msuhanov/Linux-write-blocker

Which live distribution to trust

Closed this issue · 14 comments

Hello Mr. Suhanov

I know GitHub is not for such a question, but I was not able to find any other channel to contact you. I'm a student and looking for a live distribution to take a forensic image of the internal hard drive of my computer. Since you are a researcher in the field, I wanted to ask you.

I'm well aware of your work in the field (i.e. Linux write blocker), and have read your article named Linux forensics: pitfalls of mounting file systems. I'm also aware of the issues mentioned in the following article: forensic live cd issues.

I would like to make sure the internal hard drive will never be modified in any case during the process. The hard drive includes NTFS and EXT4 partitions.

Considering all the issues in those articles i.e.:

  • mounting of internal media during boot
  • automount of removable media
  • recovery of dirty file systems
  • orphan inode deletion
  • swap space activation
  • RAID, LVM activation
  • root file system spoofing due to Casper
  • incorrect mount policy with rebuildfstab and scanpartitions scripts etc.

among known live distributions, which one do you think is completely forensically sound?

In your article you suggest grml-2009.05, however that version is very old today and now there is another distribution called grml-forensics. And grml-forensics is not free. I'm looking for a free solution. Also Kali 2017.01 claims that it does not modify the internal hard drive here. Have you ever tested this version of the distribution with dirty file systems?

Although I'll take the image with the dd command without mounting the file systems on the internal drive, I expect the candidate live distribution to include your kernel patch. I may need to utilize read-only access.

I also wonder if it makes a difference in forensic soundness if I boot the live distribution from a USB pen drive rather than a CD/DVD drive.

I'm looking forward to your help.

Regards

Try Grml 2017.05. This distribution is free (you don't have to pay), it also includes the kernel patch and necessary scripts (just select the forensic mode in the boot loader).

> Also Kali 2017.01 claims that it does not modify the internal hard drive here.

Don't trust these claims. Kali and BackTrack never were forensically sound. For example, a normal release of Kali 2017.1 will automatically activate LVM volumes during the boot, thus triggering their synchronization, if required.

> I also wonder if it creates a difference in forensic soundness if I boot the live distribution from USB pen drive rather than CD-DVD drive.

Yes, the type of a boot device can create a difference. The process of booting an operating system from a CD/DVD, or a USB Flash drive, or a USB HDD/SSD (a drive in an enclosure) may rely on different execution paths. I can demonstrate that Kali 2017.1 is automatically mounting a file system on an internal drive when running from a USB HDD, while keeping this file system intact when running from a CD.
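As an added illustration (not code from this thread or from the Linux-write-blocker repository), a POSIX shell audit that checks a booted live environment for the pitfalls listed above by parsing `/proc/mounts` and `/proc/swaps` text; the device names and sample input are constructed for the example.

```shell
#!/bin/sh
# Audit a live-booted system for evidence disks that were mounted or
# swapped on during boot. Text is passed in as arguments so the checks
# can be run against constructed samples as well as the real /proc files.

# Print every /proc/mounts line whose source device lives on one of the
# evidence disks in $2 (space-separated base names, e.g. "sda nvme0n1").
# Any hit is a finding: even a read-only mount can replay a dirty journal.
mounted_evidence() {
    mounts="$1"; disks="$2"
    printf '%s\n' "$mounts" | while read -r src mnt fstype opts rest; do
        for d in $disks; do
            case "$src" in
                /dev/"$d"|/dev/"$d"[0-9]*|/dev/"$d"p[0-9]*)
                    printf '%s %s %s %s\n' "$src" "$mnt" "$fstype" "$opts" ;;
            esac
        done
    done
}

# Print every /proc/swaps entry (header skipped) that lives on an evidence
# disk: swap activation writes to the partition.
swap_on_evidence() {
    swaps="$1"; disks="$2"
    printf '%s\n' "$swaps" | tail -n +2 | while read -r dev type size used prio; do
        for d in $disks; do
            case "$dev" in /dev/"$d"*) printf '%s\n' "$dev" ;; esac
        done
    done
}

# Verdict: exit 0 only when nothing from the evidence disks is in use.
# $1 = mounts text, $2 = swaps text, $3 = evidence disk names.
audit() {
    m=$(mounted_evidence "$1" "$3"); s=$(swap_on_evidence "$2" "$3")
    [ -n "$m" ] && printf 'MOUNTED:\n%s\n' "$m"
    [ -n "$s" ] && printf 'SWAP:\n%s\n' "$s"
    [ -z "$m" ] && [ -z "$s" ]
}

# Live usage (evidence disk name is an assumption, adjust to your machine):
#   audit "$(cat /proc/mounts)" "$(cat /proc/swaps)" "sda"
# Complement it with: cat /proc/mdstat; dmsetup ls; blockdev --getro /dev/sda
# to see RAID/LVM activation and the write-blocker state, which this script
# cannot infer from mounts alone.
```

The script only sees activated RAID/LVM volumes once they are mounted, so the complementary commands in the trailing comment are needed for the LVM synchronization case mentioned above.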

Thank you so much for your help.

Your work is very valuable and your patch should have already been included in the Linux kernel. I have a few more questions that I think will also be helpful for those who are in my position but are lucky to be reading this post.

I do really wonder what the difference is in using Grml-Forensic and Grml 2017.05 in forensic mode.
Here they explain Grml-Forensic is based on Grml, but not a fork of it. Knowing that, is it safe to assume both are actually utilizing the same forensic measures but Grml-Forensic is not free only because of its support service?

> Yes, the type of a boot device can create a difference. The process of booting an operating system from a CD/DVD, or a USB Flash drive, or a USB HDD/SSD (a drive in an enclosure) may rely on different execution paths.

That makes my concern valid. What about Grml 2017.05? Does it make a difference if I boot it from a USB flash drive?

> I do really wonder what the difference is in using Grml-Forensic and Grml 2017.05 in forensic mode.
> Here they explain Grml-Forensic is based on Grml, but not a fork of it. Knowing that, is it safe to assume both are actually utilizing same forensic measures but Grml-Forensic is not free only because of its support service ?

I guess it's better to address this question to @mika.

> That makes my concern valid. What about Grml 2017.05 ? Does it make difference if I boot it from USB flash drive ?

Grml, as well as many other Debian-based operating systems, may try to mount (and probe) different sets of block devices (in order to locate the boot drive during the initramfs stage of the boot process) depending on the type of the boot drive. However, some measures have been implemented in Grml to make this process forensically sound.

I guess it's better to address this question to @mika.

Thank you for your guidance.

You may already know, but you are also mentioned in this book. Interestingly, the book lists Kali, DEFT, CAINE and Pentoo for forensics but not Grml. The book also states that DEFT includes your patch. And I checked: DEFT has dc3dd but Grml does not.

How sound is DEFT Zero 2017.1 compared to Grml?

> How sound DEFT Zero 2017.1 is compared to Grml ?

Unfortunately, I didn't have enough time to thoroughly test this version of DEFT Zero.

Hello Mr. Suhanov,

After a year, I have one more question. I hope you will bring an insight about this one too.

Grml 2017.05 uses systemd. Due to some concerns, I do not want to use systemd on any of my machines. It seems Grml 2014.11 does not use systemd. With all the concerning issues about forensic soundness discussed previously, is using Grml 2014.11 fully forensically sound like using Grml 2017.05? If it is, does Grml 2014.11 include your kernel patch?

Thank you!

> If it is, does Grml 2014.11 include your kernel patch ?

Yes. You can always try to validate a distribution using the test images available in this repository.

I wanted to download Grml 2014.11 but could not find it on Grml's website. Only 2017.05 and 2018.12 are available on the Older releases page (http://ftp.halifax.rwth-aachen.de/grml//).

I asked Mr. Michael Prokop about it via e-mail but did not get any reply.
Do you know any way to download it anymore?
A way in which I can verify grml 2014.11 with hashes and the GPG signature of Michael Prokop is much appreciated.

Kind regards.

Try this: http://linuxfreedom.com/grml/download.html

My copy (downloaded from an official mirror before) has the following MD5 hash:

51ca23d8335732150f31c021eafc6513 grml64-full_2014.11.iso

mika commented

I can confirm that this matches the checksum of the official Grml ISO.

@msuhanov thank you for the website (http://linuxfreedom.com/grml/download.html) and the MD5 hash. But it seems Grml 2014.11 has been removed from that website too. They are now offering only 2018.12 there. Is there any other source you know of?

@mika thank you for your confirmation. Is there any chance that you could include 2014.11 in Grml's official mirrors? Not only is systemd an issue, but also the size of grml64-full_2014.11 is 460M, which is nicer than the 1.81G of 2018.12.

http://archive.grml.org/

If that doesn't work, I can upload the image to a file sharing service.

This is heaven. Was this address a secret?

mika commented

@charlesneal123 it's not really a secret, but we don't officially announce this URL as it's not mirrored and is costing us traffic (and we also prefer our users to use the latest stable releases, as the releases on archive.grml.org are unsupported).