Originally posted here by Katja
Personally, I think FreeBSD might also be a very good option. It's Unix but not Linux. I think the FreeBSD kernel is a bit more reliable than the Linux kernel, although with Linux it strongly depends on which version you like to use. (SuSE, RedHat, etc.)
What is different about the kernel from SuSE, RedHat, Debian, etc.? They are all still Linux...because it's Linux solely BECAUSE of the kernel; if you use the Hurd kernel, it's no longer Linux (however, I'm not a zealot that demands we use "GNU/Linux").

If you mean all the extras that get compiled into each distro's default kernel, then yes, there is a difference. How that impacts forensic work, I don't know. I don't know many people who would (seriously) use a default kernel (generic distro) on a forensic capture and examination platform. The requirements for making a platform and processing data on it with documented integrity that will stand up to cross-examination are not to be balked at.

That's part of why platforms like Helix and Auditor (yes MsM, I've been won over...Auditor is a valuable tool! :grin) are tailored towards specific uses.

hogfly, what about EnCase from the guys at Guidance Software? It's been a long time since I touched their stuff (I was using EnCase in the mid 90's)...is it *still* Windows based? I know it's the darling child of the commercial mags and such. Unfortunately, I don't do enough forensic work anymore to be up-to-date on this stuff. Mostly, I play around with finding a few things on a quick search (nothing for criminal or administrative purposes...just lost files, where has the subject been surfing, etc.)