Documentation Tsurugi Linux [LAB]

Tsurugi Linux [LAB] is a heavily customized Linux distribution based on Ubuntu 22.04 LTS version (64-bit with a 6.0.2 custom kernel) and is designed to support DFIR investigations, malware analysis and OSINT activities.

The initial release of Tsurugi Linux was on 03/Nov/2018 at the AvTokyo Security Conference in Japan. In 2019, a special section with many custom tools was added, focusing on computer vision investigations.

The main idea behind the Tsurugi Linux project is to simplifying complex forensic processes; however, to be able to work correctly and efficiently, basic Linux skills are mandatory.


Usually forensics workstations are powerful but if you need you can find here below the minimal recommended hardware configuration we suggest:

• 4 GHz dual core processor or better
• 5 GB RAM (system memory)
• 50 GB of free hard drive space

This is the minimal suggested setup, but keep in mind that many tools need much more power to run properly


To install Tsurugi Linux [LAB] you need before to start in live mode, to be able to unlock the Read Only protection on the local device due to kernel forensic patch. The installer is available on the desktop (red icon) or inside the system menu and you just need to follow the setup prompts.


• The Tsurugi Linux [LAB] live session default user is “tsurugi” and the password has been voluntarily left blank.
• In the virtual machine the default password is “tsurugi” and more details are available in the Virtualization section.

“TSURUGI Linux - the sharpest weapon in your DFIR arsenal”