ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

ALT Linux Rescue

From ForensicsWiki
Revision as of 09:46, 23 April 2014 by MShigorin (Talk | contribs) (overall refactoring)

Jump to: navigation, search
ALT Linux Rescue
Maintainer: Michael Shigorin
OS: Linux
Genre: Live CD
License: GPL, others

ALT Linux Rescue is yet another sysadmin's Live CD with some forensic capabilities.


This weekly-updated image is intended to be text-only toolchest for analysis and recovery.

It will not try to use swaps or autodetect/mount filesystems unless requested explicitly.

Forensic mode is available via a separate boot target for BIOS users; UEFI users are asked to press F2 twice within boot manager menu and add "forensic" keyword to kernel commandline by hand as of 20140423. This will skip activating MDRAID/LVM too.

Build profile suitable for ALT Linux mkimage tool is included as .disk/profile.tgz.

Tools included

Most of the usual rescue suspects should be there; biew, chntpw, dc3dd/dcfldd, foremost, john, md5deep, nmap, scalpel, sleuthkit, wipefreespace to name a few are available either.

X11-based software is being considered for an extended version.


i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot might be left enabled in most occasions.


Two separate 32/64-bit hybrid ISO images suitable for direct writing onto USB Flash media (or CD-R by chance).

Forensic issues

Hardening against rootfs spoofing has been implemented as of 20140423 (stage2 squashfs SHA256 check has been contributed by Maxim Suhanov); previous images are vulnerable to ISO9660-on-device containing a squashfs file with predefined name and specially crafted contents.

MDRAID/LVM2/swaps activation might occur with images before 20140416 or when booted via the default "Rescue" target; booting into "Forensic mode" will skip that (for both early userspace and final environment as of 20140416) and switch mount-system script to use ro,loop,noexec mount options (as of 20140423).

Physical device write blocking hasn't been considered so far.


External Links