I've searched through the forums for any mention of
True, but I'm not sure what the benefit of this is from a forensic standpoint.
First off, if you boot to another operating system, you lose a lot of valuable volatile data.
Second, what benefits does this have over using bootable Linux CDs? With those, you don't have issues with EULAs.
Don't get me wrong…I can see how this would be useful for rescuing a system, but from a forensic analysis perspective, I'm not sure on what benefits this gives over what's already available.
Harlan
Have used the BartsPE cd on many occasions but only for data recovery or removing a root kit from an infected system.
The BartsPE disk is very customizable. I haven't had a need to customize the PE cd with the forensic tools since HELIX does the job.
Any suggestions?
My testing revealed that BartPE is not "forensically sound" when you use it
to boot up a system with a Windows OS on the hard disk.
It mounts the drive read/write, assigns drive letters and twiddles with the
Recycle Bin etc. Before I discovered Helix, I had done a little research
(with no success) on how to prevent BartPE from messing with the evidence
drives, or at least mount them Read-Only.
I agree that it is good for booting a system to fix it, virus scanning etc, but
there are better forensics tools available.
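The post above describes finding out by testing that BartPE writes to the evidence drive (read/write mount, drive letters, Recycle Bin). Below is an added example, not from this thread or from the BartPE or Helix projects, of how such a soundness test can be made repeatable: hash the raw drive or image in fixed-size chunks before and after booting the live CD, then report which byte ranges changed. A boot environment that is forensically sound must produce an empty list. The device paths, the 64 KiB constructed image and the two simulated writes are assumptions for the demo; on a real test you would point `chunk_hashes` at the raw device (e.g. a Linux `/dev/sdX` node or a Windows `\\.\PhysicalDriveN` path) before and after the boot.

```python
"""Chunked before/after hashing to verify a boot environment left an
evidence drive untouched (added example, not from the thread)."""
import hashlib
import os
import tempfile
from typing import List, Tuple

CHUNK = 4096  # hash per 4 KiB block so a change can be localised by offset


def chunk_hashes(path: str, chunk_size: int = CHUNK) -> List[str]:
    """Return one SHA-256 hex digest per chunk of the file or raw device at path."""
    digests = []
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            digests.append(hashlib.sha256(block).hexdigest())
    return digests


def whole_hash(path: str, chunk_size: int = CHUNK) -> str:
    """Single SHA-256 over the whole device, for the evidence log."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def changed_ranges(before: List[str], after: List[str],
                   chunk_size: int = CHUNK) -> List[Tuple[int, int]]:
    """Compare two chunk-hash lists and return (start, end) byte ranges that differ.

    Adjacent changed chunks are merged into one range; a chunk present in only
    one list (device grew or shrank) also counts as changed.
    """
    ranges: List[Tuple[int, int]] = []
    n = max(len(before), len(after))
    start = None
    for i in range(n):
        b = before[i] if i < len(before) else None
        a = after[i] if i < len(after) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start * chunk_size, i * chunk_size))
            start = None
    if start is not None:
        ranges.append((start * chunk_size, n * chunk_size))
    return ranges


def demo() -> List[Tuple[int, int]]:
    """Constructed demo: a 64 KiB fake image, then two simulated writes by the
    boot environment (one at 20 KiB, one in the last block), as a stand-in for
    the metadata and Recycle Bin changes a read/write mount produces."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.img")
        data = bytearray(bytes(range(256)) * 256)  # deterministic 65536 bytes
        with open(img, "wb") as fh:
            fh.write(data)
        before = chunk_hashes(img)          # baseline taken before the boot
        baseline_hash = whole_hash(img)

        data[20 * 1024] ^= 0xFF             # simulated write in chunk 5
        data[60 * 1024 + 10] ^= 0xFF        # simulated write in chunk 15
        with open(img, "wb") as fh:
            fh.write(data)
        after = chunk_hashes(img)           # re-hash after the boot
        assert whole_hash(img) != baseline_hash
        return changed_ranges(before, after)


if __name__ == "__main__":
    # Two ranges printed means the environment is not forensically sound.
    print(demo())
```

Keep both the chunk list and the whole-device hash in the case notes: the whole hash is what you record for the evidence chain, while the per-chunk list tells you where the live CD wrote so you can map the offsets back to filesystem structures and decide whether the mount was really read-only.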
I've used it to recover data from one of my corrupt vmware machines but nothing too serious. I do have a copy with a bunch of tools also loaded on it in case my machine decides to die when I'm onsite at a client (doing other security work).
It's not bad, but I couldn't see using it for forensics.