Thread: Forensic mode suggestions


    This is more a feature request than a tool request, but I figure this is the most appropriate forum.

    [First, note that I haven't been able to use BackTrack 4 yet. Feel free to flame me if you already implemented any of these suggestions!]

    The current BackTrack forensic mode (not mounting any partitions) should be sufficient for imaging purposes. But several changes could be made to give users more confidence that data won't be altered when partitions are mounted (read-only) for examination/preview purposes.

    Take a look at this paper, which has the results of some research into various "forensic" Linux boot CDs:
    http://www.denisfrati.it/pdf/Linux_f...estigators.pdf

    Following from that, there are several ways in which the forensic mode of Backtrack could be improved, i.e. made "more secure" against accidental writes:

    - Configure the kernel (and udev or whatever) to create all device files (/dev/sdX and /dev/sdXn) as read-only. Then the user must explicitly do e.g. "blockdev --setrw /dev/sda1" before being able to mount a partition read/write. It's all too easy to mount a partition, even with the ro option, and have the filesystem write to disk despite that. Not to mention the possibility of forgetting to specify ro when mounting...

    - Change default mount options for all filesystems to ro,noatime, and for journalling filesystems (ext3/4, XFS, NTFS, ...) default to mounting without journal replay/recovery.

    Unfortunately, the default behaviour when mounting a journalled filesystem ro is to replay the journal (i.e. write to disk). Different filesystems have different names for their "don't replay the journal" mount option. For ext3/4 it is noload, for XFS norecovery, and for NTFS-3G norecover.

    Unless the underlying block device is read-only, you're still trusting the filesystem code not to write to disk, which is not wise given various filesystems' lack of respect for the ro option, and the possibility of bugs. (Witness the recent kernel fix: "ext4: Don't update superblock write time when filesystem is read-only".)

    - Modify the KDE desktop environment to mount partitions read-only using the loopback device. In other words, KDE would do something like this when mounting /dev/sda1 (say):
    losetup -r /dev/loop1 /dev/sda1
    mount -o ro,noatime,noload /dev/loop1 /media/test

    [Question: is doing
    mount -o ro,noatime,loop,noload /dev/sda1 /media/test
    equivalent to the above two commands; does the ro mount option imply losetup is called with -r?]

    Then you would have another layer of security against inadvertent writes: /dev/sda1 will be read-only (if the first suggestion is implemented), /dev/loop1 is read-only, and the read-only mount options. In fact, with that you could safely add another boot option to the Backtrack menu: forensic mode with auto-mounting, or at least easy mounting via the KDE desktop.

    Finally, for more security, publish a patch (maybe a simple one-byte change?) to the BT4 ISO which changes the default boot menu option to forensic mode. Users who want to eliminate the possibility of accidentally booting in non-forensic mode could patch the downloaded ISO before writing it to disc. (Example: power cut or crash when user is away from system, system reboots and starts BackTrack in normal mode after menu timeout.)
    Last edited by Donuts; 01-15-2010 at 04:23 AM. Reason: Removed couple of stray words
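The three layers the post asks for (read-only block device, read-only loop device, read-only mount with journal replay disabled) can be combined in one small shell wrapper. This is an added example, not BackTrack code and not the poster's own script; it assumes util-linux blockdev/losetup/mount and a kernel with the loop driver, uses the explicit two-step losetup/mount form rather than the loop mount option, and treats /dev/sda1, /dev/loop1 and /media/test as placeholder names. It also adds the check a practitioner would want: after blockdev --setro it reads the flag back with blockdev --getro and refuses to go on if the device is still writable.

```shell
#!/bin/sh
# Added example (not BackTrack's own code). Device and mountpoint names are
# placeholders; run the real mount as root on a write-blocked evidence disk only.

# Map a filesystem type to the "don't replay the journal" option the post lists:
# ext3/ext4 -> noload, XFS -> norecovery, NTFS-3G -> norecover. Filesystems with
# no journal (vfat, ext2, ...) get only ro,noatime.
ro_mount_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noatime,noload" ;;
        xfs)       echo "ro,noatime,norecovery" ;;
        ntfs-3g)   echo "ro,noatime,norecover" ;;
        *)         echo "ro,noatime" ;;
    esac
}

# Print the command sequence without executing it, so the plan can be reviewed
# (and tested) on a workstation that does not have the evidence disk attached.
# Arguments: device fstype mountpoint [loopdev]
forensic_mount_plan() {
    dev="$1"; fstype="$2"; mnt="$3"; loopdev="${4:-/dev/loop1}"
    opts=$(ro_mount_opts "$fstype")
    printf '%s\n' \
        "blockdev --setro $dev" \
        "losetup -r $loopdev $dev" \
        "mount -t $fstype -o $opts $loopdev $mnt"
}

# Execute the plan. Each layer is verified or the function stops:
#  1. mark the partition's block device read-only and read the flag back
#     (blockdev --getro prints 1 when the device is read-only),
#  2. attach a read-only loop device on top of it,
#  3. mount with ro,noatime and the filesystem's no-journal-replay option.
forensic_mount() {
    dev="$1"; fstype="$2"; mnt="$3"; loopdev="${4:-/dev/loop1}"
    blockdev --setro "$dev" || return 1
    if [ "$(blockdev --getro "$dev")" != "1" ]; then
        echo "refusing to continue: $dev is still writable" >&2
        return 1
    fi
    losetup -r "$loopdev" "$dev" || return 1
    mkdir -p "$mnt"
    mount -t "$fstype" -o "$(ro_mount_opts "$fstype")" "$loopdev" "$mnt"
}
```

Usage: `forensic_mount_plan /dev/sda1 ext4 /media/test` prints the three commands for review; `forensic_mount /dev/sda1 ext4 /media/test` runs them as root. Undo with `umount /media/test` followed by `losetup -d /dev/loop1`; the partition stays read-only until someone explicitly runs `blockdev --setrw`, which is exactly the default the post argues for.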
