
New Linux Distro for Mobile Security, Malware Analysis, and Forensics

August 16, 2012 by Jay Turla

Yes, you read the title right, and I hope I just grabbed your attention! A new GNU/Linux distribution (distro) designed to help you with every aspect of your mobile forensics, mobile malware analysis, reverse engineering and security testing needs has just been unleashed, and its alpha version is now available for download for you to try out.

Guys, meet the new Santoku Linux! A santoku is a general-purpose kitchen knife that originated in Japan; the name means "three virtues" or "three uses" (Wikipedia). The distribution itself is not from Japan, but the name was suggested by Thomas Cannon of viaForensics (who happens to be the project leader of Santoku Linux) because the distribution was crafted specifically for Mobile Forensics, Mobile Malware Analysis, and Mobile Security Testing. The current alpha release is based on a fork of the OWASP (Open Web Application Security Project) MobiSec Ubuntu distro, which makes this alpha release an OWASP MobiSec Remix (released under the GPL) with added tools from viaForensics and some of its contributors and supporters. The project is sponsored and launched by viaForensics, a well-known and very innovative digital forensics and security firm that specializes in computer and mobile forensics, mobile application security, enterprise security, information security and penetration testing, and forensics training.


The Three Virtues or Three Uses

Like I said, Santoku Linux is aimed at Mobile Forensics, Mobile Malware Analysis, and Mobile Security Testing. These three aims are called the three virtues or three uses of the distribution, and they are the very foundation for its existence. With these three virtues, users can use the free and open source tools and some of the commercial tools in Santoku Linux to forensically acquire and analyze data, examine mobile malware, detect malicious software, and support security assessments of mobile applications, all of which matter because of the increasing amount of malware that has plagued users of mobile phones and smartphones. If you are into mobile security and mobile forensics, then this distribution is definitely right for you.

Mobile Forensics:

  • Firmware flashing tools for multiple manufacturers
  • Imaging tools for NAND, media cards, and RAM
  • Free versions of some commercial forensics tools
  • Useful scripts and utilities specifically designed for mobile forensics

Mobile Malware Analysis:

  • Mobile device emulators
  • Utilities to simulate network services for dynamic analysis
  • Decompilation and disassembly tools
  • Access to malware databases

Mobile Security Testing:

  • Decompilation and disassembly tools
  • Scripts to detect common issues in mobile applications
  • Scripts to automate decrypting binaries, deploying apps, enumerating app details, and more

List of Tools for the Alpha Release

Aside from the platform's three endeavors of Mobile Forensics, Mobile Malware Analysis, and Mobile Security Testing, this platform can also be used for Application Security Testing and Penetration Testing. At the moment, the tools included in the July 2012 alpha release are categorized into Development Tools, Reverse Engineering, Penetration Testing, Wireless Analyzers, Device Forensics, and Mobile Infrastructure.

Development Tools:

  • Android SDK Manager
  • Apple Xcode IDE
  • BlackBerry JDE
  • BlackBerry Tablet OS SDK
  • BlackBerry WebWorks
  • DroidBox
  • Eclipse IDE
  • Windows Phone SDK
  • Android 2.3.3, 3.2, and 4.0.3 Emulators
  • SecurityCompass Lab Server (HTTP and HTTPS)
  • BlackBerry Ripple
  • BlackBerry Simulators

The set of tools in this category contains software development kits (SDKs, or devkits) plus the Eclipse IDE (Integrated Development Environment) for creating or coding applications for mobile platforms. Aside from the development environments, it also comes with emulators and simulators for Android and BlackBerry. Thus, you can test against Android versions 2.3.3, 3.2, and 4.0.3 for your hacking needs.

Penetration Testing:

  • CeWL
  • DirBuster
  • Fierce
  • Nikto
  • nmap
  • Burp Suite
  • Mallory
  • w3af Console
  • w3af GUI
  • ZAP
  • BeEF
  • Ettercap
  • iSniff
  • Metasploit Console
  • Metasploit GUI
  • NetSed
  • SET
  • SQLMap
  • SSLStrip

With the addition of the tools in the Penetration Testing category, users can do penetration testing more easily, without the hassle of installing their favorite pentesting tools for web applications and servers, because pentesting is very important. And so, fire it all up!

