When a cyber incident strikes, time becomes critical: you need to move fast and "drift" into action, reaching the scene before digital traces fade away. DRIFT Linux is the portable lab to keep in your trunk, ready to respond anywhere, at any time.
DRIFT is a system specifically designed for the needs of Digital Forensics and Incident Response, created to provide professionals with a lean, flexible, and ready-to-use operating environment. Built to adapt to different scenarios and needs, including through multiple editions, it combines usability and robustness with a strong focus on the preservation of digital evidence: devices are handled in read-only mode by default from the earliest stages of the kernel boot process, minimizing the risk of unintended alterations during acquisition and initial analysis activities.
Forensics Ready
Flexible
DFIR Toolkits
Stable
Ready to Use
Evidence Preservation
DRIFT OS is trusted worldwide by a growing community and an expanding network of contributors and partners.
Solid Drive & Device Integrity
Linux Kernel With Secure Boot support
Multiple variants for your multiple needs
Different tools for different needs, always within ISO reach
DRIFT brings together two layers of wordplay. On one side, it draws on the English word "drift", evoking the idea of moving fast, reacting quickly, and getting there in time when a cyber incident occurs or a forensic acquisition is needed. On the other, the name also echoes, in a reworked form, the concept of DFIR Toolkits, bringing together Digital Forensics and Incident Response tools within a single operational environment.
DRIFT Linux is Secure Boot Ready, which means it can boot even on systems with Secure Boot enabled, without requiring it to be turned off. This makes the distribution easier to use on modern hardware while preserving a live environment that is ready to go.
DRIFT Linux includes the classic tools used for live acquisition, such as Guymager and ewfacquire. Proven tools, still highly relevant today, ready to use and kept up to date with the latest versions.
DRIFT Linux includes tools for complete web acquisitions. It captures network traffic, TLS decryption keys, and screen recordings, and uses archiveweb.page to preserve web pages as WACZ and WARC archives, capable of faithfully reproducing browsed content. Everything can then be timestamped with OpenTimestamps.
DRIFT Linux includes internally developed tools to manage mounts and monitor disk status effectively. It simplifies the analyst's workflow by continuously showing the write-block status of devices, both inside the system file manager and through dedicated tools. The system also performs security checks on disks from the very first stage, helping ensure safe operations without altering digital evidence.
DRIFT Linux already includes native tools to decrypt Microsoft BitLocker volumes, allowing them to be examined safely in read-only mode during the acquisition phase itself. Additional decryption modules will be introduced in future releases.
Data preservation is a critical requirement during forensic analysis. DRIFT Linux enforces a strict safeguarding policy for all connected devices, including hard drives and USB media such as tablets and smartphones. From system boot and throughout the entire execution, DRIFT verifies and ensures connected devices remain strictly in read-only mode. Furthermore, the system clock is also protected: you can freely adjust the OS timing for analysis purposes without ever altering or overwriting the underlying hardware clock (RTC).
DRIFT Linux features its own dedicated and prioritized repository alongside the standard Ubuntu one, with SNAP removed. This provides the broad compatibility of the Ubuntu ecosystem while preserving a solid, coherent, and stable forensic environment.
No, they are two distinct projects but linked by a close family tie. DRIFT Linux was conceived by Massimiliano Dal Cero as a personal spin-off of Tsurugi Linux. The two projects will be independent but will continue to be developed in parallel, and the maintainers of DRIFT will continue to be actively involved in both with mutual influence.