Installing Tsurugi Linux for DFIR Work

Security and Pentest Home Lab Environment

In this module, we are going to set up Tsurugi Linux, an OS pre-configured with many Digital Forensics & Incident Response tools. Before deploying the VM, we'll create a new interface in pfSense named SECURITY. This segment will isolate DFIR tools from the rest of the network.


➕ Add New Interface in VirtualBox

VirtualBox only allows 4 adapters via the GUI, but we can add more using the command-line. Before proceeding:

  • Ensure your pfSense VM is powered off
  • Confirm the VM name (e.g., "pfSense")

🔧 Create the Interface via PowerShell

Run the following in PowerShell:

```powershell
# Add adapter 6 and attach it to an internal network
VBoxManage modifyvm "pfSense" --nic6 intnet

# Set the adapter type to virtio-net (shows up as vtnet5 in pfSense)
VBoxManage modifyvm "pfSense" --nictype6 virtio

# Name the internal network "LAN 4"
VBoxManage modifyvm "pfSense" --intnet6 "LAN 4"

# Mark the virtual cable as connected
VBoxManage modifyvm "pfSense" --cableconnected6 on
```
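A quick way to confirm that all four settings landed on adapter 6 is to parse the output of `VBoxManage showvminfo "pfSense" --machinereadable` and compare it with what the commands above set. The script below is an added example, not part of the original post or of VirtualBox; the `nic6`/`nictype6`/`intnet6`/`cableconnected6` key names are those VBoxManage prints for adapter 6, and the embedded sample output is constructed (it deliberately carries the default adapter type so the check has something to flag). Run it with `--live` to query the real VM instead of the sample.

```python
"""Check adapter 6 of the pfSense VM against the module's VBoxManage commands.

Added example (not from the original post). Parses the key="value" lines of
`VBoxManage showvminfo <vm> --machinereadable` and reports every setting that
differs from what the module configured.
"""
import subprocess
import sys

VM_NAME = "pfSense"   # assumption: the VM name used in the module

# What the four modifyvm commands should have produced for adapter 6.
EXPECTED = {
    "nic6": "intnet",
    "nictype6": "virtio",
    "intnet6": "LAN 4",
    "cableconnected6": "on",
}

# Constructed excerpt of showvminfo output (not captured from a real lab VM).
# Adapter 6 was left on the default adapter type here, so the check flags it.
SAMPLE_OUTPUT = '''name="pfSense"
nic5="intnet"
nictype5="virtio"
intnet5="LAN 3"
cableconnected5="on"
nic6="intnet"
nictype6="82540EM"
intnet6="LAN 4"
cableconnected6="on"
nic7="none"
'''


def parse_machinereadable(text):
    """Turn key="value" lines into a dict; quotes are stripped, later keys win."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def check_nic(settings, expected=EXPECTED):
    """Return [(key, expected, actual), ...] for every setting that is off."""
    problems = []
    for key, want in expected.items():
        got = settings.get(key, "<missing>")
        if got != want:
            problems.append((key, want, got))
    return problems


def live_settings(vm_name=VM_NAME):
    """Query VirtualBox directly; needs VBoxManage on PATH."""
    out = subprocess.run(
        ["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_machinereadable(out)


if __name__ == "__main__":
    if "--live" in sys.argv:
        settings = live_settings()
    else:
        settings = parse_machinereadable(SAMPLE_OUTPUT)
    problems = check_nic(settings)
    for key, want, got in problems:
        print(f"{key}: expected {want!r}, got {got!r}")
    print("adapter 6 OK" if not problems else f"{len(problems)} setting(s) differ")
```

If the check reports a mismatch, re-run the corresponding `VBoxManage modifyvm` line with the VM still powered off; settings applied to a running VM are not picked up until the next boot.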

🧮 Assign Interface in pfSense

  1. Start the pfSense VM
  2. At the terminal prompt, press 1 to Assign Interfaces
  3. When asked whether to set up VLANs now, type n

Assign the interfaces:

  • WAN: vtnet0
  • LAN: vtnet1
  • OPT1: vtnet2
  • OPT2: vtnet3
  • OPT3: vtnet4
  • OPT4: vtnet5

Type y to confirm and onboard the new interface.


๐ŸŒ Configure Interface IP

  1. Back at the pfSense terminal, press 2 to Set interface(s) IP address
  2. Choose interface 6 (OPT4)

Configure the settings:

  • IPv4 Address: 10.10.10.1
  • Subnet Bit Count: 24
  • Skip upstream gateway (just press Enter)
  • IPv6: Disabled

Enable DHCP Server:

  • Start Range: 10.10.10.11
  • End Range: 10.10.10.243

When asked whether to revert the webConfigurator to HTTP, type n.

OPT4 is now active and ready for segmentation.


โœ๏ธ Rename OPT4 to SECURITY

  1. Log in to the pfSense web UI
  2. Navigate to: Interfaces โ†’ OPT4
  3. Set Description to: SECURITY
  4. Scroll down โ†’ Click Save
  5. Click Apply Changes when prompted

๐Ÿ›ก๏ธ SECURITY Interface โ€“ Firewall Rules

Go to: Firewall โ†’ Rules โ†’ SECURITY

๐ŸŸฅ Rule 1 โ€“ Block WAN Access

  • Action: Block
  • Address Family: IPv4+IPv6
  • Protocol: Any
  • Source: SECURITY net
  • Destination: WAN net
  • Description: Block access to WAN

Click Save. Ignore the Apply Changes popup for now.

🟥 Rule 2 – Block LAN Access

  • Action: Block
  • Address Family: IPv4+IPv6
  • Protocol: Any
  • Source: SECURITY net
  • Destination: LAN net
  • Description: Block access to LAN

Click Save. Ignore the popup again.

✅ Rule 3 – Allow Internet & Internal Traffic

  • Action: Pass
  • Address Family: IPv4+IPv6
  • Protocol: Any
  • Source: SECURITY net
  • Destination: Any
  • Description: Allow general traffic

Click Save, then Apply Changes on the popup.
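The three rules only isolate the segment because of their order: pfSense walks the SECURITY rule list top to bottom and the first match decides. The script below is an added example, not part of the original post or of pfSense, that models that first-match evaluation for the rules just created and flags any rule that an earlier, broader rule makes unreachable. Only the SECURITY subnet (10.10.10.0/24) appears on the page; the LAN and WAN subnets are assumed placeholders, and IPv6 is left out.

```python
"""First-match evaluation of the SECURITY interface rules.

Added example, not from the original post. Models pfSense's top-down,
first-match rule processing and detects rules shadowed by earlier ones.
"""
import ipaddress
from dataclasses import dataclass

# Lab subnets. Only SECURITY net is given on the page; the rest are assumed.
NETS = {
    "SECURITY net": ipaddress.ip_network("10.10.10.0/24"),
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),    # assumed
    "WAN net": ipaddress.ip_network("203.0.113.0/24"),    # assumed (TEST-NET-3)
}


@dataclass(frozen=True)
class Rule:
    action: str         # "block" or "pass"
    source: str         # alias from NETS, or "any"
    destination: str    # alias from NETS, or "any"
    description: str


# The three rules from the module, in the order they were created.
SECURITY_RULES = [
    Rule("block", "SECURITY net", "WAN net", "Block access to WAN"),
    Rule("block", "SECURITY net", "LAN net", "Block access to LAN"),
    Rule("pass", "SECURITY net", "any", "Allow general traffic"),
]


def _matches(alias, addr):
    """Does the alias match this single address?"""
    return alias == "any" or ipaddress.ip_address(addr) in NETS[alias]


def evaluate(rules, src, dst):
    """Return (action, description) of the first matching rule.

    Traffic that matches nothing hits pfSense's implicit default deny.
    """
    for rule in rules:
        if _matches(rule.source, src) and _matches(rule.destination, dst):
            return rule.action, rule.description
    return "block", "default deny"


def _covers(broad, narrow):
    """True when alias `broad` matches every address `narrow` can match."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return NETS[narrow].subnet_of(NETS[broad])


def shadowed(rules):
    """Descriptions of rules that can never fire because an earlier rule
    already covers all of their source and destination space."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier.source, later.source) and _covers(
                earlier.destination, later.destination
            ):
                out.append(later.description)
                break
    return out


if __name__ == "__main__":
    for dst in ("192.168.1.10", "203.0.113.5", "93.184.216.34"):
        print(dst, evaluate(SECURITY_RULES, "10.10.10.50", dst))
    misordered = [SECURITY_RULES[2], SECURITY_RULES[0], SECURITY_RULES[1]]
    print("shadowed when the pass rule is on top:", shadowed(misordered))
```

`shadowed()` returns an empty list for the order the module uses and lists both block rules if the pass-any rule is dragged above them, which is the failure mode to watch for when rules are later reordered in the web UI.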


🔄 Reboot pfSense

To apply the firewall changes:

  1. Navigate to Diagnostics → Reboot
  2. Click Submit

After reboot, pfSense will return to the login page, confirming changes have been applied.

📥 Download Tsurugi Linux

  1. Visit the official download page: Tsurugi Linux - Downloads
  2. Choose one of the mirror links and download the latest ISO (e.g., tsurugi-linux-2023.2.iso)
    • The ISO is ~16GB, so allow time for download.
  3. Once complete, you'll have a .iso image file ready for VM creation.

💻 Create Tsurugi Linux VM

  1. In VirtualBox, click Tools → New.
  2. Name the VM and select the downloaded .iso as the startup disk. Click Next.
  3. Set Base Memory to 4096MB → Click Next.
  4. Set Hard Disk size to 150GB
    • ⚠️ Tsurugi will fail to install with less than 110GB of storage.
  5. Click Finish once the summary looks correct.

📂 Organize the VM into Groups

  1. Right-click the VM → Move to Group → New
  2. Right-click the new group → Rename Group → Security
  3. Right-click the Security group → Move to Group → Home Lab
  4. The VM should now sit inside the Security group, which in turn sits inside the Home Lab group.

โš™๏ธ Configure the VM

  1. Select the VM โ†’ Settings โ†’ System โ†’ Motherboard
    • Boot Order: Ensure Hard Disk is first, followed by Optical
    • Uncheck Floppy
  2. โœ… For Tsurugi Linux 2024.1+, enable Enable EFI under Motherboard
  3. Go to Network โ†’ Adapter 1
    • Attached to: Internal Network
    • Name: LAN 4
  4. Click OK to save.

📀 Install Tsurugi Linux

  1. Start the VM → Press Enter to boot into GUI mode.
  2. On the desktop, double-click Displays → set resolution to 1600x1050 → Apply → Keep This Configuration
    • 📝 This is required to view the installer buttons.
  3. Double-click Install Tsurugi Linux 2023.2 to launch the installer.
  4. Scroll down in the window → Choose Language → Continue
  5. Select Keyboard → Continue
  6. Enable:
    • Install third-party software for graphics and Wi-Fi hardware and additional media features → Click Continue
  7. Click Install Now → Continue to write changes
  8. Set timezone → Continue
  9. Create user and password → Continue
  10. After installation completes, click Restart Now

If prompted to remove the installation medium, just press Enter to continue. Log in with the credentials you created.


🔧 Post-Install Configuration

📦 Install Guest Additions

  1. Go to Devices → Insert Guest Additions CD Image
  2. Authenticate with your password when prompted.
  3. Click the CD icon in the top-right → Select Mount VBox_GAs
  4. If the icon doesn't appear on the desktop, double-click the CD icon from the file manager
  5. Select Tools → Open Current Folder in Terminal
  6. Run the install command:

```shell
sudo ./VBoxLinuxAdditions.run
```

🧩 Finalizing Setup

🖥️ Enter Fullscreen Mode

After Guest Additions installation:

  1. Press Right Ctrl + F to enter Fullscreen Mode.
    • Press the same keys again to exit fullscreen.
    • The VM display will scale automatically to your monitor size.
  2. In the top-right corner of the VM window, click the CD icon → Select Eject VBox_GAs to safely remove the Guest Additions ISO.

โป Shutdown the System

To properly shut down the VM:

  1. Click the power icon next to the clock
  2. Select Shut Down from the menu
  3. Confirm by clicking Shut Down again

🔄 System Update

Keeping Tsurugi up to date is essential for tool compatibility and security.

  1. Open the Terminator terminal app from the desktop.
  2. Run the following command:
```shell
sudo apt update && sudo apt full-upgrade
```

If prompted during the update:

  • Press Enter to begin the installation
  • Enter your password when requested

This will ensure your Tsurugi system is fully up-to-date with the latest packages and patches.


🧷 Creating a VM Snapshot

Before proceeding to the next lab module, it's good practice to save your VM's current state.

  1. Shut down the Tsurugi VM
  2. Click the hamburger menu next to the VM name → choose Snapshots
  3. Click Take
  4. Enter a descriptive name like Tsurugi Clean Install
  5. Click OK
  6. Return to the main view via the Details tab

Creating a snapshot lets you quickly revert to this clean baseline if needed.


โญ๏ธ Whatโ€™s Next?

In the next module, weโ€™ll set up:

  • Ubuntu Linux
  • Download and install Splunk
  • Deploy the Splunk Universal Forwarder on the Domain Controller

This integration allows us to collect event logs and security telemetry from Windows systems in our Active Directory environment.

Next 👉 Setting Up Splunk: Basics & Configuration

This post is licensed under CC BY 4.0 by the author.