Difference between revisions of "ALT Linux Rescue"

From ForensicsWiki

Edit summaries: m (Tools included: added several tools by Joachim Metz); m (External Links: +starterkits)

Changed section (External Links, line 49) after the edit:
* [http://en.altlinux.org/Rescue Project site] (also available in [http://www.altlinux.org/Rescue Russian])
* Part of [http://en.altlinux.org/Regular Regular Builds] based on ALT Linux Sisyphus
* Rescue image within [http://en.altlinux.org/Starterkits ALT Linux Starterkits] based on stable branch has gained the same features as of 20140612
Revision as of 09:00, 14 June 2014

ALT Linux Rescue
Maintainer: Michael Shigorin
OS: Linux
Genre: Live CD
License: GPL, others
Website: en.altlinux.org/rescue

ALT Linux Rescue is yet another sysadmin's Live CD with some forensic capabilities and features.


This weekly-updated image is intended to be text-only toolchest for data analysis and recovery.

It will not try to use swap partitions or autodetect and automount file systems unless requested explicitly.

Forensic mode is available via a separate boot target for BIOS users and a rescue boot option (via F2) for UEFI users. This will skip activating MDRAID/LVM too.

A build profile suitable for the ALT Linux mkimage tool is included as .disk/profile.tgz.

Tools included

Most of the usual rescue suspects should be there: biew, chntpw, dc3dd/dcfldd, foremost, john, md5deep, nmap, scalpel, sleuthkit and wipefreespace, to name a few, are available as well; the libevt, libevtx, liblnk, libpff, libregf, libuna, libvshadow and libwrc tools have been included since 20140514.

X11-based software is being considered for an extended version.


i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot might be left enabled in most occasions.


Two separate 32/64-bit hybrid ISO images suitable for direct writing onto USB Flash media (or CD-R by chance).

Forensic issues

Hardening against rootfs spoofing has been implemented as of 20140423 (the stage2 squashfs SHA256 check was contributed by Maxim Suhanov); previous images are vulnerable to an ISO9660 filesystem on an attached device that contains a squashfs file with the predefined name and specially crafted contents.
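The check described above, as an added illustration rather than the ALT Linux Rescue image's own boot code: a stage2 squashfs is only trusted if its SHA256 matches a value that was delivered with the trusted boot media. It assumes the expected hash is read from a sha256sum-style file shipped in the initrd (not from the same device that supplied the squashfs, otherwise the check proves nothing); the file names and contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not ALT Linux's own boot code: verify a stage2 squashfs image
# against a known SHA256 before trusting it, in the spirit of the check described
# on the page. Assumption: the hash file comes from trusted boot media (initrd),
# never from the device that supplied the squashfs. File names are constructed.

# verify_stage2 IMAGE EXPECTED_SHA256
# Returns 0 when IMAGE hashes to EXPECTED_SHA256, 1 otherwise (missing file fails).
verify_stage2() {
    image="$1"
    expected="$2"
    [ -f "$image" ] || return 1
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_stage2_from_file IMAGE HASHFILE
# HASHFILE holds "<sha256>  <basename>" lines as written by sha256sum.
# Fails closed: no entry for the image's basename means the image is rejected.
verify_stage2_from_file() {
    image="$1"
    hashfile="$2"
    name=$(basename "$image")
    expected=$(grep " $name\$" "$hashfile" | head -n 1 | cut -d' ' -f1)
    [ -n "$expected" ] || return 1
    verify_stage2 "$image" "$expected"
}

# demo_spoof_check: builds a constructed fixture in a temp directory, checks that
# the genuine image passes, then overwrites it with a same-named spoof (the
# scenario the page describes) and checks that the spoof is rejected.
# Returns 0 only when both outcomes are as expected.
demo_spoof_check() {
    tmp=$(mktemp -d) || return 1
    printf 'genuine stage2 payload\n' > "$tmp/stage2.squashfs"
    ( cd "$tmp" && sha256sum stage2.squashfs > stage2.sha256 ) || return 1
    result=0
    verify_stage2_from_file "$tmp/stage2.squashfs" "$tmp/stage2.sha256" || result=1
    printf 'spoofed contents with the predefined name\n' > "$tmp/stage2.squashfs"
    if verify_stage2_from_file "$tmp/stage2.squashfs" "$tmp/stage2.sha256"; then
        result=1
    fi
    rm -rf "$tmp"
    return $result
}
```

The important design point is where the expected hash comes from: a hash stored next to the squashfs on the same removable device can be replaced together with the squashfs, so it has to travel with the kernel and initrd that were actually booted.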

MDRAID/LVM2/swap activation might occur with images before 20140416 or when booted via the default "Rescue" target; booting into "Forensic mode" skips that (for both early userspace and the final environment as of 20140416) and switches the mount-system script to the ro,loop,noexec mount options (as of 20140423).
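Two small helpers around the ro,loop,noexec policy just described, added here as an example and not taken from the image's mount-system script: one enforces the options on whatever a caller passes in, the other audits /proc/mounts-style records after boot so an accidental read-write or executable mount of evidence media is caught. The /proc/mounts lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the ALT Linux Rescue mount-system script: enforce and audit
# the ro,loop,noexec policy described on the page. Sample mount records are
# constructed, including one /dev/mapper entry that would indicate LVM got
# activated despite the forensic intent.

# forensic_mount_opts USER_OPTS
# Prints a mount option string with ro,loop,noexec enforced: rw and exec supplied
# by the caller are dropped rather than honoured; other options pass through.
forensic_mount_opts() {
    kept=""
    oldifs=$IFS
    IFS=','
    for o in $1; do
        case "$o" in
            rw|exec|ro|loop|noexec|"") ;;          # conflicting, empty, or enforced anyway
            *) kept="${kept:+$kept,}$o" ;;
        esac
    done
    IFS=$oldifs
    printf '%s\n' "ro,loop,noexec${kept:+,$kept}"
}

# mount_is_forensic LINE
# LINE is one /proc/mounts record: "device mountpoint fstype options 0 0".
# Returns 0 when the options carry both ro and noexec, 1 otherwise.
mount_is_forensic() {
    line="$1"
    set -- $line
    opts=",$4,"
    case "$opts" in *,ro,*) ;; *) return 1 ;; esac
    case "$opts" in *,noexec,*) ;; *) return 1 ;; esac
    return 0
}

# audit_mounts MOUNTS_TEXT
# Prints "non-compliant: <mountpoint> (<options>)" for every violating record.
# Returns 0 when all records comply, 1 when at least one does not.
audit_mounts() {
    printf '%s\n' "$1" | {
        bad=0
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            if ! mount_is_forensic "$line"; then
                set -- $line
                printf 'non-compliant: %s (%s)\n' "$2" "$4"
                bad=1
            fi
        done
        exit $bad
    }
}

# Constructed sample: two compliant loop mounts, one rw mount, one LVM volume
# mounted without noexec.
SAMPLE_MOUNTS='/dev/loop0 /mnt/evidence1 ext4 ro,noexec,relatime 0 0
/dev/sda1 /mnt/sda1 ext4 rw,relatime 0 0
/dev/mapper/vg0-home /mnt/home xfs ro,relatime 0 0
/dev/loop1 /mnt/evidence2 ntfs ro,noexec,nosuid 0 0'
```

On a live system the audit would be run as `audit_mounts "$(cat /proc/mounts)"` once the rescue environment is up; a non-zero exit is the signal that something was mounted outside the forensic policy.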

Physical (hardware) write blocking has not been considered so far.


External Links