Overview of Computer Forensics Linux Distributions
What is a Live CD?
A live CD/DVD/Disk contains a complete bootable Operating System that runs in a computer’s memory, rather than loading from the hard disk. The CD itself is read-only. They allow the user to run an OS for any purpose without installing or making any changes to the computers configuration.
For Computer Forensics, this is a great method so that the computer’s configuration or any other data on it is not compromised and detailed analysis still can run on top of it.
Learn Digital Forensics
In this regard, both Linux and Windows based distributions can be utilized, and are further described as follows:
List of Live Distributions for Computer Forensics
- ALT Linux Rescue: It is designed to help sysadmins fix and repair different kinds of problems such as resize partitions, recover files and partitions, optimize file system usage, etc. It can be found at: https://en.altlinux.org/Rescue
- BackBox Linux: It is an Ubuntu based distro created for Forensic and Penetration Testing purposes. It is fast and easy. Having its own software repositories, it is fast, easy and provides minimal yet complete desktop environment. It can be found at: http://www.backbox.org/
- BlackArch Linux: It is based on Arch Linux and is used for Forensics and Penetration Testing purposes. Its repository contains 1806 different tools which helps the user in the above mentioned practices. It can be found at: https://blackarch.org/
- CAINE: Computer Aided Investigative Environment or as its popularly known as CAINE is an Italian GNU/Linux based Live distro created for Digital Forensics. It offers a complete forensic environment and can integrate existing softwares and modules. It can be found at: http://www.caine-live.net/
- DEFT: Digital Evidence and Forensics Toolkit or commonly known as DEFT is a distro made for Digital Forensics with the purpose of running on a Live CD. It is based on GNU/Linux. It uses LXDE as desktop environment and WINE for executing Windows tools. It can be found at: http://www.deftlinux.net/
- GRML-Forensic: It is a system designed for forensic investigations and data rescue tasks. Its main purpose is to acquire user data. It can be found at: https://grml-forensic.org/
- Helix3/Helix3 Pro: Helix focuses on Incident Response and forensics tools. It is used by individuals who have a sound understanding of Incident Response and forensic techniques. However, according to its support blog, the free version, Helix3, would not be getting any updates anymore. Helix3 Pro is its commercial paid version. It can be found at: http://www.e-fense.com/
- Kali Linux: Kali Linux is the most widely used Operating System by security professionals. It’s previous version, BackTrack, made a mark on the industry. It provides tools for Computer Forensics as well as Penetration Testing. Its Forensic Mode was first introduced in BackTrack. It can be found at: https://www.kali.org/
- MacQuisition: It is a powerful 3-in-1 solution for live data acquisition, targeted data collection, and forensic imaging. It runs on Mac OSX and acquires data from over 185 different Macintosh computer models in their native environment. It is a paid software. It can be found at: https://www.blackbagtech.com/software-products/macquisition.html
- Matriux: Based on Debian, it is a fully featured security distro. It consists of more than 300 open source and free tools that can be used for various purposes such as Penetration Testing, Computer Forensics, Ethical Hacking, etc. It can be found at: http://www.matriux.com/index.php?language=en
- Parrot OS: It based on GNU/Linux and was designed with cloud penetration testing and IoT security in mind. It also includes a full portable lab for security and digital forensics. It also provides everything a user would need to develop his/her own security tools and protect their privacy with anonymity and crypto tools. It can be found at: https://www.parrotsec.org/
- Pentoo Linux: Based on Gentoo, it is a security-focused Live CD. It consists of lot of customized tools, customized kernel, etc. It is essentially, Pentoo is Gentoo with the Pentoo overlay. It can be found at: http://www.pentoo.ch/
- PlainSight: It is a computer forensics environment that allows beginners in the field perform common tasks using powerful open source tools. It can be found at: http://www.plainsight.info/
- Safe Boot Disk: It is designed to boot any Intel based computer into a forensically sound Microsoft Windows environment. All disks attached are, fixed and removable, are write-blocked using the SAFE software write-blocking engine during boot time. It can be found at: https://www.forensicsoft.com/help/SAFE_Boot1-1/
- SMART Linux: It has been developed for Data Forensics, Electronic Discovery and Incident Response. It can be found at: http://www.asrdata.com/forensic-software/smart-linux/
- Urix OS: Formerly NetSecL, it is a security-focused distro based on OpenSUSE. It consists of tools for Penetration Testing and Computer Forensics. It can be found at: http://urix.us/
- WinFE: Windows Forensic Environment or WinFE was created by simply adding two registry keys to the Windows Vista Pre-Installation Environment 2.0. These keys prevented the auto-mounting of some of the volumes at boot time, which then allowed the creation of a rudimentary Microsoft based forensic boot Live CD. It can be found at: http://www.ramsdens.org.uk/index.html
Forensic Live CD Issues
The main aim of performing a forensics investigation is to extract as much as information about the affected system to determine the root cause of infection/attack. The process of extracting information from the target involves one crucial step i.e. the tools used by investigator should not tamper with affected system memory in any way. Live CDs used to be one of the most popular choice for forensics investigations. However, they are certain pitfalls of using a Live CD.
