
Evidence collection CD that can be used on Live Unix Systems

ellac
(@ellac)
Active Member
Joined: 20 years ago
Posts: 5
Topic starter

Hi all,

Happy New Year!

I am writing a paper about creating a CD which allows users to collect evidence on live Unix systems (right now I am only concentrating on RedHat Linux and Solaris). You will probably say that Helix or Knoppix can do the job, but they require the system to be rebooted. My CD will not require a reboot because some critical systems just cannot be shut down at any time.

Any input will be greatly appreciated!!!

EC


(@jsawyer)
Eminent Member
Joined: 20 years ago
Posts: 35
 

Hey EC,

How is the paper/CD going? I just saw the post and was wondering about the progress. I know you are familiar with Helix, but when using it for *nix incident response, it _does_not_ have to be used in the bootable Linux mode. Simply pop in the CD, mount it and check out the Static-Binaries folder. There are two folders to interest you: linux_x86 and solaris_2.7. They are precompiled, static binaries of the normal tools needed during IR. There are not any scripts or automated tools, but maybe that's what you will be focusing on in your paper.

Hope the work is going well. Keep us posted on your progress and when things get published. Good luck.

-jhs
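The no-reboot approach described in the reply above (mount the CD, run only its precompiled static binaries, never the suspect host's own tools), written out as an added example script that is not part of this thread or of Helix. The tools directory, the output directory and the list of commands are assumptions for illustration.

```shell
#!/bin/sh
# Added example: live-response collection that runs only the static binaries
# from a mounted tools CD, so nothing on the suspect host's PATH is trusted.
# Assumed (not from the thread): TOOLS is the static-binary directory, e.g. the
# CD's Static-Binaries/linux_x86; OUT is on removable media, never the evidence disk.

unset LD_PRELOAD LD_LIBRARY_PATH   # ignore loader tricks left by an intruder

# Run one tool from the trusted directory only; refuse anything else.
# Usage: run_trusted TOOLS OUT name [args...]  -> output in OUT/name.txt
run_trusted() {
    tools=$1; out=$2; name=$3; shift 3
    tool="$tools/$name"
    [ -x "$tool" ] || return 1
    "$tool" "$@" > "$out/$name.txt" 2> "$out/$name.err"
}

# Hash every collected file with the trusted sha256sum so later tampering with
# the output is detectable (verify with: sha256sum -c manifest.sha256).
hash_manifest() {
    tools=$1; out=$2
    if [ ! -x "$tools/sha256sum" ]; then
        echo "no trusted sha256sum: manifest not written" >> "$out/collection.log"
        return 1
    fi
    (cd "$out" && "$tools/sha256sum" ./*.txt ./*.err > manifest.sha256)
}

# Collect volatile data in order of volatility: clock, processes, network state,
# logged-in users, mounted filesystems. A missing tool is logged and skipped,
# never silently replaced by the host's own (possibly trojaned) binary.
collect_volatile() {
    tools=$1; out=$2
    mkdir -p "$out" || return 1
    echo "tools=$tools" > "$out/collection.log"
    for spec in "date" "uptime" "ps -ef" "netstat -an" "w" "mount"; do
        set -- $spec                      # split "ps -ef" into name and args
        if [ ! -x "$tools/$1" ]; then
            echo "missing: $1" >> "$out/collection.log"
        elif ! run_trusted "$tools" "$out" "$@"; then
            echo "nonzero exit: $1" >> "$out/collection.log"
        fi
    done
    hash_manifest "$tools" "$out"
}

# Real use (placeholder paths):
#   LIVE_RESPONSE_RUN=1 TOOLS=/mnt/cdrom/Static-Binaries/linux_x86 OUT=/media/usb/case sh collect.sh
if [ "${LIVE_RESPONSE_RUN:-0}" = 1 ]; then collect_volatile "$TOOLS" "$OUT"; fi
```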

