In this post, we shall look at an inexpensive way of learning to capture a forensic image in the Advanced Forensics Format (AFF) using a write blocker, and then loading it into the Digital Forensics Framework on Kali Linux.
The first stage in any forensics examination is capturing an image of the drive/s in question utilizing a write blocker.
One of the most popular makes of write blocker is Tableau, but these are quite expensive, at around the £250 mark, which puts them out of reach of a student / hobbyist budget.
I came across this USB3 drive bay with write blocking support made by Coolgear. The drive bay supports SATA and IDE drives in both 2.5″ and 3.5″ formats and only costs $38.00.
The problem was that it could not be bought in the UK as there were no stockists, but a quick bit of Googling solved the problem. The images below show the Coolgear setup for both a SATA 2.5″ drive and an IDE 3.5″ drive.
The next stage is to use Guymager to create an image of our target drive in AFF format. The video below shows how to do this.
Kali Linux does not have AFF file support built into the Digital Forensics Framework, so first we need to install the AFF development libraries and then build the Digital Forensics Framework from source, as per the last stage in my previous post here.
We now have our binaries in /usr/local/bin/dff-gui. If we start this from a terminal, we can see that we have DFF with AFF support, as shown in the video below.
The combination of Kali Linux and the Coolgear write blocker gives us a forensic solution for under £50 that allows a student or any person interested in digital forensics to get started. There are also a number of forensic images available on the net for those interested in digital forensics; these are often in the form of a challenge.