Appendix G. Contents of a Forensic Unix CD
You should create CDs containing the binaries you’ll need for conducting your investigation. If you do get stuck doing incident response on a host (that is, you don’t have the luxury of imaging the drives for examination on a trusted forensic workstation), at least use trusted binaries. The best way to carry them around is to put them on an ISO 9660 CD, which virtually every Unix platform can mount. Because you need a different set of binaries for each platform that you’ll encounter, we suggest that you create a different directory for each platform. It is common wisdom that everything must be statically linked to avoid problems with compromised kernels. This is good work if you can get it, but it ...
Get Computer Forensics: Incident Response Essentials now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
