
Difference between revisions of "ALT Linux Rescue"

From ForensicsWiki
m (Forensic issues: none outstanding for BIOS boot?)
m (Platforms: hyper-v gen.2)
(6 intermediate revisions by 2 users not shown)
Line 8: Line 8:
 
}}
 
}}
  
'''ALT Linux Rescue''' is yet another sysadmin's [[Live CD]].
+
'''ALT Linux Rescue''' is yet another sysadmin's [[Live CD]] with some forensic capabilities and features.
  
 
== Intro ==
 
== Intro ==
  
This weekly-updated image is intended to be text-only recovery toolchest with some basic forensic capabilities.
+
This weekly-updated image is intended to be text-only toolchest for data analysis and recovery.
  
It will not activate MDRAID/LVM when booted with "forensic" keyword (available via a separate isolinux boot target) and will not try to use swaps or autodetect/mount filesystems unless requested explicitly; <tt>mount-system</tt> script will use <tt>ro,loop</tt> mount options when booted in this mode.
+
It will not try to use swap partitions or autodetect and automount file systems unless requested explicitly.
 +
 
 +
Forensic mode is available via a separate boot target for BIOS users and a rescue boot option (via F2) for UEFI users. This will skip activating MDRAID/LVM too.
  
 
Build profile suitable for ALT Linux <tt>mkimage</tt> tool is included as <tt>.disk/profile.tgz</tt>.
 
Build profile suitable for ALT Linux <tt>mkimage</tt> tool is included as <tt>.disk/profile.tgz</tt>.
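Review bot: the rewritten Intro sentence "It will not try to use swap partitions or autodetect and automount file systems unless requested explicitly" now reads as unconditional, while the Forensic issues section of the same revision says swap and filesystem activation may still occur under the default "Rescue" target; the old wording tied this behaviour to booting with the "forensic" keyword, and the rewrite should keep that condition, e.g. "In forensic mode it will not try to use swap partitions ...". The ro,loop mount-system detail dropped here is only covered under Forensic issues now, so a short pointer to that section from the Intro would help readers.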
Line 20: Line 22:
 
== Tools included ==
 
== Tools included ==
  
Most of the usual rescue suspects should be there; [[biew]], [[chntpw]], [[dc3dd]]/[[dcfldd]], [[foremost]], [[john]], [[md5deep]], [[nmap]], [[scalpel]], [[sleuthkit]], [[wipefreespace]] to name a few are available either.
+
Most of the usual rescue suspects should be there; [[biew]], [[chntpw]], [[dc3dd]]/[[dcfldd]], [[foremost]], [[john]], [[md5deep]], [[nmap]], [[scalpel]], [[sleuthkit]], [[wipefreespace]] to name a few are available either; [[libevt]], [[libevtx]], [[liblnk]], [[libpff]], [[libregf]], [[libuna]], [[libvshadow]], [[libwrc]] tools have been added since 20140514.
 +
 
 +
X11-based software is being considered for an extended version.
  
 
== Platforms ==
 
== Platforms ==
  
i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot might be left enabled in most occasions.
+
i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot might be left enabled in most occasions (Hyper-V gen.2 is a notable exception, looks like Microsoft's "3rd party driver" key is lacking there; just turn SB off).
  
 
== Deliverables ==
 
== Deliverables ==
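Review bot: "to name a few are available either" should read "to name a few, are available too" (or "as well"); the new sentence keeps the original wording and extends it into a long run-on, so the libevt/libevtx/liblnk/libpff/libregf/libuna/libvshadow/libwrc addition would read better as its own sentence, e.g. "The libevt, ..., libwrc tools have been added since 20140514."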
Line 32: Line 36:
 
== Forensic issues ==
 
== Forensic issues ==
  
No hardening against rootfs spoofing in images before 20140423; implemented as of today (stage2 squashfs SHA256 check has been contributed by Maxim Suhanov).
+
Hardening against rootfs spoofing has been implemented as of 20140423 (stage2 squashfs SHA256 check has been contributed by Maxim Suhanov); previous images are vulnerable to ISO9660-on-device containing a squashfs file with predefined name and specially crafted contents.
 
+
MDRAID/LVM2/filesystems/swaps activation might occur in images before 20140416 or when booted via the default "Rescue" target; as of 20140416, booting into specially provided "Forensic mode" will skip that (both early userspace and final environment) while provided <tt>mount-system</tt> script will switch to use <tt>ro,loop</tt> mounts.
+
  
UEFI users: hashsum hasn't been propagated to refind configuration yet, and one has to press F2 twice within boot manager menu and add "forensic" keyword to kernel commandline by hand.
+
MDRAID/LVM2/swaps activation might occur with images before 20140416 or when booted via the default "Rescue" target; booting into "Forensic mode" will skip that (for both early userspace and final environment as of 20140416) and switch <tt>mount-system</tt> script to use <tt>ro,loop,noexec</tt> mount options (as of 20140423).
  
Device write blocking hasn't been considered so far.
+
Physical device write blocking hasn't been considered so far.
  
 
== Credits ==
 
== Credits ==
  
* [[User:.FUF]] for [[Forensic Live CD issues]] page and sound advice
+
* [[User:.FUF]] for [[Forensic Live CD issues]] page, sound advice and early userspace patch
  
 
== External Links ==
 
== External Links ==
 
* [http://en.altlinux.org/Rescue Project site] (also available in [http://www.altlinux.org/Rescue Russian])
 
* [http://en.altlinux.org/Rescue Project site] (also available in [http://www.altlinux.org/Rescue Russian])
 
* Part of [http://en.altlinux.org/Regular Regular Builds] based on ALT Linux Sisyphus
 
* Part of [http://en.altlinux.org/Regular Regular Builds] based on ALT Linux Sisyphus
 +
* Rescue image within [http://en.altlinux.org/Starterkits ALT Linux Starterkits] based on stable branch has gained the same features as of 20140612
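Review bot: the UEFI line (hashsum not yet propagated to the refind configuration; F2 twice in the boot manager and "forensic" added to the kernel command line by hand) is dropped without a replacement, while the edit summary only claims nothing outstanding for BIOS boot. If the refind gap is still open, the line should stay under Forensic issues; if it has been closed, the date belongs next to the 20140423 SHA256 note, since the Intro in the same revision still directs UEFI users to the F2 rescue option.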

Revision as of 19:35, 22 July 2014

ALT Linux Rescue
Maintainer: Michael Shigorin
OS: Linux
Genre: Live CD
License: GPL, others
Website: en.altlinux.org/rescue

ALT Linux Rescue is yet another sysadmin's Live CD with some forensic capabilities and features.

Intro

This weekly-updated image is intended to be a text-only toolchest for data analysis and recovery.

It will not try to use swap partitions or autodetect and automount file systems unless requested explicitly.

Forensic mode is available via a separate boot target for BIOS users and a rescue boot option (via F2) for UEFI users. This will skip activating MDRAID/LVM too.

Build profile suitable for ALT Linux mkimage tool is included as .disk/profile.tgz.

Tools included

Most of the usual rescue suspects should be there; biew, chntpw, dc3dd/dcfldd, foremost, john, md5deep, nmap, scalpel, sleuthkit and wipefreespace, to name a few, are available too. The libevt, libevtx, liblnk, libpff, libregf, libuna, libvshadow and libwrc tools have been added since 20140514.

X11-based software is being considered for an extended version.

Platforms

i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot may be left enabled on most occasions (Hyper-V gen.2 is a notable exception: Microsoft's "3rd party driver" key appears to be absent there, so just turn Secure Boot off).

Deliverables

Two separate 32/64-bit hybrid ISO images suitable for direct writing onto USB Flash media (or CD-R by chance).

Forensic issues

Hardening against rootfs spoofing has been implemented as of 20140423 (the stage2 squashfs SHA256 check was contributed by Maxim Suhanov); previous images are vulnerable to an ISO9660 filesystem on an attached device that contains a squashfs file with the predefined name and specially crafted contents.

MDRAID/LVM2/swaps activation might occur with images before 20140416 or when booted via the default "Rescue" target; booting into "Forensic mode" skips that (for both early userspace and the final environment as of 20140416) and switches the mount-system script to the ro,loop,noexec mount options (as of 20140423).

Physical device write blocking hasn't been considered so far.
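The two forensic-mode behaviours described above, as an added example that is not ALT Linux Rescue's own early-userspace code: the "forensic" keyword on the kernel command line selects ro,loop,noexec mounts, and the stage2 squashfs is only accepted when its SHA256 matches an expected sum. The "stage2sum=" command-line parameter carrying the expected hash is an assumed name, and the stage2 image is a constructed stand-in file rather than a real squashfs.

```shell
#!/bin/sh
# Added example, not ALT Linux Rescue's own early-userspace code: models the two
# forensic-mode decisions described on the page, driven by the kernel command line.
#   1. the "forensic" keyword selects ro,loop,noexec mounts instead of the default;
#   2. the stage2 squashfs is accepted only if its SHA256 matches the expected sum,
#      so a same-named squashfs planted on the boot device is not used.
# The "stage2sum=" parameter carrying the expected hash is an assumed name.

# Print the mount options mount-system should use for the given kernel cmdline.
forensic_mount_opts() {
    for word in $1; do                       # unquoted on purpose: split on spaces
        [ "$word" = "forensic" ] && { echo "ro,loop,noexec"; return 0; }
    done
    echo "loop"                              # default "Rescue" target: writable loop mount
}

# Extract the expected stage2 checksum from the cmdline; fails if absent.
expected_stage2_sum() {
    for word in $1; do
        case "$word" in
            stage2sum=*) echo "${word#stage2sum=}"; return 0 ;;
        esac
    done
    return 1
}

# Succeed only when the file's SHA256 equals the expected value.
verify_stage2() {
    file="$1"; expected="$2"
    [ -n "$expected" ] || { echo "no expected checksum supplied" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in stage2 image and a tampered copy in a temp dir.
demo_dir=$(mktemp -d)
printf 'genuine stage2 contents\n' > "$demo_dir/stage2.squashfs"
printf 'spoofed stage2 contents\n' > "$demo_dir/spoofed.squashfs"
GOOD_SUM=$(sha256sum "$demo_dir/stage2.squashfs" | cut -d' ' -f1)
DEMO_CMDLINE="root=live forensic stage2sum=$GOOD_SUM quiet"

if verify_stage2 "$demo_dir/stage2.squashfs" "$(expected_stage2_sum "$DEMO_CMDLINE")"; then
    echo "stage2 verified; mount-system would use -o $(forensic_mount_opts "$DEMO_CMDLINE")"
fi
verify_stage2 "$demo_dir/spoofed.squashfs" "$GOOD_SUM" || echo "spoofed stage2 rejected"
```

The actual loop mount is left out because it needs root; the check is the part worth reusing before any such mount.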

Credits

External Links