Difference between revisions of "ALT Linux Rescue"

From Forensics Wiki
m (Forensic issues: none outstanding for BIOS boot?)
m (Credits: +patch)
Line 42: Line 42:
 
== Credits ==
 
== Credits ==
  
* [[User:.FUF]] for [[Forensic Live CD issues]] page and sound advice
+
* [[User:.FUF]] for [[Forensic Live CD issues]] page, sound advice and early userspace patch
  
 
== External Links ==
 
== External Links ==
 
* [http://en.altlinux.org/Rescue Project site] (also available in [http://www.altlinux.org/Rescue Russian])
 
* [http://en.altlinux.org/Rescue Project site] (also available in [http://www.altlinux.org/Rescue Russian])
 
* Part of [http://en.altlinux.org/Regular Regular Builds] based on ALT Linux Sisyphus
 
* Part of [http://en.altlinux.org/Regular Regular Builds] based on ALT Linux Sisyphus
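Review bot: the added Credits line credits [[User:.FUF]] with an "early userspace patch" but does not say what the patch does. The Forensic issues section of this revision names Maxim Suhanov as the contributor of the stage2 squashfs SHA256 check, so a reader cannot tell whether the two refer to the same contribution. Naming the patch in the credit, or linking to it, would remove the ambiguity.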

Revision as of 04:06, 23 April 2014

ALT Linux Rescue
Maintainer: Michael Shigorin
OS: Linux
Genre: Live CD
License: GPL, others
Website: en.altlinux.org/rescue

ALT Linux Rescue is yet another sysadmin's Live CD.

Intro

This weekly-updated image is intended to be a text-only recovery toolchest with some basic forensic capabilities.

It will not activate MDRAID/LVM when booted with the "forensic" keyword (available via a separate isolinux boot target) and will not try to use swap or autodetect/mount filesystems unless explicitly requested; in this mode the mount-system script uses the ro,loop mount options.

A build profile suitable for the ALT Linux mkimage tool is included as .disk/profile.tgz.

Tools included

Most of the usual rescue suspects should be there; biew, chntpw, dc3dd/dcfldd, foremost, john, md5deep, nmap, scalpel, sleuthkit and wipefreespace, to name a few, are available as well.

Platforms

i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot can be left enabled in most cases.

Deliverables

Two separate 32/64-bit hybrid ISO images suitable for direct writing onto USB Flash media (or CD-R by chance).

Forensic issues

Images before 20140423 have no hardening against rootfs spoofing; it is implemented as of today (the stage2 squashfs SHA256 check was contributed by Maxim Suhanov).

MDRAID/LVM2/filesystem/swap activation might occur in images before 20140416 or when booted via the default "Rescue" target. As of 20140416, booting into the specially provided "Forensic mode" skips that (in both early userspace and the final environment), and the provided mount-system script switches to ro,loop mounts.
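One way to confirm after boot that nothing described above was activated, as an added example that is not part of this wiki page or of ALT Linux Rescue itself. All function names are hypothetical; the /proc files read are standard Linux interfaces, and each helper accepts a path so it can also be run against saved copies.

```shell
#!/bin/sh
# Added example (not part of ALT Linux Rescue): check that a live boot left
# evidence disks alone. Each helper reads a /proc file by default; a path
# argument lets it run against saved or constructed copies instead.

# True if the kernel command line carries the bare "forensic" keyword.
forensic_keyword_present() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'forensic'
}

# Names of MD arrays the kernel knows about ("md0 : active raid1 ...").
# /proc/mdstat is absent when the md driver is not loaded: nothing to list.
md_arrays() {
    f=${1:-/proc/mdstat}
    [ ! -r "$f" ] || awk '/^md/ { print $1 }' "$f"
}

# Swap areas in use: every line after the header of /proc/swaps.
active_swaps() { awk 'NR > 1 { print $1 }' "${1:-/proc/swaps}"; }

# Block-device mounts whose option list contains rw.
rw_block_mounts() {
    awk '$1 ~ /^\/dev\// && $4 ~ /(^|,)rw(,|$)/ { print $1 }' "${1:-/proc/mounts}"
}

# Device-mapper nodes; activated LVM volumes appear here as dm-N.
dm_nodes() { awk '$4 ~ /^dm-[0-9]+$/ { print $4 }' "${1:-/proc/partitions}"; }

# Print one finding line and fail if VALUES ($2) is non-empty.
report() {
    [ -z "$2" ] && return 0
    echo "$1: $(echo "$2" | tr '\n' ' ')"
    return 1
}

# Args (all optional): cmdline mdstat swaps mounts partitions.
# Returns 0 only if the keyword is present and nothing was activated.
audit_forensic_boot() {
    rc=0
    forensic_keyword_present "$1" || { echo "cmdline: forensic keyword missing"; rc=1; }
    report "md arrays" "$(md_arrays "$2")" || rc=1
    report "swap in use" "$(active_swaps "$3")" || rc=1
    report "rw block mounts" "$(rw_block_mounts "$4")" || rc=1
    report "device-mapper nodes" "$(dm_nodes "$5")" || rc=1
    return $rc
}
```

Calling `audit_forensic_boot` with no arguments audits the running system; a read-write mount made deliberately by the examiner will also be listed as a finding.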

UEFI users: the hashsum hasn't been propagated to the refind configuration yet, and one has to press F2 twice within the boot manager menu and add the "forensic" keyword to the kernel command line by hand.

Device write blocking hasn't been considered so far.

Credits

External Links