
Re: [debian-knoppix] Swapoff -a?



Klaus,

I'm thinking that if the Knoppix CD mounts a swap partition as read-write during the boot process, there is a risk that any information previously stored in the swap partition may be modified. This could compromise the integrity of any collected information for forensic analysis.

Common forensic analysis steps include:

On a live system:
1. Run scripts from trusted CD to collect information about currently running processes and services, logged on users, information which may be cached in memory, etc.

On a system that has been shut down:
2. Boot from CD.
3. Image hard drive using DD.

If Knoppix is used for #2 on a Linux system with swap partitions, can it affect the results of #3 and any MD5 checksums that would be created before and after imaging?

Regards,
Brian

From: Klaus Knopper <knopper@linuxtag.org>
Date: Wed, 8 May 2002 19:13:21 +0200

On Wed, May 08, 2002 at 01:01:37PM -0400, Brian Anon wrote:
> When does Knoppix mount swap partitions?  During the boot process?

In /etc/init.d/knoppix-autoconfig, yes.

> Is it possible to build a different Knoppix CD where this behaviour is
> disabled by default?  This would allow it to be enabled when required.

Should the default behaviour not be to use swap when present, and
disable it when it needs to be disabled? Most users boot straight to KDE,
and RAM is critical there.

Those using Knoppix as rescue system should usually know how to disable
swap when they are modifying partitions manually.

Regards
-Klaus



_______________________________________________
debian-knoppix mailing list
debian-knoppix@linuxtag.org
http://mailman.linuxtag.org/mailman/listinfo/debian-knoppix
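
The concern raised in this thread, as an added example that is not part of the original messages or of Knoppix: a shell check that refuses to image a disk while /proc/swaps lists an active swap partition on it, and compares MD5 sums of the source taken before and after `dd`. The function names and the sample /proc/swaps content are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-imaging check for active swap on the evidence disk.

# Constructed sample of /proc/swaps after a boot that auto-enabled swap.
write_sample_swaps() {
    cat > "$1" <<'EOF'
Filename	Type	Size	Used	Priority
/dev/hda5	partition	265032	0	-1
EOF
}

# Print every active swap partition whose name starts with DISK (e.g. /dev/hda).
# SWAPS_FILE defaults to /proc/swaps; a saved or constructed copy can be passed.
active_swaps_on() {
    disk=$1
    swaps=${2:-/proc/swaps}
    # Skip the header line, then prefix-match the device column.
    awk -v d="$disk" 'NR > 1 && index($1, d) == 1 { print $1 }' "$swaps"
}

# Image SRC to DST only if no swap on SRC is active.
# Returns 0 when the source hash is unchanged by imaging and matches the image.
image_with_check() {
    src=$1
    dst=$2
    swaps=${3:-/proc/swaps}
    active=$(active_swaps_on "$src" "$swaps")
    if [ -n "$active" ]; then
        echo "refusing to image $src, active swap: $active" >&2
        return 1
    fi
    before=$(md5sum < "$src" | cut -d' ' -f1)
    dd if="$src" of="$dst" bs=64k 2>/dev/null || return 1
    after=$(md5sum < "$src" | cut -d' ' -f1)
    image=$(md5sum < "$dst" | cut -d' ' -f1)
    [ "$before" = "$after" ] && [ "$before" = "$image" ]
}

# Usage: sh script.sh /dev/hda /mnt/evidence/hda.img
if [ "$#" -eq 2 ]; then
    image_with_check "$1" "$2" && echo "image verified, md5 $image"
fi
```

The check only reports swap that is active at the time it runs, so it belongs before the first hash is taken.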