- Journaling file system issues
- Auto mount of block devices
- Failure to properly write protect
Journaling file system issues
Journaling File System is a file system which keeps track of the changes which are yet to be committed to the file system. It plays a critical role in recovering filesystem to its working state in case of power failure or system crash. In case of forensics investigations, when mounting/unmounting journaling file systems with read only flags using a Live CD, a number of writes may occur to the filesystem, resulting in tampering of memory evidence.
Auto mount of block devices
When booting an evidence system from a Live CD, a number of initrd scripts gets executed in order to create a temporary root file system. However, this will also result in several writes to the filesystem resulting in tampering of evidence data. This can occur for several reasons such as execution of hardware detection scripts during boot time, mounting file system in read-only mode while creating a temporary root file system etc.
Failure to properly write protect
Some distributions rely on device blocking scripts to set the underlying blocking devices of file systems to read only mode. However, there are certain downfalls to this approach, as read-only mode will only protect the filesystems memory from the process running under user space, but the driver code running under kernel space can still modify the filesystem memory.
Conclusion
Overall, this article has examined the use of Live CD’s as a primary means to help aid in any kind or type of Forensics Investigation, as it relates to either a computer or a wireless device. It is important to note that these tools should not be relied upon solely, rather; they should be used in conjunction with other Forensics based tools. The general security issues with Live CDs were also examined. In this regard, the use of a Live USB will address some of these issues.
Keep in mind that as new Live CDs come out, their primary intention is to evaluate new software and related applications. They are not meant nor designed to be high level Security tools. Rather, they can be used at a lower level of Security, such as removing malware, imaging a hard drive, and even conducting system recovery procedures.
Learn Digital Forensics
Other potential, future uses of Live CDs include the testing and evaluation of new software applications, new hardware configurations, creating new passwords (in a manner similar to that of a Password Manager), and even screening a network infrastructure for any types of general vulnerabilities as well as clustering different groups of servers and computers together.
In this Series
- Overview of Computer Forensics Linux Distributions
- Digital forensics and cybersecurity: Setting up a home lab
- Top 7 tools for intelligence-gathering purposes
- iOS forensics
- Kali Linux: Top 5 tools for digital forensics
- Snort demo: Finding SolarWinds Sunburst indicators of compromise
- Memory forensics demo: SolarWinds breach and Sunburst malware
- Digital forensics careers: Public vs private sector?
- Email forensics: desktop-based clients
- What is a Honey Pot? [updated 2021]
- Email forensics: Web-based clients
- Email analysis
- Investigating wireless attacks
- Wireless networking fundamentals for forensics
- Protocol analysis using Wireshark
- Wireless analysis
- Log analysis
- Network security tools (and their role in forensic investigations)
- Sources of network forensic evidence
- Network Security Technologies
- Network Forensics Tools
- The need for Network Forensics
- Network Forensics Concepts
- Networking Fundamentals for Forensic Analysts
- Popular computer forensics top 19 tools [updated 2021]
- 7 best computer forensics tools [updated 2021]
- Spoofing and Anonymization (Hiding Network Activity)
- Browser Forensics: Safari
- Browser Forensics: IE 11
- Browser Forensics: Firefox
- Browser forensics: Google chrome
- Webinar summary: Digital forensics and incident response — Is it the career for you?
- Web Traffic Analysis
- Network forensics overview
- Eyesight to the Blind – SSL Decryption for Network Monitoring [Updated 2019]
- Gentoo Hardening: Part 4: PaX, RBAC and ClamAV [Updated 2019]
- Computer forensics: FTK forensic toolkit overview [updated 2019]
- The mobile forensics process: steps and types
- Free & open source computer forensics tools
- An Introduction to Computer Forensics
- Common mobile forensics tools and techniques
- Computer forensics: Chain of custody [updated 2019]
- Computer forensics: Network forensics analysis and examination steps [updated 2019]
- Computer Forensics: Overview of Malware Forensics [Updated 2019]
- Incident Response and Computer Forensics
- Computer Forensics: Memory Forensics
- Comparison of popular computer forensics tools [updated 2019]
- Computer Forensics: Forensic Analysis and Examination Planning
- Computer forensics: Operating system forensics [updated 2019]
- Computer Forensics: Mobile Forensics [Updated 2019]
- Computer Forensics: Digital Evidence [Updated 2019]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Digital forensics
Digital forensics
Digital forensics
Digital forensics