Forensics

Finnix, the LiveCD for system administrators

Finnix 103 and later includes a forensic mode, designed to avoid automatic actions that could change data on attached media. When booted with the "forensic" or "forensics" boot flag, Finnix behaves as follows:

  • All block devices found during initrd probing are set read-only at the block layer, before any mount is attempted. To allow writes to a specific device once booted, run "blockdev --setrw /dev/blockdevice". Note that in older kernels this block-layer read-only flag was known to have edge cases in which data could still be written to a device; recent kernels are thought to be safe.
  • When searching for Finnix media during initrd, only non-journaling filesystem types (iso9660, vfat and ext2) are tried. Journaling filesystems are known to write recovery data automatically when mounted in an inconsistent state, unless extra precautions are taken.
    • This behavior applies to normal Finnix boot mode as well, not just forensic mode.
  • When searching for and using the Finnix media, all mounts are forced read-only. This overrides the "rw" boot flag.
  • Once the initrd locates Finnix media (by UUID match), it performs extra checks to confirm that the media found is what the initrd itself booted from: SHA512 hashes of every file under /finnix on the CD are stored on the initrd and compared against the located media. If any hash does not match, or if a file exists in /finnix that the initrd does not know about, booting is aborted. This prevents suspect media (for example, a hard drive) from impersonating Finnix in order to run trojaned code.
    • This check is separate from the "testcd" boot option, which uses MD5 hashes of all files on the CD, stored on the CD itself, to guard against download and burn errors. Because those hashes live on the same medium they describe, they offer no protection against deliberate tampering; only the initrd-held SHA512 hashes do.
  • No swap space is activated.
  • No LVM, RAID or crypt autoconfiguration is performed.
  • /etc/fstab is not updated with found block devices.
  • No network configuration (DHCP or manual addressing) is performed.
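The two checks a practitioner most wants to repeat by hand after a forensic-mode boot are the first and the fifth items above: that every block device really is read-only at the block layer, and that the media tree matches a hash manifest that rejects unknown files as well as altered ones. The script below is an added example written for this page, not Finnix's own initrd code. It parses `blockdev --report` output (a constructed sample is embedded, not captured from a real boot) and reimplements the manifest check in user space; it assumes GNU or BusyBox `sha512sum` output ("hash  path" lines), paths without whitespace, and absolute directory and manifest arguments.

```shell
#!/bin/sh
# Added example (not Finnix code). Two post-boot checks for forensic mode:
#
#   writable_devices  - read `blockdev --report` text on stdin and list every
#                       device whose RO column is not "ro"
#   verify_manifest   - check a media tree against a SHA512 manifest and fail
#                       on a hash mismatch, a missing file, OR a file present
#                       on the media that the manifest does not list
#
# Assumptions: sha512sum prints "<hash>  <path>" lines, paths contain no
# whitespace, DIR and MANIFEST are absolute paths.

# Constructed sample of `blockdev --report` output, not captured from a real
# Finnix boot. /dev/sdb has been left writable (as after `blockdev --setrw`).
SAMPLE_REPORT='RO    RA   SSZ   BSZ        StartSec            Size   Device
ro   256   512  4096               0    500107862016   /dev/sda
ro   256   512  4096            2048    500106780160   /dev/sda1
rw   256   512  4096               0     16008609792   /dev/sdb'

# Print the Device column of every non-header row whose RO column is not "ro".
# Empty output means every reported device is read-only.
#   live use:  blockdev --report | writable_devices
writable_devices() {
    awk 'NR > 1 && $1 != "ro" { print $NF }'
}

# Return 0 when no device in the report on stdin is writable.
all_readonly() {
    [ -z "$(writable_devices)" ]
}

# verify_manifest DIR MANIFEST
# MANIFEST holds sha512sum-format lines: "<hash>  <path relative to DIR>".
# Prints one reason line per problem (MISSING, MISMATCH, UNKNOWN); returns 1
# if any problem was found, 0 otherwise.
verify_manifest() {
    dir=$1
    manifest=$2
    status=0

    # 1. Every listed file must exist and hash to the recorded value.
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        have=$(sha512sum "$dir/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path"
            status=1
        fi
    done < "$manifest"

    # 2. Every file actually present must appear in the manifest. A plain
    #    `sha512sum -c` never catches this: an attacker can add files to a
    #    look-alike tree while leaving the listed ones untouched.
    listing=$(mktemp)
    (cd "$dir" && find . -type f | sed 's|^\./||') > "$listing"
    while read -r present; do
        if ! awk -v p="$present" '$2 == p { found = 1 } END { exit !found }' "$manifest"; then
            echo "UNKNOWN  $present"
            status=1
        fi
    done < "$listing"
    rm -f "$listing"

    return $status
}
```

On a live system the first check is `blockdev --report | all_readonly && echo all-ro`; for the second, build the manifest once from trusted media with `sha512sum finnix/*` run from the media root and keep it somewhere other than the media being examined, since a manifest stored on the medium it describes only detects accidental corruption, which is the "testcd" case, not tampering.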

A decent guide to the challenges inherent in using Linux LiveCDs for forensics is available in this article from forensicswiki.org. As of Finnix 103, Finnix's forensic mode is believed to address every challenge raised in that article. Be aware, however, that no software is perfect, and Finnix does not guarantee that it will never inadvertently modify suspect media.

Note: Finnix is not a forensic LiveCD. Many existing tools have a more specialized forensic focus. Finnix's forensic mode is instead meant as a base on which the user can be reasonably confident that Finnix is not modifying data without the user's knowledge.
