[sf-lug] forensics with Linux

Pseudo Anonymous pseudo.anonymous70 at gmail.com
Wed Nov 18 07:05:33 PST 2009

forensics with Linux

Let's say someone hands us a laptop that is or likely has been
compromised.  Let's say we actually want to preserve an exact image
copy of the laptop hard drive.  Let's say we also want to compute some
secure cryptographic hashes of the entire laptop hard drive and
digitally sign - such as with gpg - those hashes and a statement about
those hashes.  Let's say we've got a quite sufficiently large external
USB drive that we can attach and that wasn't at all involved in the
compromise and hasn't been attached to that laptop before.

So, how would we best proceed to: boot Linux off of CD or DVD (or
possibly even USB stick) and make absolutely no write access to the
laptop hard drive - e.g. nothing that would automatically or by default
mount or attempt to mount anything on the laptop filesystem(s) rw?
We'd also want to be sure nothing attempts to run/boot/execute anything
off the laptop hard drive.  Let's say we've got someone that well knows
how to wield fdisk/cfdisk/sfdisk/mke2fs/dd/gpg/openssl, and at least
most common Linux systems administration tasks, but may or may not be a
forensics expert, and we're mostly interested in preserving evidence of
state and data of laptop hard drive.

Any particular recommendations of a handy, readily available Linux
distribution that would be best/easiest to accomplish these tasks -
such as run from a live CD image, and if needed, including actions or
boot options to ensure it doesn't make or attempt to make any write
access to the laptop hard drive by default, including having it not make
nor attempt to make any rw mounts of the laptop filesystem(s)?

And for the legal or legally inclined folks, particular recommendations
for evidence preservation/handling for possible use in criminal and/or
civil case(s) in such described situation?

Thanks in advance for the information.
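
The sequence the post asks about (read-only source, exact image, hashes, signed statement), as an added example that is not part of the original post. The function names, the file names disk.img and manifest.txt, the choice of SHA-256, and the /dev/sdX and /mnt/evidence placeholders are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Run as root from the live system.
# Placeholder usage:  acquire /dev/sdX /mnt/evidence && sign_manifest /mnt/evidence

# acquire SRC OUT: copy SRC to OUT/disk.img without writing to SRC, hash both
# sides, and record the result in OUT/manifest.txt. Non-zero on any failure.
acquire() {
    src=$1
    out=$2
    img="$out/disk.img"
    manifest="$out/manifest.txt"

    # For a real disk, set the kernel read-only flag first and confirm it took.
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 1
        [ "$(blockdev --getro "$src")" = "1" ] || return 1
    fi

    # Hash the source, copy it, hash the copy. A mismatch means a bad read or
    # a bad write, and the image must not be treated as an exact copy.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    dd if="$src" of="$img" bs=1048576 2> "$out/dd.log" || return 1
    img_hash=$(sha256sum < "$img" | cut -d' ' -f1)
    [ -n "$src_hash" ] && [ "$src_hash" = "$img_hash" ] || return 1
    chmod 0444 "$img"

    # The manifest is the statement about the hashes that gets signed.
    {
        echo "source: $src"
        echo "image: $img"
        echo "bytes: $(wc -c < "$img" | tr -d ' ')"
        echo "sha256: $img_hash"
        echo "acquired-utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$manifest"
}

# sign_manifest OUT: clearsign the manifest with the examiner's default gpg
# key, producing OUT/manifest.txt.asc.
sign_manifest() {
    gpg --clearsign "$1/manifest.txt"
}
```

Plain dd stops at the first unreadable sector, so a failing drive makes acquire return non-zero instead of producing a silently incomplete image.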
