I've searched through the forums for any mention of BartsPE but didn't get any hits. Is this a tool that this group is aware of? If not you might want to take a look at the link that I have provided. It will allow you to bootup a PC from the CD/DVD or flash memory and gives you access to the harddrive without having to boot from the harddrive.
True, but I'm not sure what the benefit of this is from a forensic standpoint.
First off, if you boot to another operating system, you lose a lot of valuable volatile data.
Second, what benefits does this have over using bootable Linux CDs? With those, you don't have issues with EULAs.
Don't get me wrong…I can see how this would be useful for rescuing a system, but from a forensic analysis perspective, I'm not sure on what benefits this gives over what's already available.
Have used the BartsPE CD on many occasions but only for data recovery or removing a rootkit from an infected system.
The BartsPE disk is very customizable. I haven't had a need to customize the PE CD with the forensic tools since HELIX does the job.
My testing revealed that BartPE is not "forensically sound" when you use it to boot up a system with a Windows OS on the hard disk.
It mounts the drive read/write, assigns drive letters and twiddles with the Recycle Bin etc. Before I discovered Helix, I had done a little research (with no success) on how to prevent BartPE from messing with the evidence drives, or at least mount them read-only.
I agree that it is good for booting a system to fix it, virus scanning etc., but there are better forensics tools available.
I've used it to recover data from one of my corrupt VMware machines but nothing too serious. I do have a copy with a bunch of tools also loaded on it in case my machine decides to die when I'm onsite at a client (doing other security work).
It's not bad, but I couldn't see using it for forensics.