
Workshop: Digital Discovery with Bootable CDs




Boot CDs are a flexible and powerful aid throughout the forensic process, from live examination to acquisition, searching and recovery. Linux has long been the most popular OS for this purpose, but in some cases Windows-based live CDs are also useful. In this workshop we present several real-life case scenarios and the corresponding live-boot solution for each. Since kernel 2.6, Linux has been able to create forensically sound images even of partitions and hard disks with an odd number of sectors. One must, however, be aware of many other circumstances that can alter the evidence: mounting filesystems, automatic activation of software RAID arrays, and use of LVM or swap space on the target disk. Many Linux boot CDs appear to address all of these critical points, but in fact only a few well-documented tests are available. Another problem with ready-to-download Linux live CD images is their lack of support for brand-new hardware, so a framework for building a custom Linux live system with current kernel versions and packages would be very helpful. We will present grml, a Debian-based live system developed by the Austrian Debian Developer Michael Prokop and the grml team. This system satisfies all of the initial conditions mentioned above and much more. Various boot parameters allow the behaviour of the live system to be controlled, e.g. the parameter "forensic", which is a shortcut for "nofstab noraid noautoconfig noswap raid=noautodetect readonly ...". In addition, the grml system can be booted from CD/DVD, USB or FireWire device, remote adapter (iLO, RSA2, ...), flash card and PXE. In this workshop you will learn how to use grml for forensic investigations and how to build your own live system using the grml-live framework. On some brand-new mainboards the grml system may still fail because the chipset, especially the onboard RAID chipset, is not yet supported by the Linux kernel. For these cases a forensically sound Windows-based boot CD is needed as plan B. The workshop will therefore present a way to build a forensically sound Windows-based boot CD using the standard Windows Automated Installation Kit for Windows Vista along with some registry modifications.
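A pre-acquisition self-check in the spirit of the precautions listed above, written as an added example (not grml's own code): the required parameters are the expansion of the `forensic` shortcut quoted in the abstract, and each check takes the text of a /proc interface as an argument so it can be exercised on constructed input as well as on a booted system.

```shell
# Pre-acquisition self-check for a Linux live system (added example, not grml's
# own code). Each check takes the text of a /proc interface as an argument so it
# can be exercised on constructed input; "--live" feeds it the real files.

# Boot parameters that grml's "forensic" shortcut expands to (from the abstract).
REQUIRED_PARAMS="nofstab noraid noautoconfig noswap raid=noautodetect readonly"

# Report every required parameter absent from the kernel command line.
# Returns 0 when all are present, 1 otherwise.
check_cmdline() {
    cmdline="$1" missing=0
    for p in $REQUIRED_PARAMS; do
        case " $cmdline " in
            *" $p "*) ;;
            *) echo "MISSING boot parameter: $p"; missing=1 ;;
        esac
    done
    return $missing
}

# /proc/swaps has one header line; any further non-empty line is an active swap
# device that the kernel will write to. Returns 1 if swap is active.
check_swaps() {
    n=$(printf '%s\n' "$1" | awk 'NR > 1 && NF { c++ } END { print c + 0 }')
    [ "$n" -eq 0 ] || { echo "ACTIVE swap devices: $n"; return 1; }
}

# /proc/mdstat lists assembled arrays as "mdN : active ...". Auto-assembly can
# modify the member disks, so any active array is a red flag. Returns 1 if found.
check_mdstat() {
    if printf '%s\n' "$1" | grep -q '^md[0-9]* *: *active'; then
        echo "ACTIVE md array(s) assembled"; return 1
    fi
}

# /proc/mounts must not reference the evidence device ($2, e.g. /dev/sdb) or
# any of its partitions. Returns 1 if it does.
check_mounts() {
    if printf '%s\n' "$1" | grep -q "^$2"; then
        echo "MOUNTED filesystem(s) from evidence device $2"; return 1
    fi
}

# Live use on a booted system: sh check.sh --live /dev/sdb
if [ "$1" = "--live" ]; then
    check_cmdline "$(cat /proc/cmdline)" &&
    check_swaps "$(cat /proc/swaps)" &&
    check_mdstat "$(cat /proc/mdstat 2>/dev/null)" &&
    check_mounts "$(cat /proc/mounts)" "${2:-/dev/sdb}" &&
    echo "OK: no sign of the live system touching ${2:-/dev/sdb}"
fi
```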