Discussion:
Live CD for forensics use (MilaX?)
Tim Garlick
2010-06-04 20:09:50 UTC
Hi all, I need a Live CD that I can boot from to investigate Solaris 10 and OpenSolaris systems that have been potentially compromised. The target OS is Solaris 10. This is complicated by the fact that the Solaris 10 system being investigated is a VirtualBox instance of S10 Update 8. I mount the Live CD ISO on the VM's virtual CD drive and then boot from that.

I've tried MilaX but I can't figure out how to mount the Solaris 10 root disk after I've booted to a text console with MilaX. VirtualBox doesn't display the graphics correctly when you boot the MilaX ISO in graphical mode. I haven't tried the VBox MilaX appliance yet, because that gives me a separate VM, when I need to get to the S10 VM.

So, my questions are:

- Is MilaX the best choice?
- If not, which distro is better?
- Either way, how do I mount the S10U8 VM's root disk once I've booted the Live CD?

Thanks for any pointers.
--
This message posted from opensolaris.org
Alexander Eremin
2010-06-05 08:05:56 UTC
Post by Tim Garlick
Hi all, I need a Live CD that I can boot from to investigate Solaris 10 and OpenSolaris systems that have been potentially compromised. The target OS is Solaris 10. This is complicated by the fact that the Solaris 10 system being investigated is a VirtualBox instance of S10 Update 8. I mount the Live CD ISO on the VM's virtual CD drive and then boot from that.
I've tried MilaX but I can't figure out how to mount the Solaris 10 root disk after I've booted to a text console with MilaX. VirtualBox doesn't display the graphics correctly when you boot the MilaX ISO in graphical mode. I haven't tried the VBox MilaX appliance yet, because that gives me a separate VM, when I need to get to the S10 VM.
- Is MilaX the best choice?
- If not, which distro is better?
- Either way, how do I mount the S10U8 VM's root disk once I've booted the Live CD?
Thanks for any pointers.
Hi Tim,
You can use the 'format' utility to find the disk name and root partition, then
mount it.
For this you can use any OpenSolaris/Belenix/MilaX LiveCD.

You can also find and mount all UFS partitions:

#!/bin/sh

# Try every node under /dev/dsk: fstyp prints the filesystem type for the
# ones that carry a recognisable filesystem and fails for the rest.
solaris=0
for dnode in /dev/dsk/*
do
        type=`/usr/sbin/fstyp $dnode 2> /dev/null`

        if [ "x$type" = "xufs" ]
        then
                # one mount point per UFS slice: /mnt/solaris0, /mnt/solaris1, ...
                /usr/bin/mkdir -p /mnt/solaris$solaris
                /sbin/mount -F $type $dnode /mnt/solaris$solaris
                solaris=`expr $solaris + 1`
        fi
done


Cheers,
--
::alhazred
Richard L. Hamilton
2010-06-05 16:49:24 UTC
Post by Alexander Eremin
You can use the 'format' utility to find the disk name and root partition, then
mount it.
For this you can use any OpenSolaris/Belenix/MilaX LiveCD.
You can also find and mount all UFS partitions:
[...]
/sbin/mount -F $type $dnode /mnt/solaris$solaris
[...]
Although if they're serious about forensics use, they'd need to use

/sbin/mount -F $type -o ro $dnode /mnt/solaris$solaris

because you absolutely positively do not want to mess with the evidence.

(better would be to have a copy of the disk or disk image made and work
on that, never touching the original at all, unless getting into high-end
data recovery on it)
--
This message posted from opensolaris.org
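As an added example (not code posted in this thread), the script below puts Alexander's enumerate-and-mount loop and Richard's two points (mount read-only; better still, image the disk and work on the copy) into one procedure for a Solaris 10 x86 guest. It assumes the Solaris 10 paths for fstyp, mount, dd, digest and lofiadm, the x86 device names a VirtualBox guest shows (c0d0p0 for the whole disk, c0d0s0 and so on for the slices, block nodes under /dev/dsk and raw nodes under /dev/rdsk), a separate evidence disk mounted at /evidence to hold the images, and a POSIX shell. Every tool is reached through a variable, so the logic can be exercised against stubs away from the target; the mount options, the skip of fdisk-partition nodes and the lofi handling are this example's choices, not anything the posters wrote.

```shell
#!/bin/sh
# Read-only examination of a suspect Solaris 10 disk from a live CD.
# Added example, not code from the thread.  Assumptions: Solaris 10 paths
# for fstyp(1M), mount(1M), dd(1M), digest(1) and lofiadm(1M); x86 device
# names as seen in a VirtualBox guest (c0d0p0 = whole disk, c0d0s0..s7 =
# slices; block nodes in /dev/dsk, raw twins in /dev/rdsk); a POSIX shell
# (the OpenSolaris live CD /bin/sh is ksh93; on Solaris 10 itself use
# /usr/xpg4/bin/sh, the legacy /bin/sh lacks $(...)).  Tools are reached
# through variables so the logic can be exercised against stubs off-target.

DEV_DIR=${DEV_DIR:-/dev/dsk}        # block nodes, used for mounting
RDEV_DIR=${RDEV_DIR:-/dev/rdsk}     # raw nodes, used for imaging
MNT_BASE=${MNT_BASE:-/mnt/evidence} # mount points for the evidence
IMG_DIR=${IMG_DIR:-/evidence}       # a separate disk for images: never the
                                    # suspect disk, not the live CD ramdisk
FSTYP=${FSTYP:-/usr/sbin/fstyp}
MOUNT=${MOUNT:-/sbin/mount}
DD=${DD:-/usr/bin/dd}
DIGEST=${DIGEST:-/usr/bin/digest}
LOFIADM=${LOFIADM:-/usr/sbin/lofiadm}
# ro: nothing on the evidence is written.  nosuid: a setuid binary planted
# in the compromised root cannot be run with privilege from the live CD.
MOUNT_OPTS=${MOUNT_OPTS:-ro,nosuid}
MOUNTED=0

# mount_ro <device> <mountpoint> [fstype]
# Mounts one device read-only and prints "<device> <mountpoint> <fstype>".
mount_ro() {
    type=${3:-$("$FSTYP" "$1" 2>/dev/null)}
    [ -n "$type" ] || { echo "no recognised filesystem on $1" >&2; return 1; }
    mkdir -p "$2" || return 1
    "$MOUNT" -F "$type" -o "$MOUNT_OPTS" "$1" "$2" || return 1
    echo "$1 $2 $type"
}

# mount_all_ufs
# Walks DEV_DIR, mounts every UFS slice read-only under MNT_BASE/<node> and
# sets MOUNTED to the number mounted.  Fdisk-partition nodes (pN) are
# skipped because they overlap the slices.  Anything fstyp identifies as
# something other than UFS (zfs, the live CD's own hsfs) is reported and
# left alone: importing a ZFS pool writes to its labels, so do that only
# against a copy.
mount_all_ufs() {
    MOUNTED=0
    for dnode in "$DEV_DIR"/*; do
        name=${dnode##*/}
        case $name in *p[0-9]*) continue ;; esac
        type=$("$FSTYP" "$dnode" 2>/dev/null) || continue   # swap, empty, unknown
        case $type in
            ufs) mount_ro "$dnode" "$MNT_BASE/$name" ufs && MOUNTED=$((MOUNTED + 1)) ;;
            *)   echo "skipped $dnode: $type (not mounted)" >&2 ;;
        esac
    done
}

# image_disk <node> <image-file>
# Copies the raw device to a file, hashes source and copy, stores the hash
# next to the image and prints it.  Image p0 to preserve the whole disk;
# image the slice holding root (s0) as well, because Solaris 10 lofi
# presents an image as one device with no slice table, so only a slice
# image can be mounted through it.  dd's record counts and any read errors
# stay on stderr so they can go into the case notes.
image_disk() {
    dev="$RDEV_DIR/$1"; img="$2"
    "$DD" if="$dev" of="$img" bs=1024k || return 2
    src=$("$DIGEST" -a sha1 "$dev") || return 2
    dst=$("$DIGEST" -a sha1 "$img") || return 2
    [ "$src" = "$dst" ] || { echo "hash mismatch: $dev vs $img" >&2; return 1; }
    printf '%s  %s\n' "$dst" "$img" > "$img.sha1"
    echo "$dst"
}

# mount_image <image-file> <mountpoint>
# Attaches the image through lofi (lofiadm -a prints the new /dev/lofi/N
# node) and mounts that device read-only.
mount_image() {
    lofi=$("$LOFIADM" -a "$1") || return 1
    mount_ro "$lofi" "$2"
}

# Stand-alone use on the live CD: image the root slice (default c0d0s0),
# then mount the copy via lofi.  Guarded so the file can also be sourced
# for its functions, and so it does nothing where the Solaris tools and
# the evidence disk are absent.
if [ -x "$FSTYP" ] && [ -d "$RDEV_DIR" ] && [ -d "$IMG_DIR" ]; then
    slice=${1:-c0d0s0}
    image_disk "$slice" "$IMG_DIR/$slice.dd" \
        && mount_image "$IMG_DIR/$slice.dd" "$MNT_BASE/$slice"
fi
```

On the VirtualBox guest in question: attach a second virtual disk to the S10 VM, boot MilaX to the text console, put a filesystem on the new disk and mount it at /evidence, then run the script with the root slice name `format` reported. To look at the live disk instead of a copy, source the file and call `mount_all_ufs`; the lines it prints are the device-to-mountpoint map for the notes. If mount reports that a slice's state is not okay, do not fsck the original; fsck the image if you must. An OpenSolaris root is a ZFS pool, which this script deliberately does not import.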
Alexander Eremin
2010-06-05 17:33:11 UTC
Post by Richard L. Hamilton
Although if they're serious about forensics use, they'd need to use
/sbin/mount -F $type -o ro $dnode
because you absolutely positively do not want to mess with the evidence.
(better would be to have a copy of the disk or disk image made and work
on that, never touching the original at all, unless getting into high-end
data recovery on it)
Right,
thanks Richard.

Cheers,
Alex
--
This message posted from opensolaris.org