Quick Start

Last updated: May 25th, 2020

What is NEMESIS OS?

DFLAB NEMESIS is a bootable forensic Linux distribution based on Ubuntu, developed and provided by DFLAB. The boot process has been modified to ensure that the internal or external media of computers and devices are not modified or mounted. Once booted, the user will find a host of precompiled open-source forensic tools that can be used to perform various tasks.

Booting NEMESIS OS

In order to safely boot NEMESIS on standard PCs please make sure that you are comfortable with the following:

● Disabling Secure Boot
● Accessing the Boot Manager

Disabling Secure Boot

Secure Boot is a security standard found in modern computers that only allows software trusted by the PC manufacturer to boot the computer. If Secure Boot is enabled on a PC, it will most likely need to be disabled to boot NEMESIS, which is based on Linux. To disable Secure Boot you will need to enter the BIOS/UEFI Setup Utility.

This is done by powering on the PC and pressing a “catch” key. This “catch” key can be different for every PC. The “catch” key is usually displayed for a couple of seconds after pressing the power key to turn on the PC. Common examples of BIOS/UEFI Setup Utility “catch” keys are: ESC, F1 or F2 keys.

Once you have safely entered the BIOS/UEFI Setup Utility you will need to find the “Security” menu where you can disable the Secure Boot option and save the changes. Once the Secure Boot option is disabled and the changes are saved you can then power off the computer, restart and boot with NEMESIS OS.

Accessing Boot Manager

Many PCs have a “catch” key to display a Boot Manager where the boot device can be selected without entering the BIOS/UEFI Setup Utility. Common examples of Boot Manager “catch” keys for some PCs are: F10 or F12. Once the Boot Manager is displayed choose the device where the NEMESIS-OS USB is inserted.

Quick Summary

1. Insert NEMESIS USB.
2. Disable Secure Boot.
3. Choose to boot to NEMESIS from the Boot Manager.

Getting Started

Default username and password for NEMESIS-OS:

Username: user
Password: 1234

Check For Updates

To make sure that you have the latest libraries and packages for your Linux OS, launch the terminal from the menu or with the shortcut Ctrl + Alt + T and enter the following command.

$ sudo apt update && sudo apt upgrade -y

Screen Recording


There are many reasons why anyone working in the digital forensics/incident response profession should have the ability to record the screen of their computer. Whether it is recording the actions taken during an investigation so another person can replicate them, recording an adversary's activity on a victim machine, or simply creating some training videos, screen recordings are a great source of information.

Screen recordings are a much better solution than trying to do a live demonstration of technology, and they allow the presenter to be confident in the results.


Configure Screen Recorder

Left Click

Start Recording

Right Click: Start/Stop


Useful Tip:

It is the job of an investigator to record what he sees and hears in such a way that it can be used in court to show what the resource did at the time of the investigation.

Without a recording, valuable evidence can disappear. A Web page or a Facebook wall, for instance, may display one thing now and something different five minutes later.

Forensic Image

The forensic imager contained in this package, guymager, was designed to support different image file formats, to be user-friendly and to run fast. It has a high-speed multi-threaded engine using parallel compression for best performance on multi-processor and hyper-threading machines.

The application is based on libewf and libguytools. Guymager is included in many popular distributions.


Features include:

  • Fast due to multi-threaded, pipelined design and multi-threaded data compression.
  • Easy user interface available in different languages.
  • Makes full use of multi-processor and hyper-threading machines: the internal structure is based on separate threads for reading, MD5 calculation and writing, and includes a parallelised compression engine.
  • Generates flat (dd), EWF (E01) and AFF images, supports disk cloning.
  • Extended acquisition info file.

Secure No Mounting System

On NEMESIS-OS the auto-mount options are disabled by default. Disabling auto-mounting is necessary to make sure that nothing changes on the original disk.

Forensic Analysis

Click on the "Autopsy" icon on the desktop. Follow the on-screen instructions.


Mount Drives Read Only

Step 1 - Open Disk Utility


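Step 2 - Open Terminal & Mount

  • Open Terminal
  • Create mounting point
      $ sudo mkdir -p /media/$USER/investigation
  • Mount Disk As Read Only (/dev/drive stands for the device node of the disk under investigation; the block device is set read-only before it is mounted so that no write can reach it during the mount, and noload skips journal replay on ext3/ext4 file systems)
      $ sudo /sbin/blockdev --setro /dev/drive && sudo mount -o ro,noatime,noload,loop /dev/drive /media/$USER/investigation
  • Unmount Disk
      $ sudo umount /media/$USER/investigation
  • Remove Mount Directory (rmdir only removes an empty directory, so it refuses to run if the disk is still mounted)
      $ sudo rmdir /media/$USER/investigation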
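Verifying the read-only mount from Step 2: the script below is an added example, not part of NEMESIS OS or its documentation. It checks the mount table for a whole "ro" option (so that "errors=remount-ro" on a writable mount is not mistaken for read-only) and queries the device with blockdev --getro. The function names and the sample mount table are constructed for illustration.

```sh
#!/bin/sh
# Added example: confirm that an evidence mount really is read-only.

# Constructed sample in /proc/self/mounts format:
# device  mountpoint  fstype  options  dump  pass
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/loop7 /media/user/investigation ext4 ro,noatime 0 0
/dev/sdc1 /media/user/usbstick vfat rw,nosuid,nodev,relatime 0 0'

# mount_options MOUNTPOINT [MOUNTS_TEXT]
# Prints the option string of the last entry for MOUNTPOINT
# (a later mount shadows an earlier one on the same path).
# Without MOUNTS_TEXT the live table in /proc/self/mounts is read.
mount_options() {
    _mo_text=${2-$(cat /proc/self/mounts)}
    printf '%s\n' "$_mo_text" |
        awk -v t="$1" '$2 == t { o = $4 } END { if (o != "") print o }'
}

# is_read_only MOUNTPOINT [MOUNTS_TEXT]
# Returns 0 if mounted with "ro" as a whole option,
#         1 if mounted writable, 2 if not mounted at all.
is_read_only() {
    _ro_opts=$(mount_options "$@")
    [ -n "$_ro_opts" ] || return 2
    case ",$_ro_opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# verify_evidence_mount DEVICE MOUNTPOINT
# Checks both layers: the block device flag and the mount options.
# blockdev --getro prints 1 when the device is flagged read-only.
verify_evidence_mount() {
    [ "$(sudo /sbin/blockdev --getro "$1")" = "1" ] ||
        { echo "device is writable: $1" >&2; return 1; }
    is_read_only "$2" ||
        { echo "not mounted read-only: $2" >&2; return 1; }
    echo "OK: $1 and $2 are read-only"
}
```

After the mount command in Step 2, load the functions into the terminal and run verify_evidence_mount /dev/drive /media/$USER/investigation before opening any files on the disk.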