Grml and Forensics

Using grml for forensic investigations

  1. Use the main boot parameter “forensic”
  2. Clone/save the hard disk using dd, dcfldd or even ewfacquire

Technical Information

You can build your own forensic live system using grml-live. grml-live already provides a GRML_FORENSIC class.

Boot-Parameter

  • “forensic” is a shortcut for “apm=power-off boot=live nomce vga=791 readonly quiet nofstab noraid nolvm noautoconfig noswap raid=noautodetect”

Disk Imaging

A list of imaging tools included in grml:

  • dd - for sure
  • dcfldd
  • ddrescue
  • libewf (open source library including tools for building and restoring EWF images, both EnCase (EWF-E01) and SMART (EWF-S01))
  • sdd
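The imaging step from the two-step procedure above, worked through with dd from the tool list, as an added example that is not part of the grml wiki page. It assumes the system was booted with the “forensic” parameter (so nothing has been mounted read-write), that GNU coreutils dd and sha256sum are available, and it uses a constructed file-backed “disk” in place of a real block device so it runs offline; the function names (acquire_image, image_hash, verify_image, demo) and the log format are this example's own.

```shell
#!/bin/sh
# Added example, not grml's own code: raw acquisition with dd plus a
# SHA-256 check that the image matches the source, written to a log.

# Print the SHA-256 of a file or device (hex digest only).
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the image's current hash equals the recorded one.
verify_image() {
    [ "$(image_hash "$1")" = "$2" ]
}

# acquire_image SOURCE IMAGE LOGFILE
# Copies SOURCE to IMAGE with dd and records both hashes in LOGFILE.
# Returns 0 only when source and image hash identically.
acquire_image() {
    src="$1"; dst="$2"; log="$3"
    printf 'start %s src=%s dst=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" >> "$log"
    # conv=noerror,sync keeps going past unreadable sectors and zero-fills
    # them so offsets in the image stay aligned with the source. bs=512
    # matches the sector size; with conv=sync a larger block size that does
    # not divide the device size would pad the image and the hashes would
    # legitimately differ.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>> "$log" || return 1
    src_hash=$(image_hash "$src")
    dst_hash=$(image_hash "$dst")
    printf 'sha256 source=%s\nsha256 image=%s\n' "$src_hash" "$dst_hash" >> "$log"
    [ "$src_hash" = "$dst_hash" ]
}

# Demo on a constructed sample: a 64 KiB file of random bytes (a multiple
# of 512) stands in for the suspect disk. Returns acquire_image's status.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/source.img" bs=512 count=128 2> /dev/null
    acquire_image "$work/source.img" "$work/evidence.dd" "$work/acquire.log"
    rc=$?
    cat "$work/acquire.log"
    rm -rf "$work"
    return $rc
}

demo && echo "acquisition verified" || echo "hash mismatch: image not verified"
```

On a real system the source would be a device such as /dev/sdX; setting it read-only at the block layer first (util-linux `blockdev --setro`) is an extra safeguard on top of the “forensic” boot parameter, and the recorded hash is what lets the image be re-verified with verify_image at any later point in the investigation.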

Forensic Software

Software   Function       Project Page                                        Licence           Included
libewf     imaging        libewf                                              BSD               Yes
Scalpel    carving        http://www.digitalforensicssolutions.com/Scalpel/   ?                 Yes
Foremost   carving        http://foremost.sourceforge.net/                    GPL               Yes
Autopsy    forensic tool  http://sleuthkit.org/autopsy/index.php              CPL?              Yes
sleuthkit  forensic tool  http://sleuthkit.org/                               CPL?              Yes
afflib     imaging        http://www.afflib.org/index.php                     Berkeley License  Yes

For further details see the TODO list of the Debian Forensic team.

Further Resources

forensic.txt · Last modified: 2009/07/10 08:20 by 85.126.168.131 (mika)