Hello, i am sorry for the newb question but i was wondering if it does or not? thanks
Printable View
Hello, i am sorry for the newb question but i was wondering if it does or not? thanks
It can run without accessing the hard drive. What are you concerned about exactly?
when I run my (almost persistant) usb-BT it can see the laptops harddrive, and access files on it.
But other than that I do not think it will touch enything without you telling it to do so.
it will mount and use any linux swap partitions that it can find on your hard disk drives unless you boot into forensic mode.
It access your other partitions (read only) when it is trying to locate filesystem.squashfs.
If you have any ext3, ext4, or ntfs filesystems that weren't cleanly unmounted, it might reapply the journal even in forensics mode. There might be a fix for this soon.
That was actually a question I had. When you boot Backtrack in forensic mode does it overwrite the memory stored in RAM?Quote:
Originally Posted by whitelisted
well, it depends on you, what you want it to do.You can access HDD by mounting its partitions etc, or when you install BackTrack then obviously you access HDD as well.
That's not actually the same question (swap partitions are on disk not in memory), but yes, loading BackTrack will overwrite at least some of the contents of your memory. BackTrack requires memory to operate, so it has to. Operating Systems that are used to copy the contents of physical RAM (such as in a cold boot style attack) will usually be extremely small in order to minimise the amount of memory overwritten, but even they will overwrite some memory. BackTrack is not extremely small, and was not designed for that particular application.Quote:
Originally Posted by Kitten
AFAIK, BackTrack 4 Final release removed all ext3/4, ntfs kernel modules from initrd image, so BackTrack would not recover these damaged file systems. However, this didn't fix a more serious bug that may result in wiping the whole drive when booting :)Quote:
Originally Posted by whitelisted
AFAIK, BackTrack 4 Final removed all ext3/4, ntfs kernel modules from initrd. So BackTrack will no longer recover these file systems during the boot.Quote:
Originally Posted by whitelisted
- boot from the live image
- hit [down] twice to select forensics mode from the boot menu
- hit [e] to edit the boot parameters
- hit [e] again to edit the kernel line
- add the argument "break=bottom" to the boot parameters
- hit [enter]
- hit [b] to boot using the modified boot parameters
You should eventually find yourself at a prompt reading "(initramfs)". This is a bash shell located in the initramfs miniroot just before /proc, /dev, and /sys are remounted onto /root, which will eventually become your root filesystem.
Looks like the kernel has them compiled in statically.Code:(initramfs) egrep '(ntfs|ext[234])' /proc/filesystems
ext3
ext2
ext4
ext4dev
ntfs
(initramfs) /root/bin/lsmod | egrep '(ntfs|ext[234])'
(initramfs) gunzip -c /proc/config.gz | egrep -i '(ntfs|ext[34])'
CONFIG_EXT3_FS=y
# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS=y
CONFIG_EXT4DEV_COMPAT=y
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_POSIX_ACL=y
# CONFIG_EXT4_FS_SECURITY is not set
CONFIG_NTFS_FS=y
# CONFIG_NTFS_DEBUG is not set
# CONFIG_NTFS_RW is not set
(initramfs)