Buscador Investigative Operating System

Buscador is a Linux Virtual Machine that is pre-configured for online investigators. It was developed by David Westcott and Michael Bazzell, and distributions are maintained on this page. The current build is 3.5GB and includes the following resources:

Custom Firefox Install and Add-Ons
Custom Chrome Install and Extensions
Tor Browser
Custom Video Manipulation Utilities
Custom Video Download Utility
Recon-NG
Maltego
Creepy
Metagoofil
MediaInfo
ExifTool
Spiderfoot
Google Earth Pro
Metadata Anonymisation Toolkit
EyeWitness
EmailHarvester
theHarvester
HTTrack Cloner
Aquatone
Knock Pages
Sublist3r
Twitter Exporter
Tinfoleak
InstaLooter
BleachBit
VeraCrypt
KeePassXC
LibreOffice
VLC
PDF Viewer

Installation Notes

You will need a Virtual Machine application in order to use this system. VirtualBox is free and will suffice for most investigations. Some users prefer a more robust option with VMWare Workstation for Windows or VMWare Fusion for Mac. Any of these options will get you started.

VirtualBox Installation and Configuration:

* Make sure you have the latest version of VirtualBox and the VirtualBox Extension Pack installed
1) In the VirtualBox menu, click on File > Import Appliance
2) Navigate to the OVA file that was downloaded (Buscador)
3) Choose this file and select "Import"
4) Before starting the new machine, highlight it and choose "Settings"
5) Under General > Basic, rename this machine as desired (Buscador?)
6) Under General > Advanced, change Shared Clipboard to Bi-Directional
7) Under System > Motherboard, increase the RAM if you have ample resources (half of total system memory)
8) Under Display > Screen, increase the Video Memory to 128MB if available
9) Under Storage, click the small "plus" in the lower left corner, "Add Optical Drive", and "Leave Empty"
10) Under Shared Folders, click the "plus" on the right, choose folder to store evidence, select "Auto-Mount"
11) Click "OK" and launch the new machine
12) Upon boot, log in as the user "osint" with the password osint
13) In the VirtualBox Menu, select Devices > "Insert Guest Additions CD Image"
14) Allow the image to be installed, and reboot upon completion.
15) Start the Terminal in the new VM and type sudo adduser osint vboxsf
16) Provide the password as needed (osint)
17) Reboot

You should now have access to the shared directory in order to save data to the host operating system (evidence). It can be found in the File Manager (Home), on the left column, titled "sf_" followed by the name of the folder to which it is connected. This shared folder will also be on your desktop for easy access. You can make the machine full-screen, copy and paste text to and from the image, and you are ready to begin using the applications.

VMWare Installation and Configuration:

1) In the VMWare menu, select File > Import > Select OVA
2) Select the location where the VM will be imported and click "OK". Click "Retry" if the initial import fails
3) Power on the VM and log in to the OS
4) Install VMware tools as appropriate for your version:

VMWare Fusion: In the menu, select Virtual Machine > Install VMware Tools
VMWare Workstation: In the menu, select VM > Install VMware Tools
VMWare Player: In the menu, select Player > Manage > Install VMware Tools

5) Open (Double Click) the VMware Tools CD mounted on the desktop
6) Right-click the file named similar to VMware.xx.tar.gz, click "Extract to", and select Desktop
7) Open Terminal (Select 'No' to avoid an update) and type cd Desktop/vmware-tools-distrib
8) Type sudo ./vmware-install.pl and enter password (OSINT).
9) Type Y when prompted about downloading from the Linux repository
10) Accept all default values by pressing the Enter/Return key at every prompt.
11) Reboot the VM
12) Enable Shared Folders from the file menu: Settings > Options > Shared Folders (Always Enabled)
13) Add a Shared Folder by selecting the desired folder on the host OS
14) Create a shortcut to the shared folder on the desktop with the following command in the terminal:
ln -s /mnt/hgfs/foldername /home/osint/Desktop/Shared_Folder

Usage Notes

A great feature of virtual machines is the use of Snapshots. These "frozen" moments in time allow you to revert to an original configuration or preserve an optimal setup. Most users install the virtual machine as detailed above, and then immediately create a snapshot of the unused environment. When your virtual machine eventually becomes contaminated with remnants of other investigations, or you accidentally remove or break a feature, you can simply revert to the previously created snapshot and eliminate the need to ever re-install.

VirtualBox use of Snapshots

1) Completely shut down the Virtual Machine
2) In the VirtualBox Menu, click on the Snapshots button in the upper right
3) Click on the blue camera icon to "take a snapshot"
4) Create a name and any notes to remind you of the state of the machine, such as "New Install"
5) Click OK

You can now use your virtual machine as normal. If you ever want to revert to the exact state of the machine that existed at the time of the snapshot, follow these instructions:

1) Completely shut down the Virtual Machine
2) In the VirtualBox Menu, click on the Snapshots button in the upper right
3) Select the desired snapshot to apply
4) Click on the blue camera icon with arrow to "restore snapshot"
5) Click Restore

Optionally, if you ever want to remove a snapshot, simply use the icon with a red X. This will remove data files to eliminate wasted space, but you cannot restore to that image once removed. It will not impact the current machine state. Many users remove old, redundant snapshots after creating newer clean machines.

VMWare Use of Snapshots (VMWare Workstation or Fusion, NOT Player)

1) Completely shut down the Virtual Machine
2) In the VMWare Menu, click on the Snapshots button in the upper right
3) Click on the camera icon to "take" a snapshot
4) Create a name and any notes to remind you of the state of the machine, such as "New Install"
5) Click Take

You can now use your virtual machine as normal. If you ever want to revert to the exact state of the machine that existed at the time of the snapshot, follow these instructions:

1) Completely shut down the Virtual Machine
2) In the VMWare Menu, click on the Snapshots button in the upper right
3) Select the desired snapshot to apply
4) Click on the camera icon with arrow to "restore" a snapshot
5) Click Restore

Optionally, if you ever want to remove a snapshot, simply use the "delete" icon. This will remove data files to eliminate wasted space, but you cannot restore to that image once removed. It will not impact the current machine state. Many users remove old, redundant snapshots after creating newer clean machines.

It is suggested to enable VMware autoprotect snapshots, set to daily, and limit the snapshot count to 3. Autoprotect snapshots are an easy way to always have a snapshot to revert to. The following steps will enable this feature.

1) Select the virtual machine and select VM > Settings
2) On the Options tab, select AutoProtect and select Enable AutoProtect
3) Select the "Daily" interval between snapshots
4) Select the maximum number of AutoProtect snapshots to retain (Recommended "3")
5) Select OK to save your changes

After the maximum number of AutoProtect snapshots is reached, Workstation deletes the oldest AutoProtect snapshot each time a new AutoProtect snapshot is taken. This setting does not affect the number of manual snapshots that you can take and keep.

Yubikey Notes

You can use a Yubikey as a second factor for login to your Virtual Machine. Take a snapshot of the working machine first (see Usage Notes above) so you can revert if the login stops working:

VirtualBox (Stable):

In the Buscador Terminal, copy/paste each line and press Enter:

    wget "https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/69-yubikey.rules" -O /tmp/69-yubikey.rules
    wget "https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/70-yubikey.rules" -O /tmp/70-yubikey.rules
    sudo mv /tmp/69-yubikey.rules /etc/udev/rules.d/69-yubikey.rules
    sudo mv /tmp/70-yubikey.rules /etc/udev/rules.d/70-yubikey.rules

Shut Buscador down completely
Insert Yubikey into computer
VirtualBox > Settings > Ports > USB > Click the icon with the green "+", select Yubikey, click OK
Remove Yubikey
Start Virtual Machine, boot completely into Buscador
Insert Yubikey
Attach the Yubikey in VirtualBox > Devices > USB > Yubikey
In the Terminal, type:
wget "https://raw.githubusercontent.com/beast-fighter/saves_the_day/master/activate_yubikey.sh"
chmod +x activate_yubikey.sh
./activate_yubikey.sh
When prompted, press Enter
When prompted to “Commit”, type y and hit Enter
Shut down Buscador completely
Remove Yubikey
Restart system, try to login with Yubikey (Fail)
Insert Yubikey, Login (Success). You may need to try the password twice

VMWare (Experimental):

In the Buscador Terminal, copy/paste each line and press Enter:

    wget "https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/69-yubikey.rules" -O /tmp/69-yubikey.rules
    wget "https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/70-yubikey.rules" -O /tmp/70-yubikey.rules
    sudo mv /tmp/69-yubikey.rules /etc/udev/rules.d/69-yubikey.rules
    sudo mv /tmp/70-yubikey.rules /etc/udev/rules.d/70-yubikey.rules

Shut Buscador down completely
Insert Yubikey into computer
Open the .vmx file of your VMware image in a text editor
Add the following at the end of the .vmx file: usb.generic.allowHID = "TRUE"
Save the .vmx file
Start Buscador
Go to USB devices in the VMWare Menu and click on the Yubico.com device.
In the Terminal, type:
wget "https://raw.githubusercontent.com/beast-fighter/saves_the_day/master/activate_yubikey.sh"
chmod +x activate_yubikey.sh
./activate_yubikey.sh
When prompted, press Enter
When prompted to “Commit”, type y and hit Enter
Shut down Buscador completely
Remove Yubikey
Restart system, try to login with Yubikey (Fail)
Insert Yubikey, Login (Success). You may need to try the password twice

USB Live Boot

Every online investigation computer should have a selection of removable operating systems ready to boot at any time. While optical media such as compact discs could be used to boot a computer, creating bootable USB devices is the easiest and most robust solution. The general premise of this method is to create a USB drive that can be used to boot an entire operating system from itself. After completing these instructions, you will have a USB drive the size of a quarter that possesses its own operating system, custom browser, investigation extensions, and Android emulator. Insert it into practically any computer and receive a fast and secure solution to online investigations.

Requirements:

A computer capable of booting to USB. This can be Windows or Mac OS X hardware (Macs are preferred), and most computers made in the past 10 years will work. You may need to hold down a specific key on your keyboard while booting to force the machine to boot to the USB drive. On Apple computers, it is the Alt/Option key. On many Windows machines it is a function key such as F2, ESC, or DEL.

A small USB 3.0 drive. I prefer the Sandisk Ultra Fit 16GB drive (LINK). You will also need a USB 3.0 port on your computer. Windows ports are often blue in color while Apple ports are not. This WILL work on older ports, but may be too slow to be useful.

A micro USB Wi-Fi adapter (Link). While you may already have native network access, the new operating system may not recognize your drivers. This $10 piece of hardware ensures a working system without configuration.

The Buscador Linux operating system ISO. The user name and password are both OSINT.

Windows Users: A program called Rufus (LINK).

Mac Users: A program called Etcher (LINK).

Instructions:

1) Insert your desired USB drive that will be overwritten.
2) Execute the Rufus or Etcher program and choose your USB drive.
3) Choose a partition scheme of “MBR … for BIOS or UEFI Computers” (Rufus).
4) Click the button similar to a CD and choose the appropriate ISO file that you downloaded (Rufus).
5) Click “Start” and allow the process to complete.
6) Reboot the computer and select the USB drive upon boot sequence.


Download 1.2

Buscador for VMWare:

Version: 1.2
Release: March 2018
GDrive Download
(Faster; ova file)
Direct Download (Rename zip to ova)
Checksum (MD5):
8c1e7d732178c19b4d3929243819d46f

This is an OVA file that should work in any version of VMWare, including Workstation, Fusion, and Player.

Buscador for VirtualBox:

Version: 1.2
Release: March 2018
GDrive Download
(Faster; ova file)
Direct Download (Rename zip to ova)
Checksum (MD5):
1368b69a3ad6af421a3ecae670fe8bc1

This is an OVA file that should work in any version of VirtualBox, including Windows, Mac, and Linux.

Buscador ISO:

Version: 1.2
Release: March 2018
GDrive Download
(Faster)
Direct Download (Rename zip to iso)
Checksum (MD5):
bf8d03c328ce99f868f468303b8bd785

This is an ISO file that can be used as a bootable USB or direct install.
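Before importing or booting any of the three images, compare the downloaded file against the MD5 value listed for it. The following POSIX shell script is an added example, not part of the original page; the checksums are the ones listed above, while the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Expected MD5 checksums for the 1.2 release, copied from the download list above.
BUSCADOR_VMWARE_MD5="8c1e7d732178c19b4d3929243819d46f"
BUSCADOR_VBOX_MD5="1368b69a3ad6af421a3ecae670fe8bc1"
BUSCADOR_ISO_MD5="bf8d03c328ce99f868f468303b8bd785"

# Print the MD5 of a file, using md5sum (Linux) or md5 (macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_image FILE EXPECTED_MD5
# Returns 0 when the file's MD5 matches the expected value,
# 1 on a mismatch (printing both values), 2 if the file is missing.
verify_image() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK  $file"
        return 0
    fi
    echo "MISMATCH $file: expected $expected, got $actual" >&2
    return 1
}

# Usage (assumed file names): check the direct-download VirtualBox image and only
# then rename it from .zip to .ova, as the download notes above describe.
# verify_image Buscador.zip "$BUSCADOR_VBOX_MD5" && mv Buscador.zip Buscador.ova
```

A mismatch means the download is incomplete or altered; fetch it again rather than importing it.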

1.2 Change Log:

Updated Operating System
Updated Browsers and Extensions
Updated All OSINT Utilities
Added EyeWitness
Added Sublist3r
Added Aquatone
Added MAT
Added KeePassXC (Replacement)
Added VLC
Added LibreOffice
Added PDF Viewer

Update Scripts!

In Terminal:

sudo update_scripts

Support & Updates

While we do not offer technical support for Buscador, the IntelTechniques forums have a dedicated discussion group about usage of the system. Please post any questions there. All updates since the latest release will be posted there.

NEW OSINT GUIDE!

The Sixth Edition of the book on internet search techniques is now available. Click the book below for details.

Online Training

You can order your online video training with any credit card right now and receive unlimited access to our entire catalog! These courses, with over 270 videos, replicate our entire arsenal of live training resources. Click below for details and pricing.