Digital forensics

Overview of Computer Forensics Linux Distributions

January 31, 2018 by Chiragh Dewan

What is a Live CD?

A live CD/DVD/disk contains a complete bootable operating system that runs in a computer's memory rather than loading from the hard disk. The CD itself is read-only. Live CDs allow the user to run an OS for any purpose without installing it or making any changes to the computer's configuration.

For computer forensics, this is a great method because the computer's configuration and the data on it are not compromised, and detailed analysis can still run on top of it.


In this regard, both Linux and Windows based distributions can be utilized, and are further described as follows:

List of Live Distributions for Computer Forensics

  • ALT Linux Rescue: It is designed to help sysadmins fix and repair different kinds of problems such as resize partitions, recover files and partitions, optimize file system usage, etc. It can be found at:
  • BackBox Linux: It is an Ubuntu-based distro created for forensic and penetration testing purposes. Having its own software repositories, it is fast, easy to use and provides a minimal yet complete desktop environment. It can be found at:
  • BlackArch Linux: It is based on Arch Linux and is used for forensics and penetration testing purposes. Its repository contains 1806 different tools which help the user in the above-mentioned practices. It can be found at:
  • CAINE: Computer Aided Investigative Environment, popularly known as CAINE, is an Italian GNU/Linux-based live distro created for digital forensics. It offers a complete forensic environment and can integrate existing software and modules. It can be found at:
  • DEFT: Digital Evidence and Forensics Toolkit or commonly known as DEFT is a distro made for Digital Forensics with the purpose of running on a Live CD. It is based on GNU/Linux. It uses LXDE as desktop environment and WINE for executing Windows tools. It can be found at:
  • GRML-Forensic: It is a system designed for forensic investigations and data rescue tasks. Its main purpose is to acquire user data. It can be found at:
  • Helix3/Helix3 Pro: Helix focuses on Incident Response and forensics tools. It is used by individuals who have a sound understanding of Incident Response and forensic techniques. However, according to its support blog, the free version, Helix3, would not be getting any updates anymore. Helix3 Pro is its commercial paid version. It can be found at:
  • Kali Linux: Kali Linux is the most widely used operating system by security professionals. Its previous version, BackTrack, made a mark on the industry. It provides tools for computer forensics as well as penetration testing. Its Forensic Mode was first introduced in BackTrack. It can be found at:
  • MacQuisition: It is a powerful 3-in-1 solution for live data acquisition, targeted data collection, and forensic imaging. It runs on Mac OSX and acquires data from over 185 different Macintosh computer models in their native environment. It is a paid software. It can be found at:
  • Matriux: Based on Debian, it is a fully featured security distro. It consists of more than 300 open source and free tools that can be used for various purposes such as Penetration Testing, Computer Forensics, Ethical Hacking, etc. It can be found at:
  • Parrot OS: It is based on GNU/Linux and was designed with cloud penetration testing and IoT security in mind. It also includes a full portable lab for security and digital forensics, and provides everything a user would need to develop their own security tools and protect their privacy with anonymity and crypto tools. It can be found at:
  • Pentoo Linux: Based on Gentoo, it is a security-focused Live CD. It consists of a lot of customized tools, a customized kernel, etc. Essentially, Pentoo is Gentoo with the Pentoo overlay. It can be found at:
  • PlainSight: It is a computer forensics environment that allows beginners in the field to perform common tasks using powerful open source tools. It can be found at:
  • Safe Boot Disk: It is designed to boot any Intel-based computer into a forensically sound Microsoft Windows environment. All attached disks, fixed and removable, are write-blocked using the SAFE software write-blocking engine during boot time. It can be found at:
  • SMART Linux: It has been developed for Data Forensics, Electronic Discovery and Incident Response. It can be found at:
  • Urix OS: Formerly NetSecL, it is a security-focused distro based on OpenSUSE. It consists of tools for Penetration Testing and Computer Forensics. It can be found at:
  • WinFE: Windows Forensic Environment or WinFE was created by simply adding two registry keys to the Windows Vista Pre-Installation Environment 2.0. These keys prevented the auto-mounting of some of the volumes at boot time, which then allowed the creation of a rudimentary Microsoft based forensic boot Live CD. It can be found at:

Forensic Live CD Issues

The main aim of a forensic investigation is to extract as much information as possible about the affected system in order to determine the root cause of the infection or attack. Extracting that information involves one crucial requirement: the tools used by the investigator must not tamper with the affected system's memory in any way. Live CDs used to be one of the most popular choices for forensic investigations. However, there are certain pitfalls to using a Live CD:

  1. Journaling file system issues
  2. Auto mount of block devices
  3. Failure to properly write protect

Journaling file system issues

A journaling file system keeps track of changes that are yet to be committed to the file system. It plays a critical role in recovering the file system to a working state after a power failure or system crash. In forensic investigations, when journaling file systems are mounted or unmounted with read-only flags from a Live CD, a number of writes may still occur to the file system, resulting in tampering with the evidence.
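As an added illustration (not code from the original article), the sketch below reads an ext2/3/4 superblock straight from raw bytes, without mounting anything, and reports whether the journal is flagged as needing recovery, which is the state in which a plain read-only mount can still write to the disk. The function names and the sample volume are constructed for this example; the field offsets and flag values are those of the ext superblock layout.

```python
import struct

SUPERBLOCK_OFFSET = 1024      # primary ext2/3/4 superblock starts 1 KiB into the volume
EXT_MAGIC = 0xEF53            # s_magic
COMPAT_HAS_JOURNAL = 0x0004   # bit in s_feature_compat
INCOMPAT_RECOVER = 0x0004     # bit in s_feature_incompat: journal needs replay


def journal_status(volume: bytes) -> dict:
    """Inspect the superblock of a raw volume image; nothing is mounted or written."""
    sb = volume[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 104:
        raise ValueError("volume too short to hold an ext superblock")
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 file system")
    wtime, mnt_count = struct.unpack_from("<IH", sb, 48)   # s_wtime, s_mnt_count
    compat, incompat = struct.unpack_from("<II", sb, 92)   # feature bitmaps
    has_journal = bool(compat & COMPAT_HAS_JOURNAL)
    needs_recovery = bool(incompat & INCOMPAT_RECOVER)
    return {
        "has_journal": has_journal,
        "needs_recovery": needs_recovery,
        "last_write_time": wtime,
        "mount_count": mnt_count,
        # With a dirty journal, a plain "ro" mount lets the kernel replay it to disk.
        "plain_ro_mount_writes": has_journal and needs_recovery,
    }


def build_sample(compat: int, incompat: int, wtime: int = 1517356800,
                 mnt_count: int = 7) -> bytes:
    """Constructed sample: a zeroed 4 KiB volume with only the fields read above."""
    vol = bytearray(4096)
    struct.pack_into("<IH", vol, SUPERBLOCK_OFFSET + 48, wtime, mnt_count)
    struct.pack_into("<H", vol, SUPERBLOCK_OFFSET + 56, EXT_MAGIC)
    struct.pack_into("<II", vol, SUPERBLOCK_OFFSET + 92, compat, incompat)
    return bytes(vol)


if __name__ == "__main__":
    for label, incompat in (("clean", 0x0002), ("dirty", 0x0002 | INCOMPAT_RECOVER)):
        print(label, journal_status(build_sample(COMPAT_HAS_JOURNAL, incompat)))
```

Comparing `last_write_time` and `mount_count` from a copy taken before and after a Live CD session is a quick way to see whether the session touched the superblock; for ext3/ext4 the `noload` mount option alongside `ro` tells the kernel not to load the journal.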

Auto mount of block devices

When an evidence system is booted from a Live CD, a number of initrd scripts are executed in order to create a temporary root file system. However, this can also result in several writes to the file system, tampering with the evidence data. This can occur for several reasons, such as the execution of hardware detection scripts during boot time or mounting a file system in read-only mode while creating the temporary root file system.

Failure to properly write protect

Some distributions rely on device blocking scripts to set the underlying block devices of file systems to read-only mode. However, there are certain drawbacks to this approach: read-only mode only protects the file system's contents from processes running in user space, while driver code running in kernel space can still modify them.


Overall, this article has examined the use of Live CDs as a primary aid in any kind of forensic investigation, as it relates to either a computer or a wireless device. It is important to note that these tools should not be relied upon solely; rather, they should be used in conjunction with other forensics-based tools. The general security issues with Live CDs were also examined. In this regard, the use of a Live USB will address some of these issues.

Keep in mind that as new Live CDs come out, their primary intention is to evaluate new software and related applications. They are neither meant nor designed to be high-level security tools. Rather, they can be used at a lower level of security, such as removing malware, imaging a hard drive, and even conducting system recovery procedures.


Other potential, future uses of Live CDs include the testing and evaluation of new software applications, new hardware configurations, creating new passwords (in a manner similar to that of a Password Manager), and even screening a network infrastructure for any types of general vulnerabilities as well as clustering different groups of servers and computers together.

Chiragh Dewan

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc. for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security, including at a TEDx event.