Using LiveCDs to solve everyday problems

by Elena Blanco on 22 November 2005

Archived: This page has been archived. Its content will not be updated.

Introduction

Computer forensics as a speciality has grown hand-in-hand with computer crime. As in all walks of life, as criminals have grown more sophisticated so have the methods used to investigate the crimes they commit.

However, the field of computer forensics has more to offer than just the investigation of crime. There are a surprising number of commonplace situations where forensic techniques can be useful. For example, what happens when the password to the root or administrator account of a computer is lost? Someone will need to break into that machine and reset the password so that normal administrative tasks can be performed. The techniques used to break into a machine are part of the forensic specialist’s toolkit, along with auditing tools, intrusion detection tools, and tools that allow data to be rescued from machines that will not boot.

It may come as something of a surprise to learn that many of the forensic tools in use today have not come from large corporate software houses linked to intelligence and police services but from the open source community. Although the open source community is sometimes characterised as being composed of anti-establishment hackers, it has a long history of producing leading security experts. Under the open source development model, security flaws are there in the source code for all to see and fix, and this gives the community a wealth of security experience. In particular, Linux itself has become a widely used forensic tool through the increasing use of bootable CDs, also known as LiveCDs. More recently, Pendrive Linux has made it possible to install a portable Linux operating system on a flash drive or USB key as an alternative to a LiveCD.

What is a LiveCD?

A LiveCD (or LiveDistro) is an operating system installed on external storage such as a CD or USB memory stick in such a way that it can be used to boot a computer into that operating system without any installation onto the hard drive of that computer being necessary. The majority of LiveCDs feature the Linux operating system along with a collection of software applications and work on computers with an x86 architecture, for example all IBM-PC compatible and more recent Apple Macintosh computers. LiveCDs are useful for showcasing the Linux operating system and selected software without installing onto the hard drive of a computer. They are also seeing increasing use as a way of booting a computer that cannot be booted from its own hard drive.

This could be because the operating system on the computer has suffered a catastrophic failure or perhaps because the machine has been compromised. Once the computer has been booted into the environment provided by the LiveCD then data recovery or system cracking tools can be used to rescue data or to repair the installed operating system.

There are a huge number of LiveCDs available, each targeted at a specific market or group of users. In addition to the various specialisms to be found amongst IT professionals, there are LiveCDs aimed at the games and entertainment market, at educational use, at those requiring heightened privacy, and at those who wish to turn their computer into a media centre capable of playing multiple media formats.

A range of LiveCDs

There are many LiveCDs available each targeting a specific audience and a specific purpose. Examples include:

Ubuntu - an introduction to open source for the end user

Ubuntu is a Linux distribution that has seen a huge surge in popularity over the last few years. It is based on Debian but has a frequent, predictable 6 month release cycle, and a Long Term Support (LTS) version provides three years' support on the desktop and five years on the server. The project invests a great deal of effort in its desktop environment. Although Ubuntu is primarily used as an operating system installed on a computer’s hard drive, the standard installation CD also acts as a LiveCD, allowing anyone to try Ubuntu out with the minimum of effort. It is also possible to run it from a USB memory stick. The LiveCDs available from Ubuntu are especially interesting as they are available for PCs and newer Macs with x86 architecture, and there is also a version for 64-bit computers. Several variants of Ubuntu exist, including Edubuntu, which is aimed at educational use.

Knoppix - general purpose and comprehensive

Knoppix is an established and well-known LiveCD based on Debian GNU/Linux and released under the GNU General Public License (GPL). Its fullest version, which comes as a DVD rather than a CD, comes with a host of open source software programs, from industrial-strength server programs such as the Apache web server, the MySQL database, and the PHP scripting language, to applications targeted at the end user, such as office suites and a range of email clients. It also offers a choice of desktop environments such as KDE and GNOME. All of the 2700+ software packages that come installed on the Knoppix DVD require no further downloading, installation or configuration; the smaller CD version has just over 1000 packages. Although Knoppix is not targeted directly at the specialised field of forensics, it nonetheless comes with utilities for data recovery and system repair for a range of operating systems. It is possible to create your own customised version of Knoppix, a process known as remastering.

Helix 3 Pro - specifically aimed at forensic users

Helix is a CD-based suite of tools targeted at the forensics field, including a bootable Linux environment that allows a computer to be investigated independently of its own operating system. It is produced by e-Fense Inc, a company specialising in incident response and forensic analysis, and is made available as a downloadable ISO image that can be used to burn a Helix CD. Despite containing some open source software, it is not clear that the entire Helix CD is covered by open source licences, as some of the tools on it are produced by e-Fense themselves. The Helix CD is only available to paid members of the e-Fense forum.

Dyne:bolic - specifically aimed at media creators

Dyne:bolic is a Linux-based LiveCD featuring pre-installed applications for audio-visual creativity, including Blender, a fully-featured open source 3D rendering package. Dyne:bolic also includes software that allows multiple computers to be operated remotely from a main workstation over a network, so that a workload can be distributed over a number of machines. Dyne:bolic’s creators promote its use as a tool to free creators from what they see as oppressive interference from large organisations.

The use of LiveCDs to solve everyday problems

Detailed forensic examination by professional forensic experts is undoubtedly one use of LiveCDs but they also offer opportunities for the less specialised IT professional and indeed the end user. There are many everyday problems that can be easily solved by using one of the many LiveCDs available today. Some examples of these include:

  • Forgetting the Windows administrator password. This is such a common occurrence that many LiveCDs specifically cater for this situation. Instead of needing detailed system administration knowledge of how to break into a Windows machine and reset the administrator password, all the forgetful owner needs is a few moments with a LiveCD and it is taken care of.
  • Rescuing data from a compromised machine. When a machine has been compromised it is often unsafe or inadvisable to boot that machine into its own operating system. This could be because many of its system programs have been replaced, so that the local tools cannot be trusted, or because it is launching attacks against other machines across a network. In this situation it can be a lifesaver to be able to boot the machine safely and then copy valuable data from the hard disk, either to removable storage or to another device on the network.
  • Restoring deleted files. Many LiveCDs come with utilities to easily restore previously deleted files. In fact these utilities can even recover files and complete partitions that have been damaged or formatted. If a repartitioning operation runs into difficulties then being able to restore a partition that has been reformatted may save the machine from a complete reinstall.
  • Virus checking. If a machine has been infected by a virus, the safest option is to boot the infected machine from a LiveCD and clean it while its local operating system is not running. This ensures that no infected files are in use when the virus scan is performed. Some LiveCDs are completely dedicated to scanning for and disinfecting viruses. Many LiveCDs, such as Knoppix, provide the Clam AntiVirus virus scanner.
  • Using a computer privately. As long as a user has the ability to reboot the computer, a LiveCD can be a powerful tool for using a computer without leaving traces. As all data is held in memory rather than being written to the hard drive, when a computer booted from a LiveCD is switched off, all traces of the user session disappear.
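The data-rescue and virus-checking cases above share the same working pattern once the machine has been booted from a LiveCD: mount the internal disk read-only, use only the LiveCD's own tools rather than anything on the suspect disk, copy the data out, and verify the copy before trusting it. The script below is an added example written for this article and is not code from the article or from any of the LiveCDs it describes. The device names /dev/sda1 (internal partition) and /dev/sdb1 (removable drive) and the mount points under /mnt are assumptions to be adjusted for the machine in hand; the checksum manifest name is likewise an arbitrary choice.

```shell
#!/bin/sh
# Added example, not code from the OSS Watch article: a small rescue script to
# run from a LiveCD shell on a machine that should not be booted into its own
# operating system. It mounts the internal disk read-only, copies a directory
# tree to removable storage using the LiveCD's own tar and sha256sum (not the
# suspect system's), writes a SHA-256 manifest and verifies the copy against it.
#
# Device names are placeholders (assumptions, not taken from the article):
#   /dev/sda1  internal partition holding the user's data
#   /dev/sdb1  removable USB drive that receives the copy

MANIFEST=RESCUE-MANIFEST.sha256

# Mount the suspect disk read-only (nothing on it is executed or modified) and
# the removable drive read-write. Needs root, which a LiveCD shell usually has.
mount_for_rescue() {
    src_dev=${1:-/dev/sda1}
    dst_dev=${2:-/dev/sdb1}
    mkdir -p /mnt/internal /mnt/usb || return 1
    mount -o ro,noexec,nodev,nosuid "$src_dev" /mnt/internal || return 1
    mount "$dst_dev" /mnt/usb || return 1
}

# Copy the SRC tree into DST, record a checksum of every source file inside
# DST and verify the copy. Returns 0 only when every copied file matches the
# checksum taken from its source.
rescue_copy() {
    src=$1
    dst=$2
    mkdir -p "$dst" || return 1
    # tar keeps permissions and timestamps; the source is only ever read.
    (cd "$src" && tar cf - .) | (cd "$dst" && tar xf -) || return 1
    # Checksums come from the source, so a truncated or corrupted copy shows
    # up now rather than when the files are eventually needed.
    (cd "$src" && find . -type f -exec sha256sum {} +) > "$dst/$MANIFEST" || return 1
    verify_rescue "$dst"
}

# Re-check a rescued tree against the manifest stored inside it; fails if any
# file is missing or has changed since the copy was made.
verify_rescue() {
    dst=$1
    (cd "$dst" && sha256sum -c --quiet "$MANIFEST")
}

# Scan the read-only mounted disk with Clam AntiVirus from the LiveCD, writing a
# report of infected files to the removable drive. Flags: -r (recurse into
# directories), --infected (list only hits), --log (write the report to a file).
scan_mounted_disk() {
    clamscan -r --infected --log=/mnt/usb/clamscan.log /mnt/internal
}

# Typical use from the LiveCD shell (commented so the file can be sourced):
#   mount_for_rescue /dev/sda1 /dev/sdb1
#   rescue_copy /mnt/internal/home /mnt/usb/rescue-home && echo "copy verified"
#   scan_mounted_disk
```

The read-only mount with noexec is what keeps the rescue from altering or accidentally running anything on the compromised disk, and keeping the manifest beside the copy means the rescued data can be re-verified later with verify_rescue, after it has been moved or before it is restored.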
