Preferred Forensics Distro / Practice images

 xccx
(@xccx)
New Member
Joined: 10 years ago
Posts: 2
Topic starter  

Beneath the OP's name, it says "newbie".

Yes, I'm a newbie. I got really interested in forensics and was looking for beginner stuff & tips.

I specify a premade distro because it's simple & easy. For more experienced people, what do you use?

Also, what other forensic forums do you recommend?

Everyone's info has been great. Thanks )


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I specify a premade distro because it's simple & easy. For more experienced people, what do you use?

What I use depends on what I'm trying to do, which I tend to believe is more important. Having a precompiled distribution of tools isn't the way to start. Start by picking a focus and doing a deep dive, learning everything you can about that area.

Distros are good, if you know how to use them effectively.

Also, what other forensic forums do you recommend?)

I don't usually recommend forums, because doing so leads to analysts being too passive in their learning. Far too many in the "community" are passive in their learning.


   
ReplyQuote
citizen
(@citizen)
Eminent Member
Joined: 10 years ago
Posts: 38
 

Interesting.

Cool.

How so?

Just a difference of opinion. A lot of the distros are well documented and supported by communities that have formed around them. Pairing the strength of these communities, the available documentation, and some recommended reading, you can learn a lot on your own. As you have different experiences going through this process, you can even start to make associations on where one FOSS tool might be a better choice over another given the circumstances.

Depending on what country the OP is from he could probably find other posters from that area that can assist with relevant law and best practices for that area with respect to evidence handling/reporting.


   
ReplyQuote
(@wookieshaver)
Eminent Member
Joined: 14 years ago
Posts: 27
 

I really like using Paladin Linux for imaging of most laptops, desktops (Mac and PC), and tablets. (https://www.sumuri.com/products/paladin/) Version 5 has been very solid for most of the imaging my firm does in the field and in the lab.


   
ReplyQuote
(@thefuf)
Reputable Member
Joined: 17 years ago
Posts: 262
 

I really like using Paladin Linux for imaging of most laptops, desktops (Mac and PC), and tablets. (https://www.sumuri.com/products/paladin/) Version 5 has been very solid for most of the imaging my firm does in the field and in the lab.

There was no software write-blocking until version 6, and there are known issues with PALADIN 5 automatically wiping an NTFS journal and recovering the Ext3/4 file system during the boot.


   
ReplyQuote
(@skulkin)
Eminent Member
Joined: 12 years ago
Posts: 38
 

To xccx

By the way, there is an amazing book - "Digital Forensics with Open Source Tools". It contains great tips on how to build your own open source examination platform, using both Linux and Windows.

It's quite strange to me that keydet89 didn't recommend this book to you )


   
ReplyQuote
citizen
(@citizen)
Eminent Member
Joined: 10 years ago
Posts: 38
 

Also, for practicing your network forensic skills, check this site out:

http://www.malware-traffic-analysis.net/


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

It's quite strange to me that keydet89 didn't recommend this book to you )

If that's the case, then it appears you didn't read any of my previous responses to this thread.

My thought on this thread is that an analyst should not start out by seeking a distro put together by someone else, but should first understand the data being analyzed, determine which tools best suit their own analysis process, and then choose the appropriate distro.

Besides, the book was published 5 years ago…if an analyst is going to first go to a forum for answers and not start by doing some of their own research, maybe that book isn't suitable for them.


   
ReplyQuote
(@wookieshaver)
Eminent Member
Joined: 14 years ago
Posts: 27
 

There was no software write-blocking until version 6, and there are known issues with PALADIN 5 automatically wiping an NTFS journal and recovering the Ext3/4 file system during the boot.

What version of Paladin did you use? We generally use Paladin Edge 5.02 where a USB boot is available, or the same version on CD if no applicable USB port is available. As to no write-block: the write-block option is available upon boot of the OS - you can choose write-block or no write-block in the bootloader.

Further, once you boot to the Paladin desktop, within the Paladin toolbox the disk manager allows you to mount or unmount volumes r or rw. Have you used this software at all?


   
ReplyQuote
(@thefuf)
Reputable Member
Joined: 17 years ago
Posts: 262
 

There was no software write-blocking until version 6, and there are known issues with PALADIN 5 automatically wiping an NTFS journal and recovering the Ext3/4 file system during the boot.

What version of Paladin did you use? We generally use Paladin Edge 5.02 where a USB boot is available, or the same version on CD if no applicable USB port is available. As to no write-block: the write-block option is available upon boot of the OS - you can choose write-block or no write-block in the bootloader.

Further, once you boot to the Paladin desktop, within the Paladin toolbox the disk manager allows you to mount or unmount volumes r or rw. Have you used this software at all?

In my previous post, I refer to PALADIN 5.02 (MD5 for the ISO image f2e018cb36277ffe577275d00092bfba). I don't trust the developers of PALADIN and NIST (they did some tests on previous versions of this software), so I did my own tests and found data alteration issues that were reported both to the developers of PALADIN and NIST. In the next version of PALADIN, a new write blocking approach (similar to my kernel patch) was implemented to mitigate the issues reported.

You can look at the screenshot related to the NTFS journal wiping issue here (see the messages on the top of the terminal window). Also, I can share the disk images used for the testing, if anyone cares (I'm actually trying to share as much information about data alteration issues in live distributions as I can since 2009, but nobody seems to care).

PS
The same NTFS issue is also present in PALADIN EDGE 5.02 (MD5 824e802026e05acbce6342084e15ed61), even when booting in the write blocking mode.
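As an added example (not code from the thread, from PALADIN or from any poster), a small POSIX shell harness for the kind of data-alteration test described above: hash an evidence image before and after an operation such as a read-only mount and report whether any byte changed. The function names and mount point are constructed; the mount step assumes root and loop-device support, and the ext3/4 `noload` option skips journal replay so the test does not itself alter the image.

```shell
#!/bin/sh
# Added example: detect whether an operation alters an image file.
# Helper names (hash_image, check_unchanged, mount_ro_noreplay) are constructed.

# Print the SHA-256 of an image file or readable block device.
hash_image() {
    sha256sum "$1" | cut -d' ' -f1
}

# Run a command and report whether the image bytes changed.
# Usage: check_unchanged <image> <command...>
# Returns 0 if the hash is identical before and after, 1 if it changed.
check_unchanged() {
    img="$1"; shift
    before=$(hash_image "$img")
    "$@" >/dev/null 2>&1
    after=$(hash_image "$img")
    if [ "$before" = "$after" ]; then
        echo "unchanged: $img ($before)"
        return 0
    fi
    echo "ALTERED:   $img"
    echo "  before: $before"
    echo "  after:  $after"
    return 1
}

# Mount an image read-only via a loop device and unmount it again.
# 'noload' (ext3/ext4) prevents journal replay, which a plain 'ro' mount
# would otherwise perform; NTFS is mounted 'ro'. Requires root.
# Usage: mount_ro_noreplay <image> <fstype> [mountpoint]
mount_ro_noreplay() {
    img="$1"; fstype="$2"; mnt="${3:-/mnt/ro_test}"   # constructed mount point
    mkdir -p "$mnt"
    case "$fstype" in
        ext3|ext4) opts="ro,noload,noexec" ;;
        *)         opts="ro,noexec" ;;
    esac
    mount -t "$fstype" -o "loop,$opts" "$img" "$mnt" && umount "$mnt"
}

# Example run (as root): does a read-only ext4 mount leave the image intact?
#   check_unchanged suspect.dd mount_ro_noreplay suspect.dd ext4
```

Re-running the same check with a plain `ro` mount, or with a live distribution's own automount, is how the journal-wiping behaviour reported above would show up as an "ALTERED" result.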
