
Live Rescue CDs

We evaluated four live Linux distros, which had tools for data recovery, network monitoring, intrusion detection and even anti-virus scanning 

Tuesday, April 12, 2005


Has your hard drive's partition ever crashed just 15 minutes before you were due to deliver a presentation to a customer? Or perhaps some virus, worm or Trojan crept into your network and choked the wits out of your bandwidth. How about this? A hacker managed to get into your machine (remotely or locally) and tampered with your corporate information. You know it's happened, but you need to give your boss authentic proof of the incident, which can later be used as evidence of the cyber crime.

While there are ways of securing your system against hackers and worm attacks, what do you do if you've lost data? That's when you wish you had something to help recover your valuable data. This story is about 'that something', known as live rescue CDs. A live rescue CD is a customized live CD containing specific tools for rescuing partitions and data, along with a few network-monitoring tools. The best thing about these CDs is that they can run on any machine, and most of them can read all standard partition types without any configuration. We've thoroughly evaluated four live rescue CDs to help you choose the right one for your needs. We've even given their ISO images on this month's DVD. You can burn them to a CD using any CD-burning software, like Nero. Using them is simple.

Just insert the CD into a drive, reboot the machine, and make sure that the BIOS is set to boot from the CD drive. A word of caution before we proceed any further: while running these CDs is pretty easy, using them isn't. You need a good working knowledge of Linux as well as PC hardware. None of the live CDs came with proper documentation, so you'll have to figure out which tools are bundled with each and then look up their individual websites for usage information. Therefore, we strongly suggest that you first try them out on a test machine and fully understand how to operate them before actually using them on a real system.

How we tested 
While testing these CDs, we had three things in mind. First, whether each could recover deleted partitions and, if so, which partition types, e.g., NTFS, ext2 and ext3. Next, we tested ease of configuration and usage. Finally, we looked at how many tools each included for monitoring and assessing a network.

To test the partition-recovery capabilities, we took a standard P4 machine with 256 MB RAM and a 40 GB hard disk and installed Linux on it. We then booted from a standard DOS floppy, ran the fdisk command and deleted all partitions. Next, we booted the machine with the live CD and tried to recover the partitions. We then installed Windows XP with the NTFS file system on the same machine and repeated the same process. We also destroyed the MBR and then tried to recreate it using the live CDs. We also tested the forensic tools to check whether they could recover data: we created and deleted some documents on both NTFS and ext3 partitions and tried to recover them as well.

At the end of our evaluation, we found the 'Fire' live rescue CD to be the best of the lot. It was a complete rescue CD with everything you might need after your machine has been compromised. The name FIRE comes from 'Forensic and Incident Response Environment', which gels with the performance we got from the CD. We found that this live CD had the most software for data recovery, forensics, network assessment and anti-virus.
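The partition-recovery test described above wipes the partition table or MBR while the filesystems themselves stay on disk. As an added example (not from the original article, and not the code of any tool on the reviewed CDs), the Python below shows one way such partitions can be located again: scanning a disk image for NTFS boot sectors and primary ext2/ext3 superblocks. The function names and the constructed 1 MiB image are assumptions made for illustration.

```python
import struct

SECTOR = 512

def scan_for_filesystems(image: bytes):
    """Return (type, start_lba, size_in_sectors) for each filesystem found."""
    found, lba = [], 0
    while lba < len(image) // SECTOR:
        off = lba * SECTOR
        sec = image[off:off + SECTOR]
        sb = image[off + 1024:off + 2048]  # ext2/ext3 superblock sits 1024 bytes in
        if sec[3:11] == b"NTFS    " and sec[510:512] == b"\x55\xaa":
            # NTFS boot sector: OEM ID at byte 3, volume sector count at 0x28.
            size = struct.unpack_from("<Q", sec, 0x28)[0]
            found.append(("NTFS", lba, size))
            lba += size + 1  # also step over the backup boot sector that follows
        elif len(sb) == 1024 and sb[56:58] == b"\x53\xef" and sb[90:92] == b"\0\0":
            # Magic 0xEF53 and block group 0: a primary superblock, not a backup copy.
            blocks, = struct.unpack_from("<I", sb, 4)
            log_bs, = struct.unpack_from("<I", sb, 24)  # block size = 1024 << log_bs
            compat, = struct.unpack_from("<I", sb, 92)  # bit 0x4 = has journal
            size = blocks * (1024 << log_bs) // SECTOR
            found.append(("ext3" if compat & 0x4 else "ext2", lba, size))
            lba += max(size, 1)  # skip the body so nothing inside is re-reported
        else:
            lba += 1
    return found

def ext_superblock(blocks, compat, group=0):
    """Constructed, minimal superblock holding only the fields scanned above."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 4, blocks)
    struct.pack_into("<H", sb, 56, 0xEF53)
    struct.pack_into("<H", sb, 90, group)
    struct.pack_into("<I", sb, 92, compat)
    return bytes(sb)

def make_demo_image():
    """Constructed 1 MiB disk: sector 0 (MBR) zeroed, two filesystems intact."""
    img = bytearray(2048 * SECTOR)
    ntfs = bytearray(SECTOR)
    ntfs[3:11], ntfs[510:512] = b"NTFS    ", b"\x55\xaa"
    struct.pack_into("<Q", ntfs, 0x28, 500)
    img[63 * SECTOR:64 * SECTOR] = ntfs
    img[563 * SECTOR:564 * SECTOR] = ntfs  # backup boot sector
    img[600 * SECTOR + 1024:600 * SECTOR + 2048] = ext_superblock(512, 0x4)
    return bytes(img)

if __name__ == "__main__":
    print(scan_for_filesystems(make_demo_image()))
```

The start sector and size reported for each hit are the values a new partition-table entry needs. On a real disk, run a scan like this against a read-only image rather than the drive itself.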

By Anindya Roy and Sanjay Majumder
