
How to install Skadi from a USB Drive

@AlanOrlikoski edited this page Nov 18, 2018 · 10 revisions

Written by: Filip Vlasic @s4vgR

About Skadi

A couple of weeks ago I learned about Skadi, developed by Alan Orlikoski @AlanOrlikoski. Skadi is a free, open source, Ubuntu-based VM that enables the collection, processing and advanced analysis of forensic artifacts and images. It contains the following great tools:

  • Plaso
  • CDQR
  • CyLR
  • Docker
  • ElasticSearch, Logstash, Kibana (ELK)
  • Redis
  • Neo4j
  • Celery
  • Cerebro

The issue

Skadi is available as a VMDK machine and there is also an option to install it on an existing Debian-based server. I wanted to install it on a physical server, but it wasn’t possible since Debian-based repositories are blocked in my company by security. So, the only option was to build a bootable USB stick.

Creating a bootable Skadi USB/ISO

First try

First, I tried to make a bootable ISO image using this tutorial:

https://www.turnkeylinux.org/blog/convert-vm-iso

But I was unsuccessful because of several problems. The tklpatch package is no longer available in the Ubuntu repository. I solved this problem by downloading its scripts from GitHub. It seemed to be okay, but every time you jump over one wall, another appears. In short, I tried it on Ubuntu and also on CentOS, but with no success.

Reading the comments section of the tutorial, it’s actually obvious that the process is outdated, but as I’m an optimistic person, I gave it a try.

22nd try

Then a simple idea came into my mind: “Wait a moment… This is Ubuntu. There must be some tool to make a bootable image.” And I found one – Systemback. It is an open source system backup and restore application, but it also has the functionality I needed: creating bootable disks/images.

This is a tutorial on how to use it:

https://www.techrepublic.com/article/create-a-live-system-iso-for-your-ubuntu-based-linux-machines-using-systemback/

Unfortunately, I wanted to make an image of the Skadi Server version, but because the Systemback feature I needed is only available in its GUI version, I had to use Skadi Desktop.

Some install tips

After creating a bootable USB stick, proceed to install Skadi on a physical server. Installation is a typical Ubuntu one:

Create a new user.

Here it is recommended to define two partitions: a smaller one for the system and another one for logs and images (aka evidence). In this example there are two partitions of equal size:

It is also important to check the checkbox "Transfer user configuration files".

I would also like to invite everybody interested to join the Skadi Community Slack.

Download

Download ISO Image

ISO to USB Program

There are many programs to transfer the ISO to make a bootable USB drive.

  • Using Linux: Systemback can create the bootable USB
  • Using Windows: Rufus can create the bootable USB