[Grml] Forensic use of grml
Michael Prokop
mika at grml.org
Mon Sep 18 17:30:06 CEST 2006
* Ralf Moll <ralf-info at family-moll.de> [20060918 14:15]:
> I'm a German police officer and sick of all the boot-CDs around. I want
> to build a boot-CD / PXE image for me and other people around based on
> grml because I like shell and Debian / Ubuntu.
Great. :)
> Currently I'm using a customized HELIX CD
> * http://e-fense.com/helix/
> which is quite ok but "difficult" to customize.
> My plans are building ONE grml with the forensic tools I need or (which
> would be better) include all tools in the official grml-cd.
Ok.
> I need a CD for booting outside our lab and a pxe-version inside our lab.
> The pxe-part rocks already.
Great. :)
I hope you already know grml-terminalserver. :) If you don't use
grml-terminalserver, the grml_netboot_package might be interesting
for you; take a look at
http://wiki.grml.org/doku.php?id=terminalserver
> So here are the things I need to include:
> * libewf - Free tool to create and write back EnCase-Images
> * https://www.uitwisselplatform.nl/projects/libewf/
I don't see any problems in adding this to main grml (it's available
under the BSD license).
I just created a preliminary libewf-20060820_1-1_i386.deb package.
I'll improve some minor stuff and the final package should be
available within the next few hours/days via the grml-repository.
So the next devel-release (see http://grml.org/beta-tester/ for
details) will very probably contain this software already.
> * A.I.R. Cloning HDs for Mausschubser (mouse-pushers) ;)
> * http://air-imager.sourceforge.net/
GPL, that's fine. But it has an absolutely braindead and even
broken install script (install-air-1.2.8, 165K) and depends on
perl-tk, which would need ~10MB of additional space on grml. :(
So the easiest way to run AIR is a short shellscript like
http://grml.org/tmp/get-air which does the job. I'll add a shell
function named getair (like getskype, getgizmo, get_tw_cli,... we
already have) so it's easy to install on demand.
Is there any other software you use for your forensic work and which
should become part of grml?
> Additionally it would be cool to add special hot-plug scripts for HDs:
> if there is a special id-file / volume-name, automatically mount the HD
> as /media/destination-hd for faster HD cloning.
The current devel-release (grml 0.8-1) already provides support for
fs-labels, so you will only have to run 'mount /mnt/$LABEL' to mount
the partition containing a filesystem labelled $LABEL. (The release is
available for beta-testers; if you are interested in testing just
let me know and I'll give you access to the ISO.)
> So, how can I do this and is there someone around who wants to help me?
Sure. :)
> First of all one question:
> how can I add an additional dir to the CD for running e.g. libewf if I
> boot the "normal" grml v0.8 via PXE / NFS?
> Or can I place the unzipped ISO-Content in a NFS-Share and do there all
> the modifications I need?
Installing the package on the NFS server makes it visible to the
NFS client. :)
If you want to install additional software either install the
software manually, use the configuration framework (see
http://grml.org/config/ - you can run your own scripts this way) or
remaster grml (http://wiki.grml.org/doku.php?id=remastering +
http://grml.org/solutions/)
> Further I will create a forensic page in the grml wiki and write the documentation.
I just created http://wiki.grml.org/doku.php?id=forensic so you can
drop in your stuff there.
regards,
-mika-
--
http://grml.org/ # Linux for texttool-users and sysadmins
http://wiki.grml.org/ # share your knowledge
http://grml.supersized.org/ # the grml development weblog
#grml @ irc.freenode.org # meet us on irc
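The label-based destination mount and the disk cloning discussed above, as an added example that is neither grml's code nor the poster's: a POSIX shell script that resolves a filesystem label to its block device through the udev-style /dev/disk/by-label tree, mounts it at the /media/destination-hd mount point the poster asked for, and images a source device with dd, verifying the copy by SHA-256. The label "destination-hd", the mount point, the BY_LABEL_DIR/DEST_MNT overrides and the RUN_IMAGING guard are assumptions made for the example; the source device is never mounted, and on a real case it should sit behind a write blocker.

```shell
#!/bin/sh
# Added example (not grml's or the original poster's code). Assumes a udev
# /dev/disk/by-label tree, dd, and sha256sum (or shasum). The label
# "destination-hd" and the mount point are taken from the thread; the
# BY_LABEL_DIR / DEST_MNT overrides exist only so the script can be tested
# against a constructed directory instead of real disks.

BY_LABEL_DIR="${BY_LABEL_DIR:-/dev/disk/by-label}"
DEST_MNT="${DEST_MNT:-/media/destination-hd}"

# Resolve a filesystem label to its block device via the by-label symlink.
# Prints the canonical device path; returns 1 if no such label exists.
resolve_label() {
    label="$1"
    link="$BY_LABEL_DIR/$label"
    if [ ! -e "$link" ]; then
        echo "no filesystem labelled '$label' under $BY_LABEL_DIR" >&2
        return 1
    fi
    readlink -f "$link"
}

# Mount the labelled destination partition at DEST_MNT (root, real disks).
mount_destination() {
    dev=$(resolve_label "$1") || return 1
    mkdir -p "$DEST_MNT"
    mount "$dev" "$DEST_MNT"
}

# SHA-256 of a file, printed as a bare hex digest.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Image src into img with dd and compare hashes; returns 0 only on a match.
# bs=512 with conv=noerror,sync keeps reading past bad sectors and pads
# only those 512-byte blocks with zeros. A larger bs with conv=sync would
# also pad the final partial block of a source that is not a multiple of
# bs, which silently changes the image hash.
image_and_verify() {
    src="$1"
    img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img"
    [ "$src_hash" = "$img_hash" ]
}

# Usage on a real box, as root, with the source behind a write blocker:
#   RUN_IMAGING=1 ./image.sh /dev/sdb case42.dd
if [ -n "${RUN_IMAGING:-}" ]; then
    mount_destination destination-hd || exit 1
    image_and_verify "$1" "$DEST_MNT/$2"
fi
```

If the two digests differ, dd hit unreadable sectors (padded with zeros by conv=sync) or the source changed underneath the copy; either way the image is not a faithful copy and the mismatch should be recorded rather than ignored.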