BartsPE

(@spyguy)

I've searched through the forums for any mention of BartsPE but didn't get any hits. Is this a tool that this group is aware of? If not you might want to take a look at the link that I have provided. It will allow you to boot up a PC from the CD/DVD or flash memory and gives you access to the hard drive without having to boot from the hard drive.

Posted : 01/12/2005 11:48 pm
(@keydet89)

True, but I'm not sure what the benefit of this is from a forensic standpoint.

First off, if you boot to another operating system, you lose a lot of valuable volatile data.

Second, what benefits does this have over using bootable Linux CDs? With those, you don't have issues with EULAs.

Don't get me wrong… I can see how this would be useful for rescuing a system, but from a forensic analysis perspective, I'm not sure what benefits this gives over what's already available.

Harlan

Posted : 28/12/2005 12:59 am
(@arashiryu)

Have used the BartsPE CD on many occasions but only for data recovery or removing a rootkit from an infected system.
The BartsPE disk is very customizable. I haven't had a need to customize the PE CD with the forensic tools since HELIX does the job.

Any suggestions?

Posted : 28/12/2005 11:11 pm
(@jakec)

My testing revealed that BartPE is not "forensically sound" when you use it to boot up a system with a Windows OS on the hard disk. It mounts the drive read/write, assigns drive letters and twiddles with the Recycle Bin etc. Before I discovered Helix, I had done a little research (with no success) on how to prevent BartPE from messing with the evidence drives, or at least mount them Read-Only.

I agree that it is good for booting a system to fix it, virus scanning etc, but there are better forensics tools available.

Posted : 29/12/2005 7:07 pm
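One way to test a boot medium the way jakec describes, as an added example that is not part of this thread: image the evidence disk before and after booting the medium, compare the whole-disk hashes, and on a mismatch report which sectors moved. The two images below are constructed in memory (the "DIRT" and "$RECYCLE" markers are hypothetical stand-ins for a dirty-volume flag and a Recycle Bin write); on a real case both images would be read from the raw device behind a write blocker.

```python
import hashlib
from typing import List, Tuple

SECTOR = 512  # bytes per sector; granularity of the change report


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_sectors(before: bytes, after: bytes, sector: int = SECTOR) -> List[int]:
    """Return the indices of sectors whose contents differ between two images."""
    if len(before) != len(after):
        raise ValueError("image sizes differ: %d vs %d bytes" % (len(before), len(after)))
    changed = []
    for off in range(0, len(before), sector):
        if before[off:off + sector] != after[off:off + sector]:
            changed.append(off // sector)
    return changed


def verify_boot_medium(before: bytes, after: bytes) -> Tuple[bool, List[int]]:
    """Sound means the whole-disk hash is unchanged after the boot.

    Returns (sound, changed_sector_indices); the list is empty when sound.
    """
    if sha256_hex(before) == sha256_hex(after):
        return True, []
    return False, changed_sectors(before, after)


def make_sample_images() -> Tuple[bytes, bytes]:
    """Constructed 16-sector 'disk' images (not real data) for an offline run.

    The 'after' image simulates what jakec observed: the boot environment
    touches the volume boot sector and a Recycle Bin region.
    """
    before = bytes(16 * SECTOR)
    after = bytearray(before)
    after[0:4] = b"DIRT"                            # hypothetical dirty-volume marker
    after[7 * SECTOR:7 * SECTOR + 8] = b"$RECYCLE"  # hypothetical Recycle Bin write
    return before, bytes(after)


if __name__ == "__main__":
    pre, post = make_sample_images()
    print(verify_boot_medium(pre, pre))   # (True, [])
    print(verify_boot_medium(pre, post))  # (False, [0, 7])
```

The sector list is what you would then map back to the file system (boot sector, $Recycle.Bin, journal) to document exactly what the medium altered.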
(@schlecht)

I've used it to recover data from one of my corrupt VMware machines but nothing too serious. I do have a copy with a bunch of tools also loaded on it in case my machine decides to die when I'm onsite at a client (doing other security work).

It's not bad, but I couldn't see using it for forensics.

Posted : 30/12/2005 11:44 pm