Linux and Data Forensics?
An anonymous reader asks: "Data Forensics has been discussed in the past. I am entering the field soon and aside from rifling through Slashdot and Google and reading some technical data on the software that I am going to be using I haven't had much time to learn everything about the position (I will be officially trained when I move over to the role). I am wondering, though, if Linux has played a strong role in the courtroom when it comes to validating evidence that has been used in a lawsuit case. Those in the field who are reading this, have you used open-source software to prove facts to the court? I don't mean using dd to make an image of a disk but rather a suite of tools whose purpose is to analyze data, indicate relationships, create hash tables, et cetera. That being said, if that software is not available (the programmer side of me asks), is there enough interest in the community to create a package that rivals and is as accountable and recognizable as commercial products?"
Dear anonymous,
As always, google is your friend.
My learning-disabled kid brother doesn't know what data forensics is, but he knows how to use Google.
Use it.
http://www.google.com/search?q=knoppix+validation
http://www.google.com/search?q=linux+forensics&so
PDF - KNOPPIX Bootable CD Validation Study for Live Forensic Preview
Linux-Forensics.com Home of the Penguin Sleuth Bootable CD
Knoppix security tools distribution Knoppix STD (security tools distribution)
From the Australian DoD page: http://www.dsd.gov.au/library/software/flag/
FLAG uses the SleuthKit tool from www.sleuthkit.org to analyse dd images. By putting inode information in the database it is possible to cross-correlate file properties, and simplify the forensic analysis process.
No, it's not related to the performance of Linux in the courtroom. But I do recall reading that Linux is a preferred host for doing forensics (via dedicated tools, or even using VMware), since filesystems can be mounted read-only without the need for a hardware switch (like a jumper on the drive). It's a minor point, but potentially useful.
I've looked at:
Penguinsleuth
It's mostly a standard Knoppix CD with some forensics tools added
SystemRescueCD
From one of the partimage team members; it's Gentoo-based and has a sweet array of boot options, including a boot option for an NT password & registry editor. Oh yeah... partimage is kinda nice as a Ghost-like imaging option.
Amateurs discuss tactics. Professionals discuss logistics.
I do data forensics work for a living.
The Sleuth Kit and the Autopsy frontend are outstanding tools. Use a Knoppix or FIRE CD plus an external hard drive for acquisitions.
However, I would HIGHLY HIGHLY recommend that you take some training. SANS has a track for forensics that is pretty damn good. At the very least, it'll get you comfortable with the tools and tactics.
Check out the Linux_Forensics group on yahoo. There are a lot of people with more experience than I who could answer the court question you posed.
:)
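The acquisition workflow that comment describes (boot a live CD, image the drive to an external disk) is only useful in court if you can later show the image is an exact copy. The script below is an added example, not code from the thread or from any of the tools named in it: it hashes the source, images it with dd, re-hashes both sides, writes the digests to a custody log, and then shows that a single appended byte is caught on re-verification. The function names (hash_file, acquire, verify) and the file of random bytes standing in for a real /dev/sdX are my own constructions so the script runs offline without root.

```shell
#!/bin/sh
# Added example (not from the thread): acquire a raw image with dd and prove by
# hash that it is bit-for-bit identical to the source, then show that later
# tampering is caught. A constructed 1 MiB file of random bytes stands in for
# /dev/sdX so this runs offline without root or a real drive.
set -eu

# SHA-256 of a file, printing only the digest. GNU coreutils ships sha256sum;
# macOS/BSD have shasum (Perl) instead.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire SRC IMG LOG
#   hash the source, image it with dd, hash the source again (shows the
#   acquisition did not alter it) and hash the image (shows the copy is
#   exact), then record all three digests in a chain-of-custody log.
# bs=512 matches the sector size, so conv=sync (zero-fill an unreadable block
# instead of shortening the image) never pads the end of a whole-sector
# source; a larger bs with conv=sync can append zeros and break the hash match.
acquire() {
    src=$1; img=$2; log=$3
    before=$(hash_file "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    after=$(hash_file "$src")
    image=$(hash_file "$img")
    printf '%s source_before=%s source_after=%s image=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$before" "$after" "$image" >>"$log"
    [ "$before" = "$after" ] && [ "$before" = "$image" ]
}

# verify IMG DIGEST: re-hash an image (before analysis, or when its integrity
# is challenged) and compare with the digest recorded at acquisition.
verify() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Constructed evidence: 1 MiB of random bytes in place of a block device.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/evidence.bin" bs=1024 count=1024 2>/dev/null

if acquire "$work/evidence.bin" "$work/evidence.dd" "$work/custody.log"; then
    ACQUIRED=ok
else
    ACQUIRED=mismatch
fi
RECORDED=$(sed -n 's/.*image=//p' "$work/custody.log")

# The untouched image must verify against the logged digest...
if verify "$work/evidence.dd" "$RECORDED"; then INTACT=ok; else INTACT=mismatch; fi

# ...and even a single appended byte must be detected.
printf 'x' >>"$work/evidence.dd"
if verify "$work/evidence.dd" "$RECORDED"; then TAMPER=missed; else TAMPER=detected; fi

echo "acquire=$ACQUIRED intact=$INTACT tamper=$TAMPER"
rm -rf "$work"
```

Two caveats when you do this for real. First, the "mount it read-only" point made earlier in the thread is only partly true: `mount -o ro,loop` stops the filesystem driver from writing file data, but on ext3/ext4 the kernel will still replay the journal on mount unless you also pass `noload`, so a hardware write blocker is still the safer choice for the original drive. Second, hashing the source twice doubles the read time on a large disk; tools such as dcfldd compute the hash during the copy instead, but the principle is the same: the digest of the original and the digest of the image are recorded at acquisition time and re-checked before anyone relies on the image.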
As far as tools are concerned, the Sleuth Kit (http://www.sleuthkit.org) is (IMO) the best tool for the job, and since it is already open source, modifications can be made and submitted back to the community for use.
I have spent the last few months immersing myself in this field and I've been learning something new every day, particularly about the guts of various file systems. Loads of fun.
-Matt