Forensics and rescue

brokenman
Site Admin
Posts: 5436
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Forensics and rescue

Post#1 by brokenman » 29 Mar 2014, 03:08

What do you look for in a rescue/forensics setup?

Scenario:
Granny calls and says she received an email in her Outlook Express and it said to open the attachment to win free tickets to bingo. You are sure she installed something nefarious. Grandad also stays up late doing god only knows what on the interweb thingy and reports that a clunking sound is coming from the big box. They are worried that they will lose all the grandkids' birthday photos and downloaded chocolate cookie recipes. Luckily you have your portable Porteus USB and can visit tomorrow. In the meantime the granddaughter visited and set a password on the main account, and now nobody can access the machine.

What tools are you going to require for your rescue mission? What other tools, which you probably won't need here but would be nice to have, would you suggest?
How do I become super user?
Wear your underpants on the outside and put on a cape.

donald
Full of knowledge
Posts: 1121
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Forensics and rescue

Post#2 by donald » 29 Mar 2014, 03:40

LOL.. what a scenario; you should start writing books..
OK.. Outlook Express... Windows...
"granddaughter set a password on the main account".. a Windows account?..
If so, who cares? Linux doesn't.
BIOS PW? Set the jumper or remove the battery. Windows account: use NT Password Changer, and in general the Trinity Rescue Kit (CD) is all you need.
To prevent such scenarios in the future, copy/save the important files, delete Win and install Linux..
I'm sure you will then get some freshly baked cookies from your granny... :wink:

brokenman
Site Admin
Posts: 5436
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: Forensics and rescue

Post#3 by brokenman » 12 Apr 2014, 00:16

OK, so if a rescue edition of Porteus was created, do you think it would be of any use?

The rescue edition would contain a newbie-proof GUI for all rescue operations.
How do I become super user?
Wear your underpants on the outside and put on a cape.

donald
Full of knowledge
Posts: 1121
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Forensics and rescue

Post#4 by donald » 12 Apr 2014, 03:24

Hi brokenman
"would it be of any use?" -- certainly..
Should a newbie make use of serious/useful rescue tools? I'm in doubt..
Even with a GUI the user must know exactly what he/she is doing. Otherwise it will get worse. (keywords = partition table, MBR, sector size etc.)
I assume that they won't read a HOWTO before clicking buttons.
If it is given to newbies, then there must be an undo function for several steps, no?.. Is that possible?
To get an idea, let me ask you: which tools are you thinking of?

fanthom
Site Admin
Posts: 4547
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE

Re: Forensics and rescue

Post#5 by fanthom » 12 Apr 2014, 08:46

I agree that people do not like to read lengthy docs. that's why I believe in the rescue edition's success, but only when it's locked down to the rescue shell. see video:
https://www.youtube.com/watch?v=R804iRA_dfw

other things:
installation through burning on CD or USB with 'dd', no cheatcodes, no additional modules, no terminal access by default. everything locked down as it is in our kiosk edition.
that should eliminate basic problems with the OS. problems related to the rescue task (partitioning, MBR restore, etc.) remain no matter what we do, so active community help (or paid support maybe?) will be required.
from our side we will do our best to make rescue tasks as simple as possible.

this is my vision but brokenman may change everything as he is in charge of the rescue edition :)
Please add [Solved] to your thread title if the solution was found.

francois
Contributor
Posts: 4902
Joined: 28 Dec 2010, 14:25
Distribution: kde xfce porteus manjaro kubun
Location: Summer at last, the awaited climate change: the sun.

Re: Forensics and rescue

Post#6 by francois » 12 Apr 2014, 09:40

The Windows rescue edition is an interesting concept. It could even be tied to the bounty concept, accompanied by a designated forum where some of our members could answer questions to help the eventual user. The proprietary software companies are not that good at giving service on their software. Are we willing to devote some time to the monopoly? Deserving Win XP clients could be a good asset. Just ideas like that.
Voltaire: The best is the enemy of the good.

freestyler
Contributor
Posts: 382
Joined: 17 Oct 2013, 14:21
Distribution: Porteus KDE4
Location: Traveller

Re: Forensics and rescue

Post#7 by freestyler » 12 Apr 2014, 09:49

I'd use testdisk, photorec or scalpel depending on what data is being recovered.
chntpw to change the Windows password.
https://www.porteus-apps.org

freestyler
Contributor
Posts: 382
Joined: 17 Oct 2013, 14:21
Distribution: Porteus KDE4
Location: Traveller

Re: Forensics and rescue

Post#8 by freestyler » 12 Apr 2014, 11:00

Was just having a look around at data recovery software:

http://thewalter.net/stef/software/scrounge/ - reads each block of the hard disk and rebuilds the file system tree on another partition.
R-Linux: Linux recovery http://www.r-tt.com/free_linux_recovery/
http://www.sleuthkit.org looks awesome; they have Sleuth Kit, Autopsy and mac-robber (gain access to mounted read-only drives).
Apparently Recuva can be run through Wine; I guess I would have Wine on a recovery system.
https://www.porteus-apps.org

donald
Full of knowledge
Posts: 1121
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Forensics and rescue

Post#9 by donald » 12 Apr 2014, 16:58

@fanthom
nice video.. with this GUI it seems to be pretty simple to do some easy tasks
like "search for deleted files" etc.
Q:
Rescue tools for Linux, or for Linux and Windows?.. (PW change/reset, virus scan)

Which tools to include?.. pick the best ones from
http://www.ultimatebootcd.com/
or
http://trinityhome.org/

What else is needed?
a wide range of hardware support and a complete translation into every language
to avoid mistakes.

btw. Rescue is one thing, but forensics is a very different thing. (keyword = slack space)
(always make an image first, never work with the original..)

brokenman
Site Admin
Posts: 5436
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: Forensics and rescue

Post#10 by brokenman » 12 Apr 2014, 20:54

Thanks for the video, Fanthom. I can tell you that many of the applications mentioned here are available, including scalpel, ddrescue, photorec & chntpw. There are measures to make sure that the user works from (or at least fully understands that they should) an image and not the disk directly. There is an advanced user section (at the moment) where the user is given a root shell and partitioning rights. For the most part it is locked down.
How do I become super user?
Wear your underpants on the outside and put on a cape.
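Donald's rule in post #9 (always make an image first, never work with the original) and brokenman's note in post #10 that the rescue edition steers the user toward an image are the two checks a rescue session should begin with. As an added example, not Porteus code and not written by either poster, here is that acquisition step as a POSIX shell script: it images with GNU ddrescue when installed (plain dd otherwise), hashes source and image, locks the image read-only and re-verifies it before any recovery tool is run, exercised on a constructed 32 KiB random "drive" instead of a real device.

```shell
#!/bin/sh
# Acquire a disk image, record its hash, lock the image read-only, and re-check
# the hash before any recovery tool touches it. Assumes GNU coreutils
# (sha256sum, mktemp, dd); GNU ddrescue is used when installed, dd otherwise.
set -u

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# image_and_verify SOURCE DEST: copy SOURCE (a block device, or a file standing
# in for one) to DEST, write DEST.sha256, and make DEST read-only.
# Returns 0 only when the image hashes identically to the source.
image_and_verify() {
    src=$1 dst=$2
    if command -v ddrescue >/dev/null 2>&1; then
        # ddrescue keeps going past unreadable sectors and records them in the
        # map file, which is what a drive that already clunks calls for.
        ddrescue -r3 "$src" "$dst" "$dst.map" >/dev/null || return 1
    else
        # Plain dd stops at the first read error, so this path suits healthy
        # media only; conv=noerror,sync is deliberately not used because the
        # zero padding would change the image size and defeat the hash check.
        dd if="$src" of="$dst" bs=1048576 2>/dev/null || return 1
    fi
    src_hash=$(sha256_of "$src") && dst_hash=$(sha256_of "$dst") || return 1
    [ "$src_hash" = "$dst_hash" ] || return 1
    printf '%s\n' "$dst_hash" > "$dst.sha256"
    chmod 0444 "$dst"   # photorec/testdisk/scalpel now get a locked copy, not the disk
}

# verify_image DEST: recompute DEST's hash and compare it with the sidecar file.
# Run this before each recovery session to show the evidence is unchanged.
verify_image() {
    [ -r "$1.sha256" ] || return 1
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# Self-contained demo on a constructed 32 KiB "drive" of random sectors:
# acquire, verify, then append one byte to the image and confirm verification fails.
demo_acquire() {
    tmp=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$tmp/clunking-drive" bs=512 count=64 2>/dev/null || return 1
    image_and_verify "$tmp/clunking-drive" "$tmp/evidence.img" || return 1
    verify_image "$tmp/evidence.img" || return 1
    chmod u+w "$tmp/evidence.img" && printf 'X' >> "$tmp/evidence.img"
    if verify_image "$tmp/evidence.img"; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
}

demo_acquire && echo "image verified and tampering detected"
```

On a real rescue the SOURCE argument is the whole device (for example /dev/sda, never a mounted partition) and DEST lives on a separate, larger drive; the script itself needs root only for reading the device.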

francois
Contributor
Posts: 4902
Joined: 28 Dec 2010, 14:25
Distribution: kde xfce porteus manjaro kubun
Location: Summer at last, the awaited climate change: the sun.

Re: Forensics and rescue

Post#11 by francois » 12 Apr 2014, 22:56

@fanthom: simple and really good looking! :D
Voltaire: The best is the enemy of the good.

donald
Full of knowledge
Posts: 1121
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Forensics and rescue

Post#12 by donald » 13 Apr 2014, 00:59

@brokenman

most of the specialized rescue tools have a lot of command options,
e.g.
Clonezilla.. you can use it in "beginner mode" by pressing enter, enter, enter.. with good results,
or, if you know what you are doing, in "expert mode".
If the Porteus rescue edition shall be useful for everybody, not only for newbies,
an "advanced user section" and a root shell is a "must have".

Partitioning can easily be done with every desktop Porteus. Therefore I see no need
to restrict this.

but I'm just thinking out loud... :wink:

brokenman
Site Admin
Posts: 5436
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: Forensics and rescue

Post#13 by brokenman » 13 Apr 2014, 02:39

Thanks Donald & Francois

I plan on leaving an advanced section available. No point having a rescue disk if advanced users can't use it, since they will most probably be the ones doing the rescuing. For beginners, however, there will be wizard-guided solutions to make images, recover lost data, reset passwords, scan for viruses etc.

Essentially it is designed for the average user to find a way to rescue lost data or fix damaged installs through an attractive GUI, but full access is available for advanced users if the need is there. I think most rescue disks lack the nice GUI and can be intimidating for beginners, hence the idea to create this version. It is already finished and I am just porting it to another base as we speak/type. Forensics was probably a misleading title since the release will be aimed towards rescue. Forensics is another ballgame.
How do I become super user?
Wear your underpants on the outside and put on a cape.

fanthom
Site Admin
Posts: 4547
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE

Re: Forensics and rescue

Post#14 by fanthom » 13 Apr 2014, 08:13

for clarity - I did not create this video. it was posted 2 years ago by brokenman and I just linked it here to drag some attention :P
rescue edition is in better shape now and has more functions than presented in the vid :)
Please add [Solved] to your thread title if the solution was found.

xtudiux
Black ninja
Posts: 72
Joined: 07 Mar 2011, 06:01
Location: Philippines

Re: Forensics and rescue

Post#15 by xtudiux » 26 Apr 2014, 14:30

Some features of Parted Magic... GUI for dd and the like. Test for failures of HDD, SSD etc. chkdsk for different FS...

What will its DE be?
