Forensics

The wide variety of useful Linux utilities exist for desktop computers can also be used on Linux-based PDAs. These utilities can be used as a part of the forensics investigation process.

Disk Cloning

dd, or duplicate disk, is a Unix and Linux utility that allows the user to create a bitstream image of a disk or device. Once the Linux-based PDA is connected to another device and the dd utility is run, the mirror image can be uploaded onto memory cards or even an external desktop workstation connected via a network. Images created by dd are readable by forensics software tools such as EnCase and Forensic Toolkit. Since the device uses a Linux filesystem, the image may also be mounted and examined on a Linux workstation.

Undeleting Files

foremost is a Linux based program data for recovering deleted files and served as the basis for the more modern Scalpel. The program uses a configuration file to specify headers and footers to search for. Intended to be run on disk images, foremost can search through most any kind of data without worrying about the format.

BackTrack Linux

Backtrack-Linux is probably the highest rated and acclaimed Linux security distribution to date. It is a Linux-based penetration testing and forensics arsenal that aids security professionals in the ability to perform assessments in a purely native environment.

You can download a Live DVD with a bootable forensics system from www.backtrack-linux.org which gives you many high-end tools for forensics and data rescue.

It is a customized distribution of Ubuntu Linux. You can boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to incident response, network security testing and forensics.

Backtrack Linux has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. It will not auto mount swap space, or auto mount any attached devices.

www.backtrack-linux.org