Debian Forensics Tasksel
Christophe Monniez
christophe.monniez at fccu.be
Thu Feb 24 07:29:20 UTC 2011
On Thursday 24 February 2011 at 03:28 +0100, Derrick Karpo wrote:
> Christophe I think this is a useful idea. I have been doing something
> similar manually on our forensics machines in the office but it would
> be much easier to just tasksel 'forensics' and call it a day. All of
> your suggestions are good. Some other things that may be of value:
>
> o disallow mounting of external swap partitions
> o associate certain mime types (ie. txt, .doc) with read only
> viewers (ie. browser, doc viewer)
> o force journaled filesystems to loop mount (ie. 'ext3 -o ro,loop')
> to prevent journal recovery
>
> I don't have any experience with tasksel but if you are looking for
> assistance I would be happy to help where I can.
>
> Derrick
>
It sounds like they are good ideas too.
So here is what we have:
1) Installing all the forensics packages + a few useful packages.
2) Disabling any automount feature of the different graphical installers.
3) Adding an /etc/sudoers.d/forensic file to give the forensics people the ability to mount systems without being root and maybe without password.
4) Allow more loop devices than 8.
5) Modify initramfs in order to not modify disks at boot time.
6) Disallow mounting of external swap partitions.
7) Associate certain mime types (i.e. .txt, .doc) with read-only viewers (i.e. browser, doc viewer).
8) Force journaled filesystems to loop mount (i.e. 'ext3 -o ro,loop') to prevent journal recovery.
Now, we need someone with tasksel experience or to learn tasksel by ourselves.
--
Christophe Monniez <christophe.monniez at fccu.be>
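As an added example (not code from the thread or from the Debian forensics packages), the following POSIX shell helpers generate the configuration fragments behind items 3, 4 and 8 of the list above: a sudoers.d fragment, a modprobe option for more loop devices, and the mount options for a read-only loop mount of an evidence image. The group name "forensics", the mount point /mnt/evidence, the file names under /etc and the value 64 are assumptions, not values from the thread. It also adds the ext3/ext4 `noload` mount option, since a plain `ro` mount still replays the journal.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates the config
# fragments for items 3, 4 and 8 of the list. Assumed names: group
# "forensics", mount point /mnt/evidence, files under /etc/sudoers.d
# and /etc/modprobe.d.

# Item 3: let members of the forensics group mount, unmount and set up
# loop devices as root without a password. sudoers needs absolute paths.
forensic_sudoers() {
    cat <<'EOF'
# Forensic workstation: check with  visudo -c -f /etc/sudoers.d/forensic
Cmnd_Alias EVIDENCE = /bin/mount, /bin/umount, /sbin/losetup
%forensics ALL=(root) NOPASSWD: EVIDENCE
EOF
}

# Item 4: raise the loop device count above the default of 8 through the
# loop module's max_loop parameter. 64 is an assumed default.
forensic_loop_conf() {
    printf 'options loop max_loop=%s\n' "${1:-64}"
}

# Item 8: options for a read-only loop mount of an image. ro alone does
# not stop ext3/ext4 from replaying the journal; noload does. noexec,
# nosuid and nodev keep anything on the evidence from being executed.
# An optional byte offset selects a partition inside a whole-disk image.
forensic_mount_opts() {
    fstype="$1"
    offset="$2"
    opts="ro,loop,noexec,nosuid,nodev"
    case "$fstype" in
        ext3|ext4) opts="$opts,noload" ;;
    esac
    if [ -n "$offset" ]; then
        opts="$opts,offset=$offset"
    fi
    printf '%s\n' "$opts"
}

# Print (do not run) the mount command so the examiner can review it.
forensic_mount_cmd() {
    image="$1"; fstype="$2"; offset="$3"; mnt="${4:-/mnt/evidence}"
    printf 'mount -t %s -o %s %s %s\n' "$fstype" \
        "$(forensic_mount_opts "$fstype" "$offset")" "$image" "$mnt"
}

# Write the fragments under a root directory: "/" on the workstation,
# a scratch directory when trying this out.
write_forensic_config() {
    root="${1:-/}"
    mkdir -p "$root/etc/sudoers.d" "$root/etc/modprobe.d"
    forensic_sudoers > "$root/etc/sudoers.d/forensic"
    chmod 0440 "$root/etc/sudoers.d/forensic"
    forensic_loop_conf 64 > "$root/etc/modprobe.d/forensic-loop.conf"
}
```

Try it on a scratch directory first, e.g. `write_forensic_config /tmp/forensic-root`, then review the files and run `visudo -c -f` on the sudoers fragment before copying anything under the real /etc. `forensic_mount_cmd evidence.dd ext3 1048576` prints the mount line for the first partition of a disk image with a 1 MiB offset.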