When you first boot up the new Backtrack 4, you might have noticed something slightly different.
So what is this “Start BackTrack Forensics” all about?
Live CDs and Forensics
For a long time now, Linux live CDs have been very useful for forensic acquisition purposes when for one reason or another you can’t utilize a hardware write blocker. For a Linux live CD to be considered for this purpose however, it is of the utmost importance that the use of the live CD in no way alters any data in any manner.
In the past, this ruled out the use of Backtrack for forensic purposes. Backtrack would automount available drives and utilize swap. This could cause all sorts of havoc, changing last mount times, altering data on disk, and so on.
Well, no longer! The Backtrack 4 Live CD has incorporated changes to allow a boot mode which is forensically clean. This is great news, as with Backtrack being such a popular live CD, a copy can often be found close at hand.
How?
So, lets have the scoop. Forensic people are often detail oriented and very conservative, so how do we know it is safe to use? Well, first off the Backtrack 4 Live CD is based off of Casper, and contains no filesystem automount scripts at all. As well, the system as been altered as such that it will not look for or make use of any swap files which are contained on the system. All those scripts have been removed from the system.
Verification
To test this functionality, we have tested this boot mode in multiple hardware configurations with multiple software configurations. For each test, we took a before MD5 snapshot of the system, booted BT4, verified no file systems were mounted and swap was not in use, did a number of activities on the system, then shut the system back down and took an after MD5 snapshot. In this process, we have been able to verify that the use of BT4 in no way altered any data on the test systems.
So, can you trust Backtrack 4 for forensic purposes? Well, not until you verify it as well!
Just like any forensic tool, its negligent to just take someone else’s word that any tool works properly. Its up to you to independently verify the tool before you use it. We expect your results will match ours, and you will find Backtrack 4 is going to be a great addition to you tool set. (And, if your results find a problem, please let us know ASAP and include details as to how you conducted your testing. As, that would be a real problem.)
When you utilize Backtrack for forensics purposes, be sure you don’t let it go through an unattended boot. Default boot for Backtrack is standard boot mode, which will use swap if it is present. There is a nice long delay however, so you will have plenty of time to select the proper boot mode.
