Live Linux distributions

The preferred method of creating an image of a hard drive is to remove it from the subject system. This is not always practical, however. For example, some laptops (including the one I am currently using to write this book) must be disassembled to remove the hard drive because they lack an access panel for this purpose. Booting a live Linux distribution in forensics mode can be the easiest option in such situations.

There are a couple of options available. Almost any live Linux will work, but it never hurts to use a forensics-oriented distribution like SIFT. You can either install it to its own USB drive or use the same USB drive that holds your known-good binaries. As I said earlier in this book, if you do this you will need to format the drive with multiple partitions. The first must be FAT in order for the drive to boot, and the partition holding the binaries must be formatted as ext2, ext3, or ext4 to preserve permissions (FAT does not store Unix ownership or permission bits).
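The layout rule above is easy to get wrong when a drive is reused, so the following added example (not from the book) checks it. The `check_usb_layout` function and the sample `lsblk` output are assumptions constructed for this example; it takes the `NAME FSTYPE` lines that `lsblk -rno NAME,FSTYPE /dev/sdX` prints and confirms that the first partition is FAT and that the named binaries partition is ext2, ext3, or ext4.

```shell
#!/bin/sh
# Added example, not part of the book: verify that a USB drive prepared to
# boot a live Linux and to carry known-good binaries has the layout the
# text requires.
#
# Typical commands used to create such a layout (run on the correct device;
# these are shown for reference only and are not executed here):
#   mkfs.vfat -F 32 /dev/sdX1     # first partition: FAT, so firmware can boot it
#   mkfs.ext4 /dev/sdX2           # binaries partition: ext4 keeps owner/mode bits
#
# check_usb_layout LISTING BINARIES_PARTITION
#   LISTING            lines of "NAME FSTYPE" as printed by
#                      lsblk -rno NAME,FSTYPE /dev/sdX (the disk line has no FSTYPE)
#   BINARIES_PARTITION name of the partition holding the binaries, e.g. sdb2
# Returns 0 when the layout is acceptable, 1 otherwise (reasons on stderr).
check_usb_layout() {
    printf '%s\n' "$1" | awk -v bin="$2" '
        NF < 2 { next }                       # the whole-disk line has no FSTYPE
        { n++; name = $1; fs = $2 }
        # first partition must be FAT or most firmware will not boot the drive
        n == 1 && fs !~ /^(vfat|fat|msdos)$/ {
            print "first partition " name " is " fs ", expected FAT" > "/dev/stderr"
            bad = 1
        }
        # binaries partition must be an ext filesystem so permissions survive
        name == bin {
            found = 1
            if (fs !~ /^ext[234]$/) {
                print "binaries partition " name " is " fs ", expected ext2/ext3/ext4" > "/dev/stderr"
                bad = 1
            }
        }
        END {
            if (!found) {
                print "binaries partition " bin " not found in listing" > "/dev/stderr"
                bad = 1
            }
            exit bad ? 1 : 0
        }'
}

# Stand-alone use: check_layout.sh /dev/sdb sdb2
if [ "$#" -ge 2 ]; then
    check_usb_layout "$(lsblk -rno NAME,FSTYPE "$1")" "$2" && echo "layout OK"
fi
```

Run it against the real device after partitioning and formatting; a non-zero exit means the drive either will not boot or will silently lose the ownership and permission bits on your trusted binaries.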

Some people like to use a live Linux distribution on the forensics workstation. I recommend against doing this. My primary objection is that performance is always relatively poor when running a live Linux distribution, as everything runs from RAM. If you are running the live distribution only for its write blocking, I recommend you use my udev rules-based blocking described earlier in this chapter instead.
