Because UNIX can be instructed to access drives in read-only mode, conceivably any bootable CD-ROM or floppy diskette containing a UNIX operating system can serve as an evidence acquisition boot disk. However, one boot disk will not work with all UNIX systems, because different types of UNIX systems typically run on different kinds of hardware that are not compatible with each other. One boot disk is needed to boot a Solaris system running on Sun SPARC-based hardware, while another is needed to boot an Intel-based system running Linux. One boot disk might not even be sufficient for all Intel-based systems running Linux, since it may not contain all of the drivers needed to access every device (e.g. FireWire drives, Ethernet cards).
CASE EXAMPLE
A Sun Ultrasparc, Enterprise 3500 system contained evidence on a 9 GB Seagate ST-19171FC Fibre Channel FC-AL, Dual Port (Barracuda 9) hard drive. Because of the unusual interface on this hard disk, it was not feasible to connect it to the available evidence collection system. Therefore, it was necessary to boot the Enterprise server from a Solaris CD-ROM and make a bitstream copy of its hard drives to a sanitized external SCSI drive using the dd command.
Notably, an evidence acquisition boot disk with Linux for Intel-based systems can be used to boot and access a Windows computer. For instance, FIRE (fire.dmzs.com) is a bootable Linux CD-ROM that can be used to acquire evidence from Intel-based systems. Like EnCase, FIRE enables remote previewing of a system via a network cable as shown in Figure 11.1.
Figure 11.1: Remote view of a Windows system using FIRE with its VNC connection feature.
Although UNIX systems can reliably mount most hard drives in read-only mode, there is still a possibility that the operating system could make changes on an evidentiary device, so some examiners use a hardware write-blocker as a precaution.
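The acquisition procedure described above (boot from a UNIX disk, mount read-only, make a bitstream copy with dd to a sanitized drive) can be scripted and verified. The following is an added example, not code from the book, and uses a constructed 1 MiB file as a stand-in for the evidentiary device so that it runs offline without root; the function and path names are the author's own choices. It copies the device with dd, then compares a SHA-256 hash of source and image so that a silent read failure cannot be mistaken for a successful acquisition.

```shell
#!/bin/sh
# Added example (not from the book): bitstream copy of a block device with dd,
# verified by hash. The source here is a constructed file standing in for a
# device such as /dev/sda; the destination is the image on the sanitized drive.
set -eu

make_sample_device() {
    # Construct a 1 MiB pseudo-device with a recognisable marker inside it.
    out="$1"
    dd if=/dev/zero of="$out" bs=1024 count=1024 2>/dev/null
    printf 'EVIDENCE-SAMPLE-DATA' | dd of="$out" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

hash_file() {
    # Portable SHA-256: prefer sha256sum (GNU), fall back to shasum (BSD/macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

mount_readonly() {
    # Requires root and a real device; shown for reference, not invoked below.
    # ro: no writes; noatime: do not update access times on read.
    # Caveat: on Linux, ext3/ext4 may still replay a dirty journal on a "ro"
    # mount; add "noload" to suppress that, and consider "blockdev --setro"
    # on the device itself. This is the kind of write the hardware
    # write-blocker guards against.
    mount -o ro,noatime,noexec,nodev "$1" "$2"
}

acquire_image() {
    # $1: source device, $2: destination image file on the sanitized drive.
    # Prints the verified SHA-256 of the image, or returns 1 on mismatch.
    src="$1"; dst="$2"
    # conv=noerror keeps dd going past unreadable blocks; conv=sync pads each
    # short read with NULs so offsets in the image still match the source.
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    [ "$src_hash" = "$dst_hash" ] || return 1
    printf '%s\n' "$dst_hash"
}

# Usage: make_sample_device /tmp/src.img && acquire_image /tmp/src.img /tmp/evidence.dd
```

One caveat worth knowing before relying on the hash check: conv=sync pads the final block as well, so if the source size is not a multiple of the block size the image will be larger than the source and the two hashes will differ even though nothing was lost. The constructed sample is exactly 1 MiB, a multiple of 4096, so the comparison holds; for a real device, pick a block size that divides its size, or hash only the first N bytes of the image where N is the device size reported by the kernel.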