Reverse Engineering:

  • APK Tool
  • Dex2Jar
  • Flawfinder
  • Java Decompiler
  • Strace

With the set of tools for Reverse Engineering, users will be able to reverse engineer third-party, closed, binary Android apps and rebuild them more easily. This makes it your everyday distro for examining source code and looking for security weaknesses, as well as for decompilation and debugging. This is very important because nowadays a lot of developers who do not practice or are not aware of safe coding have released their software on the Android Market.

Wireless Analyzers:

  • Aircrack-ng
  • Kismet
  • Ubertooth Kismet
  • Ubertooth Spectrum Analyzer
  • Wireshark

Santoku Linux also includes tools for wireless spectrum analysis, packet analysis of wireless devices, sniffing the network, and monitoring wireless networks. And of course, it can also be used for cracking and retrieving WEP and WPA/WPA2 keys, just like other penetration testing distros out there, which saves you the time you would otherwise spend installing your favorite Aircrack-ng suite.

Device Forensics:

  • AFLogical Open Source Edition
  • Android Encryption Brute Force
  • BitPim
  • BlackBerry Desktop Manager
  • Foremost
  • iPhone Backup Analyzer
  • MIAT
  • Paraben Device Seizure
  • Sift Workstation
  • Sleuth Kit
  • SQLiteSpy

The Device Forensics tools will help you with analyzing data, data recovery, data manipulation and exploration, investigating disk images, seizing digital evidence, software auditing, and testing the security of your mobile phones. Paraben Device Seizure, for example, has been giving forensic examiners access to mobile device data for over 10 years and is recognized as the first tool for the forensic analysis of cell phones.

Mobile Infrastructure:

  • BES Express
  • Google Mobile Management
  • iPhone Configuration Tool

The tools in this category will help you with a mobile phone's configuration and the installation of its apps or platforms. Take for example the iPhone Configuration Tool, which lets you easily create, maintain, encrypt, and push configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs[1], and BlackBerry Enterprise Server Express, which is free software for mobilizing email platforms for growing businesses[2].

There are tools that are still to be updated or added, and if you want a cool tool added to the distribution, then feel free to drop your message or request on the contact page of the Santoku Linux official website. Remember, Santoku Linux is by the community and for the community. It is still an alpha release, so expect more tools to be added and more improvements.

Getting Started (for newbies)

Santoku can be downloaded at (official website), and the full .iso image is over 3 GB, so be sure you have a fast connection. Santoku is a pre-configured Linux environment, so if you want to install it on your computer or laptop as one of your operating systems (multi-boot or dual boot) or as your primary operating system, you need to create a bootable DVD or USB from the ISO image. Then boot from the bootable or live DVD by setting it as your first boot device. If all goes well, you should see something like this:

If you really want to install Santoku Linux, choose the third option, "install - start the installer directly"; if you just want to try it out before installing it, choose "live - boot the Live System". The installer lets you choose your language, time zone, and clock settings, and lets you either erase the entire hard disk or install alongside other operating systems. However, if you have chosen the first option, which boots you into the pre-configured Linux environment without installing it, you should see a graphical interface that asks you for a password.

Type the word "santoku" into the password box. The next thing you should see is the desktop wallpaper of a santoku knife, and now you can start playing with the distro.

And if you want to boot or emulate it with Oracle's VirtualBox, you can just follow the instructions on the official Santoku blog.

Santoku Pro

You may be wondering why there is a link for Santoku Pro on the download page of the official Santoku Linux website, so let me explain a few things about it. The Santoku Pro version will be released later this year (2012), and it will offer an easy-to-use interface for mobile application security assessment. So be sure to subscribe to the mailing list to stay updated on this version and on new tool updates, because there are still a lot of tools that will soon be added to this new distribution as the Santoku community of contributors grows. Stay tuned!

Santoku Linux Download Page:

Note: Thanks to Infosec Institute for letting me promote Santoku Linux on their popular and very informative resource page and kudos to Thomas Cannon for heading this project and letting me join his community as a supporter or a contributor.



Jay Turla

Jay Turla is a security consultant. He is interested in Linux, OpenVMS, penetration testing, tools development and vulnerability assessment. He is one of the goons of ROOTCON (Philippine Hackers Conference). You can follow his tweets @shipcod3.