Is Linux a superior forensics platform?

View Poll Results: Which do you prefer?

11 voters
  • KDE: 6 (54.55%)
  • Gnome: 3 (27.27%)
  • I love both: 2 (18.18%)
  • Other (please specify!): 0 (0%)

  1. #1
    Computer Forensics (Join Date: Jul 2001, Posts: 672)

    Is Linux a superior forensics platform?

    So I just recently went out and purchased two terabytes of disks and spent around $2000 in software and hardware and I got to thinking...what the hell am I doing?

    For a few years now, I've been doing forensics work on the Linux platform exclusively. I've been using Helix and my own workstation running Red Hat that I put together to handle multiple disk types.

    Linux supports virtually every file system type, can mount a disk read only without modifying mactimes, and it has virtually every tool necessary built in to it.

    Hexeditor
    debugger
    Free virus scanning that's generally speaking..better than commercial software.
    Binary/hex/dec converters
    compilers
    perl
    dd
    hashing
    time retrieval
    network monitoring
    and the list goes on...

    and any other tool you need to look at a disk is provided by Brian Carrier's hard work creating TSK.

    I spent $2k on FTK and Winhex(forensics version), a few disk mounting programs and a couple of hardware write blockers.
    My question is, who the hell in their right mind would choose to do forensics on a single-minded operating system that has to have all these extras just to be able to do something simple like mount a DD image that's stored on an EXT3 disk, let alone analyze that image?

    I think my next purchase will be ASR Data's SMART..because to be honest, windows is a piece of **** when it comes to forensics work.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  2. #2
    nihil, Super Moderator: GMT Zone (Join Date: Jul 2003, Location: United Kingdom: Bridlington, Posts: 17,190)
    Hmmm,

        because to be honest, windows is a piece of **** when it comes to forensics work.

    Isn't that a bit like comparing COBOL to ALGOL?

    Remember, Windows is purely commercial and $$$$$ driven. It is the OS of the masses, many of whom would not even understand forensics, let alone be prepared to pay?

    Just a thought
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Banned (Join Date: Jul 2005, Posts: 511)
    Personally, I think FreeBSD might also be a very good option. It's Unix but not Linux. I think the FreeBSD kernel is a bit more reliable than the Linux kernel, although with Linux it strongly depends on which version you like to use. (SuSE, RedHat, etc.)

  4. #4
    Frustrated Mad Scientist (Join Date: Dec 2004, Posts: 1,152)
    I'm going to an introduction to forensics day on the 20th. He asked for any additional topics and I asked him to do some comparisons between Helix and the commercial software, EnCase etc. It'll be interesting to see what he says.

    I don't know if you can add to the polling options but it would be interesting to see how many people out-source forensics rather than do it in house.

    I know we out-source forensics in everything that is likely to come to court just because we lack the skills and equipment within the organisation. We would only carry out simple investigations internally.

  5. #5
    Computer Forensics (Join Date: Jul 2001, Posts: 672)
    Originally posted here by nihil
        Hmmm,

        Isn't that a bit like comparing COBOL to ALGOL?

        Remember, Windows is purely commercial and $$$$$ driven. It is the OS of the masses, many of whom would not even understand forensics, let alone be prepared to pay?

        Just a thought

    Something like that..

    Yes windows is purely commercial, but for places like government and law enforcement that claim they lack funding..how can they justify all these windows programs to perform such a simple task like mounting a disk partition?
    I understand that windows is commercial, and encase is commercial etc., but just because it's commercial doesn't mean it's the best or even good (in the case of windows).

    POLL modified..

    And at this point in time, I can see that the windows utilities are polished and clean and make everything pretty, but that doesn't excuse the operating system from sucking for this purpose.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  6. #6
    zencoder, AO Senior Cow-beller, Moderator (Join Date: Dec 2004, Location: Mountain standard tribe., Posts: 1,177)
    Originally posted here by Katja
        Personally, I think FreeBSD might also be a very good option. It's Unix but not Linux. I think the FreeBSD kernel is a bit more reliable than the Linux kernel, although with Linux it strongly depends on which version you like to use. (SuSE, RedHat, etc.)
    What is different about the kernel from SuSE, RedHat, Debian, etc.? They are all still Linux...because it's Linux solely BECAUSE of the kernel; if you use the Hurd kernel, it's no longer Linux (however, I'm not a zealot that demands we use "GNU/Linux").

    If you mean all the extras that get compiled into each distro's default kernel, then yes, there is a difference. How that impacts forensic work, I don't know. I don't know many people who would (seriously) use a default kernel (generic distro) on a forensic capture and examination platform. The requirements for making a platform and processing data on it with documented integrity that will stand up to cross-examination are not to be balked at.

    That's part of why platforms like Helix and Auditor (yes MsM, I've been won over...Auditor is a valuable tool! :grin:) are tailored towards specific uses.

    hogfly, what about Encase from the guys at Guidance Software? It's been a long time since I touched their stuff (I was using Encase in the mid 90's)...is it *still* windows based? I know it's the darling child of the commercial mags and such. Unfortunately, I don't do enough forensic work anymore to be up-to-date on this stuff. Mostly, I play around with finding a few things on a quicky search (nothing for criminal or administrative purposes...just lost files, where has the subject been surfing, etc.)
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #7
    Computer Forensics (Join Date: Jul 2001, Posts: 672)
    ZenCoder: Yeah, funny thing about Encase and Guidance Software..it was stolen from ASR Data, the makers of SMART. They have a link to one of the court orders on their website.

    BSD contains the only version of DD that will read an odd number of sectors on a disk (at least the last time I looked in to it). That's a one-up in my book.

    Encase is a good tool, but it is only windows based.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  8. #8
    Senior Member (Join Date: Mar 2004, Posts: 113)
    I feel Linux is better; I realized that while working on HPA/DCO. Just that Linux has some built in features that will detect HPA. Also, there is an interesting case: if you create an HPA on the disk such that the size is in KB, then some versions of Windows won't detect it; even if it does, the size will be 0MB and the tools that can run on Windows might not detect that there is a HDD. On the Linux platform, although the size will be shown as 0, TSK can easily detect and reset the HPA. Also, once the investigator finds out that there is an HPA on the disk, he can easily reset it back.

    So the idea here is to find out whether there is any HPA or not.

    MRG.
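The HPA check described in the post above comes down to one comparison: the number of sectors the drive currently reports against the drive's native maximum. The script below is an added example, not code from the thread or from TSK; it parses a constructed "max sectors = CURRENT/NATIVE" line in the style of hdparm -N output (the format is an assumption) and reports how many sectors are hidden.

```shell
#!/bin/sh
# Added example (not from the thread): detect a Host Protected Area by comparing
# the currently addressable sector count with the native maximum. When the
# native maximum is larger, the difference is the hidden area. The input format
# is an assumption modelled on the "max sectors = CURRENT/NATIVE" line hdparm -N prints.

# Parse "max sectors = 1000/2000" style text from stdin; print "<current> <native>".
parse_max_sectors() {
    sed -n 's/.*max sectors *= *\([0-9][0-9]*\)\/\([0-9][0-9]*\).*/\1 \2/p'
}

# Given current and native sector counts, print the number of hidden sectors
# (0 when no HPA is set).
hpa_sectors() {
    current="$1"; native="$2"
    if [ "$native" -gt "$current" ]; then
        echo $((native - current))
    else
        echo 0
    fi
}

# Report on one drive's hdparm-style line. Returns 1 when an HPA is present,
# 2 when the line could not be parsed, 0 when the full drive is addressable.
hpa_report() {
    set -- $(printf '%s\n' "$1" | parse_max_sectors)
    [ $# -eq 2 ] || { echo "unparsed input"; return 2; }
    hidden=$(hpa_sectors "$1" "$2")
    if [ "$hidden" -gt 0 ]; then
        echo "HPA present: $hidden sectors hidden ($((hidden / 2048)) MiB at 512-byte sectors)"
        return 1
    fi
    echo "no HPA: $1 sectors addressable"
}

# Constructed sample lines (not captured from a real drive).
SAMPLE_HPA=" max sectors   = 1953523055/1953525168, HPA is enabled"
SAMPLE_NONE=" max sectors   = 1953525168/1953525168, HPA is disabled"

hpa_report "$SAMPLE_HPA"
hpa_report "$SAMPLE_NONE"
```

The same arithmetic catches the small-HPA case the post mentions: a 2113-sector HPA is only about 1 MiB, which a tool that rounds to whole megabytes would show as 0, but the sector-level difference is still non-zero. Documenting the current and native values before any reset is what lets the examination be reproduced later.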

  9. #9
    576869746568617, Yes, that's my CC number! (Join Date: Dec 2003, Location: Earth, Posts: 397)
    Maybe I'm old, but I still use F.I.R.E. - Forensic Incident Response Engine. It's basically a custom implementation of Linux with all the forensic tools you could need that run from a CD or DVD and a RAM Drive. Works well, and is sanitary.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  10. #10
    Computer Forensics (Join Date: Jul 2001, Posts: 672)
    Just to keep everyone thinking about this...I've done some calculations...

    Take the following for example:
    A first responder walks in to an incident scene, and, using Helix grabs a DD image of the system disk off of a windows 2003 server. A SHA1sum is taken of the source and final disk image. The disk storing the image is formatted as EXT3.

    The disk is then delivered to the investigator.

    In order for an investigator to conduct a sound investigation on this image the following is required:
    Windows XP Professional: $199
    WinHex $459
    Mount-Everything Professional - $150
    Access Data FTK -$1000
    Mount image Pro -$279
    Digital Intel Write blocker - let's call it $250 for the sake of simplicity.

    In order to mount a dd image for FTK to get a file listing, this is what it takes.
    Mount-everything -sees the EXT3
    Mount image pro - Mounts the dd image

    Total cost of tools to investigate this disk: $2337

    Now let's look at an alternative...

    RedHat Linux Enterprise Workstation - $179
    PYFlag - FREE
    Sleuthkit - FREE
    Autopsy - FREE
    khexedit - FREE
    Regviewer - FREE
    Mounting a disk image?
    mount -o loop,ro,nodev,noatime,noexec /path/to/image /mount/point

    Total cost of tools to investigate this disk: $179 (this is not even accurate because no one said you had to use RH enterprise)


    Granted, the windows tools have been heavily refined to automate the tasks involved in investigations, but the principal issue I struggle with, is why use a single minded, inferior operating system to do forensics? Why are programs like encase and FTK made only for windows, when the core operating system does nothing but hamper an investigation?
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
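The workflow laid out in the post above (and the read-only mounting point made in the opening post) can be scripted so that the hash check and the mount options are not left to memory. The script below is an added example, not code from the thread or from any of the tools it names; it assumes a sha1sum or shasum binary is installed, and the image path, mount point and sample image bytes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify a dd image against the SHA-1 the
# first responder recorded, both before and after examination, and build the
# read-only loop mount line from the post. All paths below are placeholders.

# Print the SHA-1 of a file, using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# Compare an image against the hash recorded at acquisition.
# Returns 0 on match, 1 on mismatch.
verify_image() {
    image="$1"; expected="$2"
    actual=$(sha1_of "$image")
    [ "$actual" = "$expected" ]
}

# Build the mount command for a raw image. 'ro' refuses writes through the
# mount, 'noatime' avoids access-time updates, 'nodev' and 'noexec' keep
# evidence files from being treated as devices or run. An optional third
# argument is a byte offset (the 'offset=' loop option) for a partition
# inside a whole-disk image.
mount_cmd() {
    opts="loop,ro,nodev,noatime,noexec"
    [ -n "${3:-}" ] && opts="$opts,offset=$3"
    printf 'mount -o %s %s %s\n' "$opts" "$1" "$2"
}

# Demo with a constructed image file (not real evidence).
demo() {
    tmp=$(mktemp -d)
    img="$tmp/evidence.dd"
    printf 'constructed sample image bytes\n' > "$img"
    expected=$(sha1_of "$img")               # value the responder would record
    verify_image "$img" "$expected" && echo "hash matches before examination"
    mount_cmd "$img" /mnt/evidence           # printed, not executed, in the demo
    verify_image "$img" "$expected" && echo "hash matches after examination"
    rm -rf "$tmp"
}

demo
```

The second hash check is the part worth keeping: a read-only mount is the intent, but some journaled filesystems replay their journal even on a ro mount (ext3 needs the noload option to skip that), so re-hashing after the work is what actually demonstrates the image is unchanged.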
