Appendix G. Contents of a Forensic Unix CD

You should create CDs containing the binaries you’ll need for conducting your investigation. If you do get stuck doing incident response on a host (that is, you don’t have the luxury of imaging the drives for examination on a trusted forensic workstation), at least use trusted binaries. The best way to carry them around is to put them on an ISO 9660 CD, which virtually every Unix platform can mount. Because you need a different set of binaries for each platform that you’ll encounter, we suggest that you create a different directory for each platform. It is common wisdom that everything must be statically linked to avoid problems with compromised kernels. This is good work if you can get it, but it ...
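The per-platform layout and the "statically linked" requirement above can be checked before burning the disc. The following Python script is an added example, not part of the appendix: it stages trusted binaries into a directory per platform, writes a SHA-256 manifest, and inspects each ELF's program headers for PT_INTERP/PT_DYNAMIC (present only in dynamically linked executables). The `make_elf` helper and the `linux-x86_64` directory name are constructed for illustration.

```python
"""Stage trusted binaries for a forensic CD and confirm they are statically linked."""
import hashlib
import os
import struct

PT_DYNAMIC, PT_INTERP = 2, 3   # program header types present only in dynamic executables

def elf_is_static(data):
    """True if ELF has no PT_INTERP/PT_DYNAMIC, False if it does, None if not an ELF file."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            return None                       # truncated header table: do not trust this file
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type in (PT_DYNAMIC, PT_INTERP):
            return False
    return True

def make_elf(ptypes, is64=True):
    """Constructed minimal (non-runnable) ELF image carrying the given program header types."""
    ehsize, phentsize = (64, 56) if is64 else (52, 32)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + b"\0" * 9
    if is64:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(ptypes), 64, 0, 0)
    else:
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(ptypes), 40, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + b"\0" * (phentsize - 4) for t in ptypes)

def stage_platform(cd_root, platform, binaries):
    """Write {name: bytes} into cd_root/<platform>/bin and return (path, sha256, static) rows."""
    bindir = os.path.join(cd_root, platform, "bin")
    os.makedirs(bindir, exist_ok=True)
    rows = []
    for name, data in sorted(binaries.items()):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(data)
        rows.append((f"{platform}/bin/{name}", hashlib.sha256(data).hexdigest(), elf_is_static(data)))
    with open(os.path.join(cd_root, platform, "MANIFEST.sha256"), "w") as f:
        for path, digest, static in rows:       # keep a copy of this manifest off the CD too
            f.write(f"{digest}  {path}  static={static}\n")
    return rows
# Burn the staged tree with e.g.: mkisofs -R -J -o forensic.iso <cd_root>
```

Any row with `static=False` is a binary that would still pull shared libraries from the suspect host and should be rebuilt before the disc is burned.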

