Variations on a Theme

When I first started doing computer forensics I used a windows based tool called EnCase. They have since grown into the Microsoft of the forensics world using many of the draconian and bullying tactics that the software giant uses.

I had heard of Linux when I started in the computer crimes unit(back in November of 2000) but hadnt really explored it. I bought a linux for dummies book(gasp!)and had my first linux experience with RH 7.0. Since then I have progressed to Mandrake, Debian and Slackware. I dont really care for RPM based distros and I am not a masocist so Gentoo is out of the question(though I understand there is a new distro that uses a graphical installer). I have installed Suse as the OS in my son's computer lab at school.

Anyway, my unit is pretty locked into a Windows way of doing forensics. In fact I am the only one who performs forenisc previews and exams in Linux. Now, to be fair, I still use Windows forensic tools because quite frankly they do the job damn well. But more and more I am leaning toward Linux as my forensic OS.

Why Linux as a forenisc OS? It doesnt crash. It handles resources better. I have more control over what I am doing. Its hela cool. Firewire and USB devices can be maddening however. I recently tried gettting a forensic image of a compact flash card and while I could get Linux to recognize the card reader(we have two in the office..a lexar and a belkin)I wasnt able to access the media. I might have eventually been able to get it to work but I ran out of time, broke down and used my windows imaging program. I'm not blaming Linux, I blame the hardware manufacturer's for buying into the whole wintel syndicate.

Its bizzare that more law enforcement agencies dont convert over to Linux, especially those that do any sort of forensics. The total cost of ownership alone should sway them. Resistantance to change. Unfamilarity. And, God forbid, actually having to get your hands dirty on figuring out how to make things think that would help in courtroom testimony.

Oh Well.