROM or USB stick: about 400 MB, which lets it boot fully preloaded into RAM even on obsolete, low-resource hardware. It is based on Lubuntu 14.04.2 LTS, and future releases will be developed in parallel with the full DEFT version.
DEFT is a professional and stable system with excellent hardware detection and the best free and open source applications for incident response, cyber intelligence and other computer forensics and investigation tasks. DEFT is meant for the military, police, private security professionals, IT auditors and individuals alike. The latest releases are DEFT 8.2 and DEFT Zero. If you want to take it for a test drive, you can download the installation image from the project's download page. For the full experience, go with DEFT 8.2, as the new DEFT Zero comes with only a handful of the former's tools. Share your thoughts in the comment section below. Thanks for reading.
Mohd Sohail is a web developer and a Linux sysadmin. He also loves writing how-to articles and application reviews, and loves trying out new Linux distributions.