ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between revisions of "ALT Linux Rescue"

From ForensicsWiki
Jump to: navigation, search
m (Credits: +patch)
m (overall refactoring)
Line 8: Line 8:
 
}}
 
}}
  
'''ALT Linux Rescue''' is yet another sysadmin's [[Live CD]].
+
'''ALT Linux Rescue''' is yet another sysadmin's [[Live CD]] with some forensic capabilities.
  
 
== Intro ==
 
== Intro ==
  
This weekly-updated image is intended to be text-only recovery toolchest with some basic forensic capabilities.
+
This weekly-updated image is intended to be text-only toolchest for analysis and recovery.
  
It will not activate MDRAID/LVM when booted with "forensic" keyword (available via a separate isolinux boot target) and will not try to use swaps or autodetect/mount filesystems unless requested explicitly; <tt>mount-system</tt> script will use <tt>ro,loop</tt> mount options when booted in this mode.
+
It will not try to use swaps or autodetect/mount filesystems unless requested explicitly.
 +
 
 +
Forensic mode is available via a separate boot target for BIOS users; UEFI users are asked to press F2 twice within boot manager menu and add "forensic" keyword to kernel commandline by hand as of 20140423.  This will skip activating MDRAID/LVM too.
  
 
Build profile suitable for ALT Linux <tt>mkimage</tt> tool is included as <tt>.disk/profile.tgz</tt>.
 
Build profile suitable for ALT Linux <tt>mkimage</tt> tool is included as <tt>.disk/profile.tgz</tt>.
Line 21: Line 23:
  
 
Most of the usual rescue suspects should be there; [[biew]], [[chntpw]], [[dc3dd]]/[[dcfldd]], [[foremost]], [[john]], [[md5deep]], [[nmap]], [[scalpel]], [[sleuthkit]], [[wipefreespace]] to name a few are available either.
 
Most of the usual rescue suspects should be there; [[biew]], [[chntpw]], [[dc3dd]]/[[dcfldd]], [[foremost]], [[john]], [[md5deep]], [[nmap]], [[scalpel]], [[sleuthkit]], [[wipefreespace]] to name a few are available either.
 +
 +
X11-based software is being considered for an extended version.
  
 
== Platforms ==
 
== Platforms ==
Line 32: Line 36:
 
== Forensic issues ==
 
== Forensic issues ==
  
No hardening against rootfs spoofing in images before 20140423; implemented as of today (stage2 squashfs SHA256 check has been contributed by Maxim Suhanov).
+
Hardening against rootfs spoofing has been implemented as of 20140423 (stage2 squashfs SHA256 check has been contributed by Maxim Suhanov); previous images are vulnerable to ISO9660-on-device containing a squashfs file with predefined name and specially crafted contents.
 
+
MDRAID/LVM2/filesystems/swaps activation might occur in images before 20140416 or when booted via the default "Rescue" target; as of 20140416, booting into specially provided "Forensic mode" will skip that (both early userspace and final environment) while provided <tt>mount-system</tt> script will switch to use <tt>ro,loop</tt> mounts.
+
  
UEFI users: hashsum hasn't been propagated to refind configuration yet, and one has to press F2 twice within boot manager menu and add "forensic" keyword to kernel commandline by hand.
+
MDRAID/LVM2/swaps activation might occur with images before 20140416 or when booted via the default "Rescue" target; booting into "Forensic mode" will skip that (for both early userspace and final environment as of 20140416) and switch <tt>mount-system</tt> script to use <tt>ro,loop,noexec</tt> mount options (as of 20140423).
  
Device write blocking hasn't been considered so far.
+
Physical device write blocking hasn't been considered so far.
  
 
== Credits ==
 
== Credits ==

Revision as of 09:46, 23 April 2014

ALT Linux Rescue
Maintainer: Michael Shigorin
OS: Linux
Genre: Live CD
License: GPL, others
Website: en.altlinux.org/rescue

ALT Linux Rescue is yet another sysadmin's Live CD with some forensic capabilities.

Intro

This weekly-updated image is intended to be text-only toolchest for analysis and recovery.

It will not try to use swaps or autodetect/mount filesystems unless requested explicitly.

Forensic mode is available via a separate boot target for BIOS users; UEFI users are asked to press F2 twice within boot manager menu and add "forensic" keyword to kernel commandline by hand as of 20140423. This will skip activating MDRAID/LVM too.

Build profile suitable for ALT Linux mkimage tool is included as .disk/profile.tgz.

Tools included

Most of the usual rescue suspects should be there; biew, chntpw, dc3dd/dcfldd, foremost, john, md5deep, nmap, scalpel, sleuthkit, wipefreespace to name a few are available either.

X11-based software is being considered for an extended version.

Platforms

i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot might be left enabled in most occasions.

Deliverables

Two separate 32/64-bit hybrid ISO images suitable for direct writing onto USB Flash media (or CD-R by chance).

Forensic issues

Hardening against rootfs spoofing has been implemented as of 20140423 (stage2 squashfs SHA256 check has been contributed by Maxim Suhanov); previous images are vulnerable to ISO9660-on-device containing a squashfs file with predefined name and specially crafted contents.

MDRAID/LVM2/swaps activation might occur with images before 20140416 or when booted via the default "Rescue" target; booting into "Forensic mode" will skip that (for both early userspace and final environment as of 20140416) and switch mount-system script to use ro,loop,noexec mount options (as of 20140423).

Physical device write blocking hasn't been considered so far.

Credits

External Links