[Grml] Forensic use of grml

Ralf Moll ralf-info at family-moll.de
Tue Sep 19 22:51:58 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Michael,

> I hope you already know grml-terminalserver. :) If you don't use
> grml-terminalserver the grml_netboot_package might be interesting
> for you, take a look at
> http://wiki.grml.org/doku.php?id=terminalserver
Hmm, if I want to use the terminalserver I have to install a complete grml
on my server. With the pxe-netboot-package I can use the grml-cd for our
network just like being outside, having only the grml cd.

I don't want to change my server-os and, in addition to that, I want the
same environment for forensic analysis in our net over pxe-boot and
outside via cd-boot.

> I just created a preliminary libewf-20060820_1-1_i386.deb package.
> I'll improve some minor stuff and the final package should be
> available within the next few hours/days via the grml-repository.
> So the next devel-release (see http://grml.org/beta-tester/ for
> details) will very probably contain this software already.
Great. That's one of the most important tools for me.

>>  * A.I.R. Cloning HDs for mausschubser ;)
>>   * http://air-imager.sourceforge.net/
> 
> GPL, that's fine. But it has an absolutely braindead and even
> broken install script (install-air-1.2.8, 165K) and depends on
> perl-tk which would need ~10MB of additional space on grml. :(
Ok, that's bad. Maybe Adepto is better. I contacted the author and will post
the result here later.

> So the easiest way to run AIR is a short shellscript like
> http://grml.org/tmp/get-air which does the job.  I'll add a shell
> function named getair (like getskype, getgizmo, get_tw_cli,... we
> already have) so it's easy to install on demand.
Ok, for forensic analysis the PCs are regularly not connected to the
internet, so the getair-script doesn't make sense. So I have to do it
without A.I.R.

> Is there any other software you use for your forensic work and which
> should become part of grml?
Look at http://wiki.grml.org/doku.php?id=forensic
BTW: How can I create an account? ;-) Didn't find the "sign in"....

> The current develrelease (grml 0.8-1) already provides support for
> fs-labels, so you will only have to run 'mount /mnt/$LABEL' to mount
> the partition containing a filesystem named $LABEL. (The release is
> available for beta-testers, if you are interested in testing just
> let me know and I'll give you access to the ISO.)
Hmm, that's a good start. So every user should know his harddisk name
and nothing can go wrong.

>> So, how can I do this and is there someone around who wants to help me?
> Sure. :)
Cool :)

>> First of all one question:
>> how can I add an additional dir to the cd for running e.g. libewf if I
>> boot the "normal" grml v0.8 via PXE / NFS?
>> Or can I place the unzipped ISO-Content in an NFS-Share and do there all
>> the modifications I need?
> Installing the package on the NFS-server makes it visible to the
> NFS-client. :)
But only for the terminalserver-stuff. The pxe-boot just mounts the grml-file
from the cd.

> If you want to install additional software either install the
> software manually, use the configuration framework (see
> http://grml.org/config/ - you can run your own scripts this way) or
> remaster grml (http://wiki.grml.org/doku.php?id=remastering +
> http://grml.org/solutions/)

The author of the helix cd http://e-fense.com/helix/ created a dir
CDROM:/Addon which is not in the knoppix-image, but on the cd-root. The
dir is included in the path. So every dummy user can just add his own
tools to the CDROM:/Addon dir, even via Windoze ISO-Tools, and burn his
"private" cd with a few new programs.
Very easy customizing :)

>> Further I will create a forensic-page in the grml-wiki and do the doku.
> I just created http://wiki.grml.org/doku.php?id=forensic so you can
> drop in your stuff there.
I already wrote down some stuff.

Looking forward to a cool project,

ramon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFEFhubMz/fBOR9IURAnjtAJ0eQgFRNmatDRMZvJnsM44rjwEX3ACfeF6H
Bq5dSuiqwC8Dbq2W7qjBV9g=
=I/1F
-----END PGP SIGNATURE-----
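The CDROM:/Addon convention described in the mail, as an added illustration that is not code from grml, Helix or the mail's author: a small POSIX shell function that takes the mount point of the boot medium (an assumed argument, not a grml interface) and prepends its Addon directory to PATH only if that directory really exists and is not already listed. The demonstration at the bottom builds a constructed fake medium in a temp directory, so it runs without a CD.

```shell
#!/bin/sh
# Added example: mimic a Helix-style CDROM:/Addon directory on the boot medium.
# add_addon_dir MOUNTPOINT
#   Puts MOUNTPOINT/Addon at the front of PATH so tools the user dropped onto
#   the CD are found before same-named binaries on the live system.
#   Returns 1 if the medium carries no Addon directory.
add_addon_dir() {
    medium="$1"
    addon="$medium/Addon"
    # Only a real directory counts; a missing dir means the medium was not
    # prepared, and a plain file of that name must not land in PATH.
    [ -d "$addon" ] || return 1
    # Idempotent: sourcing this twice must not duplicate the PATH entry.
    case ":$PATH:" in
        *":$addon:"*) return 0 ;;
    esac
    PATH="$addon:$PATH"
    export PATH
    return 0
}

# Constructed demonstration medium (no CD needed): a temp dir with an Addon
# subdirectory holding one stand-in tool.
demo_medium="$(mktemp -d)"
trap 'rm -rf "$demo_medium"' EXIT
mkdir "$demo_medium/Addon"
printf '#!/bin/sh\necho addon-tool-ran\n' > "$demo_medium/Addon/mytool"
chmod +x "$demo_medium/Addon/mytool"

add_addon_dir "$demo_medium"
# The tool is now reachable by name through PATH.
mytool
```

On a real live system the function would be called once at boot with the mount point of the CD (or the NFS export in the PXE case), which is the only piece a user of this convention has to know; everything else is just dropping executables into Addon before burning.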