Documentation Tsurugi Linux [LAB]

Tsurugi Linux is a heavily customized Linux distribution (first release 03/Nov/2018 at AvTokyo security conference in Japan) based on Ubuntu 16.04 LTS version (64-bit with a 5.4.2 custom kernel) and is designed to support DFIR investigations, malware analysis and OSINT activities. Since 2019 has been added also a special section dedicated to computer vision investigations with many custom tools.

Two repositories (master and development) have been created to be able to deliver bugfix, improvements and custom updates. Other security updates are guaranteed by officials Ubuntu repositories.

The main idea behind the Tsurugi Linux project is about simplicity as far as the topics can be really complex, however basic Linux skills are mandatory to be able to work correctly and make the most of it.


Usually forensics workstations are powerful but if you need you can find here below the minimal recommended hardware configuration we suggest:

• 2 GHz dual core processor or better
• 4 GB system memory
• 30 GB of free hard drive space


To install Tsurugi Linux [LAB] you need before to start in live mode, to be able to unlock the Read Only protection on the local device due to kernel forensic patch. The installer is available on the desktop (red icon) or inside the system menu and you just need to follow the setup prompts.


• The Tsurugi Linux [LAB] live session default user is “tsurugi” and the password has been voluntarily left blank.
• In the virtual machine the default password is “tsurugi” and more details are available in the Virtualization section.

“TSURUGI Linux - the sharpest weapon in your DFIR arsenal”