Chapter 20: Creating a Bootable Environment and Live Response Tool Kit

Overview

When a call comes in that a system has been hacked, the forensic consultant has to be ready to move quickly. Sometimes, the victim system will be so badly damaged by the attack that the machine won’t even be able to boot. Some victim systems may be functional, but the “powers that be” will allow the victim to be taken offline to perform proper analysis on it. Still others, however, will require that the system remain online while the analysis is performed. No matter what the scenario, the forensic consultant has to be prepared to deal with it.

In this chapter, we’ll tell you how to create a bootable response media (usually either CD-ROM or floppy) that contains all the tools you’ll need to perform a proper response analysis to an attack. We’ll also put together a collection of critical Windows and Unix tools that can be used for forensic analysis on live systems.