Difference between revisions of "ALT Linux Rescue"

From ForensicsWiki
m (Credits: +patch)
m (overall refactoring)
Revision as of 04:46, 23 April 2014

ALT Linux Rescue
Maintainer: Michael Shigorin
OS: Linux
Genre: Live CD
License: GPL, others
Website: en.altlinux.org/rescue

ALT Linux Rescue is yet another sysadmin's Live CD with some forensic capabilities.

Intro

This weekly-updated image is intended to be a text-only toolchest for analysis and recovery.

It will not try to use swaps or autodetect/mount filesystems unless requested explicitly.

Forensic mode is available via a separate boot target for BIOS users; as of 20140423, UEFI users are asked to press F2 twice within the boot manager menu and add the "forensic" keyword to the kernel command line by hand. This will skip activating MDRAID/LVM too.

A build profile suitable for the ALT Linux mkimage tool is included as .disk/profile.tgz.

Tools included

Most of the usual rescue suspects should be there; biew, chntpw, dc3dd/dcfldd, foremost, john, md5deep, nmap, scalpel, sleuthkit and wipefreespace, to name a few, are available as well.

X11-based software is being considered for an extended version.

Platforms

i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot can be left enabled in most cases.

Deliverables

Two separate 32-bit and 64-bit hybrid ISO images, suitable for writing directly onto USB flash media (or onto CD-R, if need be).

Forensic issues

Hardening against rootfs spoofing has been implemented as of 20140423 (the stage2 squashfs SHA256 check was contributed by Maxim Suhanov); previous images are vulnerable to an ISO9660 filesystem on an attached device that contains a squashfs file with the predefined name and specially crafted contents.

MDRAID/LVM2/swap activation might occur with images before 20140416 or when booted via the default "Rescue" target; booting into "Forensic mode" will skip that (for both early userspace and the final environment as of 20140416) and switch the mount-system script to the ro,loop,noexec mount options (as of 20140423).
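The two defences described above (refusing a stage2 squashfs whose SHA256 does not match a value supplied from a trusted place, then mounting it ro,loop,noexec) sketched as an added example; this is not the ALT Linux Rescue stage1 code, and the kernel command-line parameter name stage2_sha256 is an assumption, since the page does not give the real one.

```shell
#!/bin/sh
# Added example, not the ALT Linux Rescue implementation.
# Expected hash arrives via a kernel command-line parameter (the page notes the
# hash was not yet propagated to the rEFInd config); the name below is hypothetical.
HASH_PARAM=stage2_sha256

# expected_hash_from_cmdline CMDLINE -> prints the stage2_sha256=... value, 1 if absent
expected_hash_from_cmdline() {
    for word in $1; do
        case $word in
            "$HASH_PARAM"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# verify_stage2 IMAGE EXPECTED -> 0 if the SHA256 matches, 1 on any failure.
# An empty expected hash is a failure: a spoofed device must not be able to
# win by simply omitting the parameter.
verify_stage2() {
    img=$1 expected=$2
    [ -n "$expected" ] || { echo "no expected hash, refusing to trust $img" >&2; return 1; }
    [ -f "$img" ] || { echo "stage2 image missing: $img" >&2; return 1; }
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "stage2 hash mismatch: $img" >&2; return 1; }
}

# mount_stage2 IMAGE MOUNTPOINT CMDLINE: verify first, then mount read-only via
# loop with noexec, the option set the page gives for forensic mode.
mount_stage2() {
    img=$1 mnt=$2 cmdline=$3
    verify_stage2 "$img" "$(expected_hash_from_cmdline "$cmdline")" || return 1
    mount -t squashfs -o ro,loop,noexec "$img" "$mnt"
}
```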

Physical device write blocking hasn't been considered so far.

Credits

External Links