:: Forensics :: option
For a long time now, Linux Live CDs have been very useful for forensic acquisition purposes in instances where for one reason or another you can’t utilize a hardware write blocker.
When configured not to automount drives, and a little bit of know how, a Linux Live CD can be a wonderful software write blocker.
For a Linux live CD to be considered for this purpose however, it is of the utmost importance that the use of the live CD in no way alters any data in any manner.
For a Linux live CD to be considered for this purpose however, it is of the utmost importance that the use of the live CD in no way alters any data in any manner.
In the past, this ruled out the use of certain distros for forensic purposes.
A normal distro would automount available drives and utilize swap partitions where available.
This could cause all sorts of havoc, changing last mount times, altering data on disk, and so on.
This could cause all sorts of havoc, changing last mount times, altering data on disk, and so on.
A special Live CD must have incorporated changes to allow a boot mode which is forensically clean. So, lets have the scoop. Forensic people are often detail oriented and very conservative, so how do we know it is safe to use?
Well, first off the Live CD must be based off of Casper, and the forensic boot mode must contains no filesystem automount scripts at all.
The system initialization scripts must have been altered in the forensic boot mode so that the forensics Linux will not look for or make use of any swap partitions which are contained on the system.
All those scripts must have been removed from the system.
Verification
To test this functionality, we must test this boot mode with multiple hardware configurations.
For each test, we must take a before MD5 snapshot of the system disks, boot the Linux LiveCD in forensic boot mode, verify if no file systems were mounted and swap is not in use, do a number of activities on the system, then shut the system back down and take an after MD5 snapshot.
In comparing the two MD5 snapshots, in every case they must match, demonstrating no changes on the disks has been made.
So, can you trust a certain forensic Linux for your forensic purposes?
Just like any forensic tool, its negligent to just take someone else’s word that any tool works properly. Its up to you to independently verify the tool before you use it.
Usage
When you utilize Linux for forensics purposes, be sure you don’t let it go through an unattended boot.
It is highly suggested that you become familiar with Linux before use this, or any other Linux Live CD for any forensic purpose. Also, be sure to check out the additional forensic tools added to the distribution.
Linux Forensics Tools Repository
Linux Forensics Tools Repository
No comments:
Post a Comment