[Grml] Re: Forensic use of grml

Michael Prokop mika at grml.org
Wed Sep 20 20:18:16 CEST 2006


* Ralf Moll <ralf-info at family-moll.de> wrote:

>> I hope you already know grml-terminalserver. :) If you don't use
>> grml-terminalserver the grml_netboot_package might be interesting
>> for you, take a look at
>> http://wiki.grml.org/doku.php?id=terminalserver

> Hmm, if I want to use the terminalserver I have to install a complete grml
> on my server. With the pxe-netboot-package I can use the grml-cd for our
> network like being outside having only the grml cd.

Yes.

> I don't want to change my server-os and in addition to that I want the
> same environment for forensic analysis in our net over pxe-boot and
> outside via cd-boot.

Ok.

>> I just created a preliminary libewf-20060820_1-1_i386.deb package.
>> I'll improve some minor stuff and the final package should be
>> available within the next few hours/days via the grml-repository.
>> So the next devel-release (see http://grml.org/beta-tester/ for
>> details) will very probably contain this software already.

> Great. That's one of the most important tools for me.

It will be part of the next devel-release and of course of grml 0.9
then. I'll keep you up2date.

>>>  * A.I.R. Cloning HDs for mausschubser ;)
>>>   * http://air-imager.sourceforge.net/

>> GPL, that's fine. But it has an absolutely braindead and even
>> broken install script (install-air-1.2.8, 165K) and depends on
>> perl-tk which would need ~10MB of additional space on grml. :(

> Ok, that's bad. Maybe Adepto is better. I contacted the author and will post
> the result here later.

Ok, thanks.

>> So the easiest way to run AIR is a short shellscript like
>> http://grml.org/tmp/get-air which does the job.  I'll add a shell
>> function named getair (like getskype, getgizmo, get_tw_cli,... we
>> already have) so it's easy to install on demand.

> Ok, for forensic analysis the PCs are regularly not connected to the
> internet, so the getair-script doesn't make sense. So I have to do it
> without A.I.R.

Ok.

>> Is there any other software you use for your forensic work and which
>> should become part of grml?

> Look at http://wiki.grml.org/doku.php?id=forensic

Done that, thanks. :)

> BTW: How can I create an account? ;-) Didn't find the "sign in"....

Currently accounts are used only by core developers of grml.
If you want to edit a page just do it :) and enter a short
description into the field named "Edit summary:" and add your name
(if you want) before saving changes.

For example something like:

  "added $FOO [ralf moll]"

simplifies it for us to follow all the changes.

BTW: I've removed the wishlist stuff as the specific pages in the
wiki should provide documentation for users and should not contain
developers' stuff. ;) If you have something for the wishlist either
just edit http://wiki.grml.org/doku.php?id=wishlist or use
http://grml.org/report/ or feel free to drop me a personal mail.

Ok, back to your wishlist:

  * LinEn from EnCase (maybe a licence problem)

=> where can I get that? AFAICS it's just available with the EnCase
suite (which is closed source + quite expensive). :(

  * AFF-Tools [ http://www.afflib.org/ ]

=> I'll take a look at it!

And Adepto and AIR have been discussed already. :)

>> The current devel-release (grml 0.8-1) already provides support for
>> fs-labels, so you will only have to run 'mount /mnt/$LABEL' to mount
>> the partition containing a filesystem named $LABEL. (The release is
>> available for beta-testers, if you are interested in testing just
>> let me know and I'll give you access to the ISO.)

> hmm, that's a good start. so every user should know his harddisk-name
> and nothing can go wrong.

Yes. (Small correction: it's filesystem's/partition's name.)

>>> First of all one question:
>>> how can I add an additional dir to the cd for running e.g. libewf if I
>>> boot the "normal" grml v0.8 via PXE / NFS?
>>> Or can I place the unzipped ISO-Content in a NFS-Share and do there all
>>> the modifications I need?

>> Installing the package on the NFS-server makes it visible to the
>> NFS-client. :)

> But only for the terminalserver-stuff. The pxe just mounts the grml-file
> from the cd.

Ok.

You could write a shellscript which does all the stuff you need if
you do not want to remaster grml on your own.  Just create an
additional directory named scripts on the cdrom and place your stuff
in /cdrom/scripts/grml.sh. Booting using 'grml scripts' then
executes the script on startup. (If you want to do this by default
either adjust isolinux.cfg or run 'mkdir bootparams && echo -n "
scripts" >>bootparams/bootparams' in the root-directory of the CD,
see keyword bootparams at http://grml.org/config/grml-config.html.
Labeling a device/partition with GRMLCFG might be interesting for
you as well.)

>> If you want to install additional software either install the
>> software manually, use the configuration framework (see
>> http://grml.org/config/ - you can run your own scripts this way) or
>> remaster grml (http://wiki.grml.org/doku.php?id=remastering +
>> http://grml.org/solutions/)

> The author of the helix cd http://e-fense.com/helix/ did create a dir
> CDROM:/Addon which is not in the knoppix-image, but on the cd-root. The
> dir is included in the path. So every dummy user can just add his own
> tools to the CDROM:/Addon dir even via Windoze ISO-Tools and burn his
> "private" cd with a few new programs.
> Very easy customizing :)

We have a "debs" bootoption in our config framework
(http://grml.org/config/grml-config.html) for installing stuff from
/cdrom/debs/. But I must admit that it very probably won't fit your
needs, the lines above about /cdrom/scripts/grml.sh should work
better for you.

But I like the idea to add an "external" directory to $PATH as you
don't have to care about debian packaging and can add software like
AIR easily on your own. So I'll add '/cdrom/addons/' to $PATH in our
config!

regards,
-mika-
-- 
 http://grml.org/            # Linux for texttool-users and sysadmins
 http://wiki.grml.org/       # share your knowledge
 http://grml.supersized.org/ # the grml development weblog
 #grml @ irc.freenode.org    # meet us on irc
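The two suggestions in this mail (a /cdrom/scripts/grml.sh run via the 'scripts' bootparam, and an addons directory on the CD put into $PATH) can be combined into one small script. The following is an added example written for this thread, not grml's own code or anything from the grml config framework: it assumes the CD root is /cdrom (overridable through a CDROOT variable so it can be exercised on a scratch directory), uses the /cdrom/addons/ and bootparams/bootparams paths named above, and the function names are made up here. Unlike the one-liner quoted above, the bootparams step only appends " scripts" when the keyword is not already present, so re-running it on an already customised CD tree does not duplicate the entry.

```shell
#!/bin/sh
# Added example, not grml's own code: a candidate /cdrom/scripts/grml.sh
# that exposes tools from an "addons" directory on the CD and can make the
# 'scripts' bootparam the default. CDROOT defaults to grml's /cdrom mount
# point; the variable exists so the functions can be run against a scratch
# directory instead of a real CD.
CDROOT="${CDROOT:-/cdrom}"

# Prepend $1/addons to PATH if the directory exists and is not already on it.
# Prints the resulting PATH; returns 1 (and leaves PATH alone) if the
# directory is missing, so a CD without addons boots unchanged.
add_addons_to_path() {
    addons="$1/addons"
    [ -d "$addons" ] || return 1
    case ":$PATH:" in
        *":$addons:"*) ;;                  # already present, keep PATH as is
        *) PATH="$addons:$PATH" ;;
    esac
    export PATH
    printf '%s\n' "$PATH"
}

# Append " scripts" to $1/bootparams/bootparams only when the keyword is not
# listed yet, so repeated runs do not grow the file. Prints the file content.
enable_scripts_bootparam() {
    dir="$1/bootparams"
    file="$dir/bootparams"
    mkdir -p "$dir"
    [ -f "$file" ] || : > "$file"
    # pad with spaces so "scripts" is matched as a whole word only
    case " $(cat "$file") " in
        *" scripts "*) ;;
        *) printf ' scripts' >> "$file" ;;
    esac
    cat "$file"
}

# List the executables that $1/addons would put on PATH (sorted, one per
# line), which is what an analyst would check before trusting a custom CD.
list_addons() {
    find "$1/addons" -maxdepth 1 -type f -perm -100 2>/dev/null | sort
}

# When executed as the boot script only the PATH step is wanted; a missing
# addons directory is not an error here.
add_addons_to_path "$CDROOT" >/dev/null || :
```

Run as /cdrom/scripts/grml.sh it only adjusts PATH; enable_scripts_bootparam is meant to be run once, by hand, against the unpacked CD tree before burning it.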
