Linux forensics - Introduction

Updated: February 22, 2009

Most of the time, we do not really care about our computers. They are a means to an end, or many ends. Games, Internet, work, you name it. When everything works, the PC is a somewhat noisy beast that lets us do what we want - most of the time. But what happens when something goes wrong?

Suddenly, your machine won't boot. Suddenly, you have managed to contract malware. Your hard disk is misbehaving, your partitions are gone, your files are gone. These kinds of disasters are all too common. Unfortunately, very few people think about them, let alone prepare for them.

Don't be one of them ...

You can avoid - or at the very least, minimize - risks and damage by exercising a continuous, proactive approach to integrity and security. It begins with the very basic concepts of data backup and simple desktop maintenance and extends beyond disasters into evidence collection and analysis, incident reporting, vulnerability discovery and patching, and damage control.

In this series of articles, we will talk about specialized Linux distributions that are particularly suited for these kinds of tasks: incident response, data recovery, security audits, and investigation of system failures. In a word, we will talk about forensics-oriented distributions.

Today, we will just introduce the topic. In the follow-up articles, we will review several highly useful, dedicated forensics Linux distributions.

So, before you start ...

There are some things you need to know.

First, you can custom-build your own set of utilities for the task - for example, run Ubuntu, load it with goodies and then create a bootable image with Remastersys - however, you might as well rely on security professionals to do the job for you. Let them create the tools; you use them.

Second, analyzing and fixing system failures and security breaches takes a bit of knowledge. Therefore, if you're not really familiar with system internals, either Linux, Windows or both, you might not be able to fully utilize the power of tools presented here. Still, it does not hurt to be aware of them and have them handy, in case of a disaster.

Third, forensics of the kind we are talking about here is a second or even third level of response. There's much you can do before turning to heavy-duty hacking. Thus, enter the must-have toolbox for any security-conscious (Linux) user:

Must-have toolbox

The tools listed below should always be within your reach. Most of them come as individual live CDs, so you should carry a pouch with you. If you're extra-geeky, you might even use them from bootable USB drives. Whatever the case, you should have them ready for instant use, whether you're at home, work, a friend's place, or traveling abroad.

In no particular order:

SystemRescueCD

This is a live CD specifically geared toward rescue and recovery. The tools package includes some of the most important tools available for Linux users, like GParted, PartImage, Grub, Lilo, sfdisk, TestDisk, and more.

PartImage

PartImage is a powerful, friendly disk/partition imaging program that lets you quickly and easily back up and restore entire disks or individual partitions, including the Windows NTFS filesystem. You can learn more about how to use PartImage in my tutorial: Free imaging software - CloneZilla & PartImage - Tutorial. PartImage is included with the SystemRescueCD.

CloneZilla

Speaking of imaging software, CloneZilla is another powerful candidate for disk/partition backup and recovery; see the tutorial above.

TestDisk

Another extremely important tool is TestDisk. It allows you to recover lost partitions, make non-bootable disks bootable again, and restore deleted files. It is one of the most effective and powerful utilities around. When everything else fails, TestDisk won't. TestDisk is included with the SystemRescueCD.

Super Grub Disk

Super Grub Disk is intended to run from a floppy disk or CD and is used for system rescue. Most importantly, it can be used to restore boot loaders, including GRUB, LILO and even the Windows boot loader.

Other tools ...

Even though this article is geared toward Linux users, there's a fair chance they will be called upon to act on behalf of a Windows friend in need, in which case they should be familiar with Windows tools as well. The best choice for Windows is:

Ultimate Boot CD for Windows

This is one of the most important tools a Windows user can have. It is a complete bootable Windows kernel, packaged with tens of useful utilities in a range of categories.

Among offered tools are 7-Zip, a43, Ad-Aware SE, Agent Ransack, AVPersonal, BGInfo, CPU Bench, CWShredder, DeepBurner, Dirms, Disk Copy, Disk Image, Disk Wipe, Eraser, ERUNT, Explore2fs, ExplorerXP, File Recovery, FileZilla, Firefox, Floppy Repair, Foxit Reader, freeCommander, Free Undelete, HD Cleaner, HDTune, HijackThis, IPScan, IZArc, MaxBlast, MemTest, MbrFix, MBRWiz, Notepad++, Opera, P95, PasswordPro, PDF Reader, Popcorn, PPPOEXP, Putty, R-Linux, RecoveryManager, RegCleaner, Scribe, SmallCD, Stinger, SuperAntiSpyware, Sysclean, UltraVNC, xplorer2, WinDLG, and many more.

You should also read the UBCD4WIN articles:

How to create a bootable live Windows CD

Ultimate Boot CD for Windows (UBCD4WIN) just gets better and better

Furthermore, for more details about a wide range of programs of all kinds, please see:

A (sweet) collection of Windows programs

A (cool) list of Linux tools

OK, now we're ready. We have a basic understanding of what forensics really means, compared to serious housekeeping. We also have our must-have toolkit ready. So be patient for a day or two. The first review is coming soon. The distribution? Helix.