The team at Vital Data have finished beta testing their FoRK CD and have uploaded version 1.0.0 for all members to download. It is available at forensicIT.com.au in the General Utilities – GNU / Linux – Downloads section.
It is based on the Knoppix 3.6 LiveCD, with some customisations and additions. Bugs identified during the testing were only minor, such as identification of hard drives transposing makes with model numbers, etc. These have all been corrected. We encourage everyone to download the CD, as it is an extremely useful tool to have, and we would appreciate all the testing and feedback we can get.
When booting from the CD, you may just press “Enter” to accept the default boot option. This will take you to “runlevel 2”, or console mode, with the initial console running the FoRK script. This script has been written to make obtaining a forensic grade image easier.
All drives in the system are automatically detected, as well as their partitions. The technician may press space to drop down a list box and select the source drive or partition. Pressing TAB navigates between fields, and again the technician may select the target drive / partition. Data on the source drive is automatically recorded, and the technician may complete case details to be recorded along with these.
Pressing CTRL-F allows the technician to access the menu at the top of the screen. Once your source, destination and case information is complete, access the menu to “tweak” the source & destination drives (making read / write access faster), and mount or format the destination drive.
Once the technician is ready to go, 3 imaging options are available – Image (a straight image, no logging or hashing), Backup Image (imaging with logging) or Forensic Image (logging and hashing). For forensic use, always obtain a forensic image. This method will record all the case information, drive & system information, md5sums and errors into logs along with your image.
The CD can also be used for previewing. At the boot prompt, type “desktop” and press Enter. The system will load into desktop mode, allowing you to preview the contents of the PC from a graphical interface. Here you can also access the additional tools crammed onto the FoRK, including the FoRK imaging script.
Please feel free to read more at www.vitaldata.com.au and access additional information and ISO download at www.forensicIT.com.au.
