Mandrake - RedHat - Linux ??
Several years ago I completed a training using Linux Caldera. For those who are using Linux for computer forensics: which one are you using, and why?
I just love the way the portage system works, makes for relatively easy package management. I'm not saying it's perfect but for me it is very close. The support forum is excellent and there is a wealth of documentation from Gentoo's homepage. I don't just use it for forensics, I also use it for pentesting and have also deployed it on a number of servers.
I quickly got fed up with dependency errors on Red Hat and other systems.
I would recommend SMART Linux http://www.smartforensics.net and SMART for Linux http://www.asrdata.com. There's also the FARMER's boot CD http://www.crazytrain.com. These are built for pure Linux forensics by people who understand fully the power of the OS for that purpose.
Kudos to Andy Rosen and Thomas Rude :-)
There's also the Helix LiveCD from e-fense. It even allows you to pop it into a running Win machine and have access to a number of tools.
On the Linux side, they are quietly building a fairly solid suite of open source GUI tools. Plus it had pyFLAG and Autopsy etc.
It's based on Knoppix, so if you install it to your HD, you can use apt-get to install additional software. As a live CD, you can use Klik to install apps to a thumb drive or something.
SANS are using Fedora Core 4, on track 8, for teaching purposes with VMware and an XP image.
As a result that is the way I am operating now with Sleuthkit and Autopsy installed. Helix is a great tool and the new version is due out today.
SMART Linux is the only distribution of Linux designed from the ground up for Data Forensics work. If you're looking to use a Linux distribution on your laptop, attack box, etc. for Data Forensics work then SMART Linux is the only one I recommend. Everything about the SMART Linux environment has been optimized and designed for day-to-day forensics work. You can find out more at www.asrdata2.com
(BTW Jon, kudos to you for referencing those links! LOL)
It helps to understand what comprises your Linux boot CD (kernel, desktop, file manager, etc.) before you use it outside of your lab.
Hi Farmerdude, I use Linux SUSE 10, but want to make it forensically sound (i.e. not automount devices such as USB drives, attached HDDs, etc.). I have SMART and want to use it on this machine. Can you offer any advice?
I'm not an expert on SMART so these are just my thoughts, but if you are using it as a bootable distribution from floppy then you'll be running from the optimised kernel and packages contained on the floppy disk, in which case your SUSE distro shouldn't be touched or even booted. If you intend to install SMART onto your workstation then you'll either boot into this via a dual-boot set-up or wipe your SUSE distro off. Either way, using SMART should bypass your forensically non-friendly SUSE, unless you want to modify SUSE itself and model it on SMART, in which case you'll have to embark on a complicated project to modify the entire distro.
You'll have a bit of work to make Suse 10 forensically sound. Patch and compile the kernel, tweak the desktop settings, review the programs installed and tweak them as well.
My advice would be to drop in the SMART Linux Boot CD and test it. If you like it, I would install it. If not, I would start tweaking :)
BTW, I haven't reviewed Suse 10 in depth, so I don't have step-by-step to make it forensically sound.
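Whichever distro you end up on, the quickest check that it did not quietly automount an attached drive is to read the mount table. The script below is an added example for this thread, not code from SMART, Helix or any poster: it parses a /proc/mounts-style table (the sample tables are constructed) and flags every block device mounted without the ro option, apart from the system mount points you list as allowed.

```shell
#!/bin/sh
# Added example, not code from this thread or from any distribution named in it.
# Audits a /proc/mounts-style table and reports block devices (/dev/...) that
# are mounted read-write, other than the system mount points passed as allowed.
# On an evidence workstation an attached drive should show up only with "ro",
# or not at all when automounting is disabled.

# Constructed sample tables (not captured from a real system).
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw,noatime 0 0
proc /proc proc rw 0 0
/dev/sdb1 /media/usbdisk vfat rw,nosuid,nodev 0 0
/dev/sdc1 /mnt/evidence ext3 ro,noatime,noexec 0 0'

CLEAN_MOUNTS='/dev/sda2 / ext3 rw,noatime 0 0
proc /proc proc rw 0 0
/dev/sdc1 /mnt/evidence ext3 ro,noatime,noexec 0 0'

# rw_block_mounts TABLE [ALLOWED_MOUNTPOINT...]
# Prints "BAD <device> <mountpoint>" for each offending entry; prints nothing
# when every /dev/ mount outside the allowed list carries the "ro" option.
rw_block_mounts() {
    table=$1
    shift
    allow=" $* "   # space-padded so " / " matches only the exact mount point
    printf '%s\n' "$table" | awk -v allow="$allow" '
        $1 ~ /^\/dev\// && index(allow, " " $2 " ") == 0 {
            n = split($4, opt, ",")
            ro = 0
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) print "BAD", $1, $2
        }'
}

# mounts_are_safe TABLE [ALLOWED_MOUNTPOINT...]: exit status 0 when nothing is flagged.
mounts_are_safe() {
    [ -z "$(rw_block_mounts "$@")" ]
}

# Run with --live to audit the machine you are sitting at instead of the sample.
if [ "${1:-}" = "--live" ]; then
    rw_block_mounts "$(cat /proc/mounts)" / /boot /home
else
    rw_block_mounts "$SAMPLE_MOUNTS" /    # prints: BAD /dev/sdb1 /media/usbdisk
fi
```

The allowed list is only for the partitions the OS itself lives on; anything else that turns up read-write is exactly what "forensically sound" is meant to rule out.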
Thanks fatrabbit & farmerdude, it sounds too complicated to try and tweak SUSE 10, so I'll take your advice and give it a miss. I don't have the SMART boot CD iso. I got my licence of SMART when I won a 'forensic' competition (a licenced copy of SMART was the first prize). I'll email Andrew and see if I'm entitled to get the iso for it.
Andy, out of curiosity what was the competition that you won?
Farmerdude, have you made a review of SuSE 9.2?