
"Best" Linux distro for forensics work?

19 Posts
11 Users
0 Reactions
2,350 Views
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter  

Greetings,

I've been using CentOS for quite awhile for a lot of non-forensics projects but am considering changing distros since CentOS doesn't support NTFS directly. You can get all the pieces to make it work, but I'd really prefer to use something with NTFS on board, out of the box, in this case.

Are there any distros which work better for forensics work than others? Good developer support, full range of packages, stable, etc …..

Thanks.

-David


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Google says

http://securedvd.org/distros.html
http://biatchux.dmzs.com/
http://www.darknet.org.uk/2006/03/10-best-security-live-cd-distros-pen-test-forensics-recovery/
http://www.e-fense.com/helix/


(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter  

Greetings,

Ahh. 'tis a good list of Linux based environments contained on a CD or DVD, but I was thinking more about what we should have back in the lab. We're running Windows XP on most of the forensics stations and that provides a stable, flexible analysis environment. What Linux distro should we consider for use in a manner similar to XP? We'll end up running many of the tools found on the distributions you referenced, but will be updating them and adding to them.

Some of this, by the way, comes out of reading your (keydet89's) book. I'm much more comfortable with Perl in a Linux environment so I want to be able to do a lot of my scripting, tool development, and analysis on Linux when it makes sense.

-David


(@stumpy)
Eminent Member
Joined: 19 years ago
Posts: 23
 

I am not a Linux guru by any means, but for a noob I suppose SuSe is as good a choice as any. YAST gives you the ability to seamlessly install apps. I have tried a few distros, but most of the time in the lab I want to be able to quickly install apps without having to spend time configuring them, and YAST seems to fit the bill for me. The Novell deal with Microsoft (whilst understandably annoying more than a few people in the open source and Linux community) suggests even greater interoperability with Windows in the future. On top of this, I believe that the SuSe installation DVDs are bundled with more software than any other.

I guess it all comes down to experimenting with different distros and seeing what works for you personally.


(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

Good developer support, full range of packages, stable, etc

My preferences would be Helix, Farmers Boot CD and SMART Linux.

Helix has support for NTFS and is currently based on Debian. The other two are based on Slackware.

Please note that SMART now with its most recent release has Ubuntu as its distro base. Personally I'm not keen on the first release (Apologies Andrew) having said that it is early days. Ubuntu would appear to be a sensible choice providing the distro has been remastered correctly with forensics in mind. IMHO Ubuntu has considerable investment with direction towards hardware support which can not be ignored.

I personally use Gentoo because I find it very effective when maintaining the system. The package management, although frustrating at times, is extremely flexible. Inevitably I always end up recompiling any kernel, no matter which distro, to strip out unnecessary drivers and include features useful for forensics; again I find Gentoo suitable for this purpose.

Slackware is a very clean distro but I've found it to be lacking in resources in respect of packages.

Although I've never tried Archlinux I've heard positive things about it and I would be tempted to try it out. However for the time being I'm still very much happy with Gentoo.

I guess it all comes down to experimenting with different distros and seeing what works for you personally.

What stumpy says.


 kern
(@kern)
Trusted Member
Joined: 20 years ago
Posts: 67
 

kovar

The bit you missed off the end of your 'required' list was training.
I would concur strongly with echo6 as the distros mentioned (Farmerdude, Helix, SMART) do offer such.

Most people using linux are happy to bimble along experimenting as they go.

This is not something to be recommended if you have to justify your findings before a court. Google 'kernel forensics linux' to get a flavour of why.

wrt echo6's other comment:
I use Arch and have done for a couple or more years. I love it. The package management system is a delight to use.

Used Gentoo briefly myself, and it's very worthy of consideration. The community is great and the helpfile/wiki system is awesome. I just went the Arch way as it felt more comfortable for me at the time.

With distros like Arch (and Gentoo) being described as bleeding edge, maybe it's more important that you know what, why, and how you are setting it up and using it rather than what's available out of the box. Will you / are you capable of recompiling packages to suit yourself if the latest version hasn't hit the repositories yet? What about the kernel?

Thinking on, it's probably more so for those distros that are precompiled, ready for use "out of the box". Does anyone else remember dependency (rpm) hell?

Kern


(@ted_smith)
Active Member
Joined: 18 years ago
Posts: 8
 

DEFT - Digital Evidence Forensic Toolkit - www.stevelab.net/deft/ a nifty Linux Forensics CD which may be installable (not sure).

Also, if using Ubuntu, there's a package called APT-ONCD (as in APT packages on CD) that enables you to clone all the installed packages of one Ubuntu machine and distribute them to all your others. So you can set one up for use with Linux and then effectively clone its packages.

http://aptoncd.sourceforge.net/

Ted


 kern
(@kern)
Trusted Member
Joined: 20 years ago
Posts: 67
 

Ted ..

Can't get that link to do anything but bring up an adverts page.
( www.stevelab.net/deft/ )
Maybe try (http://deft.yourside.it/)
and
(ftp://137.204.236.163/)

Grabbed it a while back, but it wouldn't install on my system. Not sure whose problem though, mine or the vendor's. Thanks for the reminder, I'll be sure to try again.

Kern


(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter  

Good morning,

I've been using Unix since BSD 4.0 running on a VAX so rebuilding kernels and the like isn't a problem. Sorting out RPM hell is second nature by now, and even the good package management systems can leave you in a bad state so that skill stays current.

I'm pleased to hear that Ubuntu has matured. I used it awhile back and it was a nightmare to find packages for it. I'd not even heard of Arch and will go check it out.

Thank you all quite a bit.

-David


(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

I've been using Unix since BSD 4.0

In which case, if you are familiar with ports package management then you should feel very much at home with Gentoo, especially with its portage package management system, including its baselayout, which is based heavily on BSD thanks to Gentoo's founder Daniel Robbins, who brought many of his ideas over from BSD.

Admittedly Gentoo is not the fastest system to install, although the latest versions have made it easier for novices. There is, however, Sabayon Linux, which is Gentoo based and can allow you to set up and install a Gentoo based Linux system very quickly. As with Ubuntu and many other modern distros, you need to take steps to disable many of the features which make it easier for users, e.g. media handling etc.

Oh! Yes, I do recall rpm dependency hell!! My first Linux baby steps were with Red Hat 5.2, and I used Red Hat until it went to Fedora Core. In order to get a better understanding of Linux I forced myself through an endeavor with a stage 1 Gentoo install. I learnt a great deal from the experience and would thoroughly recommend a similar approach to anyone new to Linux, especially forensic investigators, i.e. get comfortable with a popular distro then dive in at the deep end with a Gentoo install following their installation docs.


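Two checks that follow from this thread, as an added example written for this page and not code posted by any of the participants: whether a distro has NTFS "on board" (David's original requirement), and whether an evidence volume ended up mounted read-only or was grabbed read-write by the desktop media handling echo6 says to disable. The /proc snapshots below are constructed samples; pass no path to run the functions against the live /proc/filesystems and /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the thread). Both functions take the table file as a
# parameter so they run against constructed snapshots as well as the live /proc.

# Exit 0 if the kernel's filesystem table lists an NTFS driver: in-kernel
# ntfs/ntfs3, or fuseblk, which the ntfs-3g userspace driver registers.
has_ntfs_support() {
    fs_table=${1:-/proc/filesystems}
    # /proc/filesystems lines: "nodev <name>" for pseudo filesystems, "<tab><name>" otherwise.
    awk '{ name = ($1 == "nodev") ? $2 : $1 }
         name == "ntfs" || name == "ntfs3" || name == "fuseblk" { found = 1 }
         END { exit (found ? 0 : 1) }' "$fs_table"
}

# Exit 0 = mounted read-only, 1 = mounted read-write, 2 = not mounted at all.
evidence_mount_is_ro() {
    mp=$1
    mounts_table=${2:-/proc/mounts}
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk -v mp="$mp" '
        $2 == mp { seen = 1; n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
        END { if (!seen) exit 2; exit (ro ? 0 : 1) }' "$mounts_table"
}

# Constructed snapshots standing in for /proc/filesystems and /proc/mounts.
SAMPLE_DIR=$(mktemp -d)
printf 'nodev\tsysfs\nnodev\tproc\n\text4\n\tfuseblk\n' > "$SAMPLE_DIR/filesystems"
printf 'nodev\tsysfs\nnodev\tproc\n\text4\n\tiso9660\n' > "$SAMPLE_DIR/filesystems.nontfs"
{
    printf '/dev/sda1 / ext4 rw,relatime 0 0\n'
    printf '/dev/sdb1 /mnt/evidence fuseblk ro,nosuid,nodev,noexec,relatime 0 0\n'
    printf '/dev/sdc1 /media/user/USB_DISK fuseblk rw,nosuid,nodev,relatime 0 0\n'
} > "$SAMPLE_DIR/mounts"

if has_ntfs_support "$SAMPLE_DIR/filesystems"; then echo "NTFS: on board"; else echo "NTFS: missing"; fi
for m in /mnt/evidence /media/user/USB_DISK /mnt/absent; do
    evidence_mount_is_ro "$m" "$SAMPLE_DIR/mounts"; rc=$?
    case $rc in 0) s="read-only";; 1) s="READ-WRITE (auto-mounted?)";; *) s="not mounted";; esac
    echo "$m: $s"
done
```

A read-write hit under /media is the signature of desktop automount having touched the device; on a lab station that is the feature to disable before the drive is attached.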
Page 1 / 2