[Grml] Forensic use of grml

Michael Prokop mika at grml.org
Mon Sep 18 17:30:06 CEST 2006


* Ralf Moll <ralf-info at family-moll.de> [20060918 14:15]:

> I'm a german police officer and sick of all the boot-cds around. I want
> to build a boot-cd / pxe-image for me and other people around based on
> grml because I like shell and debian / ubuntu.

Great. :)

> Currently I'm using a customized HELIX CD
>  * http://e-fense.com/helix/
> which is quite ok but "difficult" to customize.

> My plans are building ONE grml with the forensic tools I need or (which
> would be better) include all tools in the official grml-cd.

Ok.

> I need a CD for booting outside our lab and a pxe-version inside our lab.

> The pxe-part rocks already.

Great. :)

I hope you already know grml-terminalserver. :) If you don't use
grml-terminalserver the grml_netboot_package might be interesting
for you, take a look at
http://wiki.grml.org/doku.php?id=terminalserver

> So here are the things I need to include:
>  * libewf - Free tool to create and write back EnCase-Images
>   * https://www.uitwisselplatform.nl/projects/libewf/

I don't see any problems in adding this to main grml (it's available
under the BSD license).

I just created a preliminary libewf-20060820_1-1_i386.deb package.
I'll improve some minor stuff and the final package should be
available within in the next few hours/days via the grml-repository.
So the next devel-release (see http://grml.org/beta-tester/ for
details) will very probably contain this software already.

>  * A.I.R. Cloning HDs for mausschubser ;)
>   * http://air-imager.sourceforge.net/

GPL, that's fine. But it has an absolutely braindread and even
broken install script (install-air-1.2.8, 165K) and depends on
perl-tk which would need ~10MB of additional space on grml. :(

So the easiest way to run AIR is a short shellscript like
http://grml.org/tmp/get-air which does the job.  I'll add an shell
function named getair (like getskype, getgizmo, get_tw_cli,... we
already have) so it's easy to install on demand.

Is there any other software you use for your forensic work and which
should become part of grml?

> Additionally it would be cool to add a special hot-plug scipts for hds:
> if there is a scpecial id-file / volume-name automatically mount the hd
> as /media/destination-hd for faster hd-cloning.

The current develrelease (grml 0.8-1) already provides support for
fs-labels, so will you have to run only 'mount /mnt/$LABEL' to mount
the partition containing a filesystem named $LABEL. (The release is
available for beta-testers, if you are interested in testing just
let me know and I'll give you access to the ISO.)

> So, how can I do this and is there someone around who want's to help me?

Sure. :)

> First of all one question:
> how can i add a additional dir to the cd for running e.g. libewf if I
> boot the "normal" grml v0.8 via PXE / NFS?
> Or can I place the unzipped ISO-Content in a NFS-Share and do there all
> the modifications I need?

Installing the package on the NFS-server makes it vissible to the
NFS-client. :)

If you want to install additional software either install the
software manually, use the configuration framework (see
http://grml.org/config/ - you can run your own scripts this way) or
remaster grml (http://wiki.grml.org/doku.php?id=remastering +
http://grml.org/solutions/)

> Further I will create a forensic-page in the grml-wiki and do the doku.

I just created http://wiki.grml.org/doku.php?id=forensic so you can
drop in your stuff there.

regards,
-mika-
-- 
 http://grml.org/            # Linux for texttool-users and sysadmins
 http://wiki.grml.org/       # share your knowledge
 http://grml.supersized.org/ # the grml development weblog
 #grml @ irc.freenode.org    # meet us on irc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://ml.grml.org/pipermail/grml/attachments/20060918/681a4616/attachment-0003.pgp>


More information about the Grml mailing list