Chapter 22: Open-Source Forensic Duplication Tool Kits

OVERVIEW

Chapter 21 reviewed several commercially distributed tool kits that perform forensic duplications. The tool kit discussed in this chapter can be assembled for free, and in a modest amount of time, you can easily master its use.

With the proliferation of open-source operating systems such as Linux, OpenBSD, NetBSD, and FreeBSD, a whole suite of tools (and source code) is available to the general public that never existed before. Many of the general system administration tools such as dd, losetup, vnconfig, and md5sum can be used for investigations just as effectively as their commercial counterparts.

This chapter explains the use of these tools and how they have proved to be important additions to the investigator's tool kit. Because these tools are free and the results of the duplication methods they provide can be imported into nearly any forensic analysis suite, you may prefer to use these tools over any others. Note, however, that using these tools requires a high level of experience and at least some knowledge of file system technical details.
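The following script is an added example, not code from the book: it shows the free-tool duplication workflow the chapter describes using only dd and md5sum, with the hash of the image recorded so it can be re-verified before each analysis session. The "suspect drive" is a constructed file filled with random data; the assumption is that on a real case SRC would be the device node of the suspect disk and the commands would be run from a trusted boot CD so nothing on that disk is executed or written. The losetup mount step at the end is shown only as a comment because it needs root.

```shell
#!/bin/sh
# Added example (not from the book): forensic duplication with dd, verified
# with md5sum. The source here is a constructed file standing in for a device
# node such as /dev/hda (assumption); on a real case run this from a trusted
# boot CD with the suspect disk never mounted writable.
set -eu

# duplicate_and_verify SRC DEST
# Hash the source, copy it sector by sector to DEST, hash the copy, and
# record the image hash in DEST.md5 for later re-verification.
# conv=noerror,sync makes dd continue past unreadable sectors and zero-fill
# them, so the image keeps the same size and sector offsets as the source.
# Returns 0 only when the source and image hashes match.
duplicate_and_verify() {
    src="$1"
    dest="$2"
    src_hash=$(md5sum "$src" | cut -d' ' -f1)
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null
    dest_hash=$(md5sum "$dest" | cut -d' ' -f1)
    # md5sum -c format is "<hash>  <path>" (two spaces), so the image can be
    # re-checked later with reverify_image instead of comparing by hand.
    printf '%s  %s\n' "$dest_hash" "$dest" > "$dest.md5"
    printf 'source %s\nimage  %s\n' "$src_hash" "$dest_hash"
    [ "$src_hash" = "$dest_hash" ]
}

# reverify_image DEST
# Re-checks DEST against the hash recorded at duplication time. Run it before
# every analysis session (and after, if the image was mounted) so that any
# change to the image, accidental or otherwise, is caught. Nonzero on mismatch.
reverify_image() {
    md5sum -c --status "$1.md5"
}

# Demonstration on a constructed 32 KB "drive" of random data.
workdir=$(mktemp -d)
dd if=/dev/urandom of="$workdir/suspect.raw" bs=512 count=64 2>/dev/null
duplicate_and_verify "$workdir/suspect.raw" "$workdir/suspect.dd" && echo "image verified"
reverify_image "$workdir/suspect.dd" && echo "image unchanged since duplication"
# Next step on a Linux analysis host (needs root, so not run here):
#   losetup -r /dev/loop0 suspect.dd
#   mount -o ro,noexec,nodev /dev/loop0 /mnt/evidence
```

Hashing the source before the copy, rather than only the finished image, is what lets you show later that the image matches the evidence as it was at the time of duplication; the .md5 file written beside the image is what an analyst checks each time the image is opened.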

Just as we discussed needing a trusted boot disk (or CD-ROM) in Chapter 21, forensic duplication with noncommercial software has the same requirement. Because Linux is an open-source operating system, many successful distributions have been developed to make Linux run from CDs or floppy disks without accessing the hard drive. We suggest you check out Trinux, which is a Linux distribution designed to run off of a CD-ROM. You can research Trinux at http://trinux.sourceforge.net. Knoppix, available at http://www.knoppix.net, follows in the same vein. It is designed to be installed from a CD-ROM, has excellent documentation, and has been more actively developed than Trinux. Knoppix will have more support for "strange" hardware and more recent tools. Additionally, a similar distribution of FreeBSD is offered at http://sourceforge.net/projects/freebsdtogo/ and is aptly named FreeBSD To Go.

Another project worth mentioning is F.I.R.E, or the Forensic and Incident Response Environment. It offers an easy-to-navigate menu system for performing a wide variety of forensics and security analyses on a computer without altering the evidence. For more information about forensics-capable CDs, see http://www.linux-forensics.com/links.html. For information on bootable CDs in general, see http://www.distrowatch.com/dwres.php?resource=cd.

Multiple Linux distributions have been designed for the forensics examiner to run off a CD-ROM, including Trinux, Knoppix, Knoppix-STD, F.I.R.E., and many others. These versatile distributions are complete with analysis tools, data-collection resources, disk-recovery utilities, security-testing capabilities, and even virus scanning. Information about each distribution is shown in the following table.

Distribution   Web Site                        Strong Points
Trinux         http://trinux.sourceforge.net   Small size allows it to run on old computers.
Knoppix        http://www.knoppix.net          Best hardware detection and GUI; extensive list of tools.
Knoppix-STD    http://knoppix-std.org          Knoppix Security Tools Distribution includes an extensive suite of security-, incident-response-, and forensics-related tools.
F.I.R.E        http://fire.dmzs.com            Forensic and Incident Response Environment has a nice menu system that makes it easy to use.

In this chapter, we are still within the forensic duplication stage of our investigation:

Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175