Helix – Incident Response & Computer Forensics Live CD by e-fenseâ„¢, Inc.
I was researching the Linux command, dd, and GParted because I wanted to migrate some data on old disk drives to my new disk drive and to see if I could copy a drive and debug a hardware/software problem on a PC I am working on. There are existing Windows solutions but I was curious about the state of the art on Linux.
I originally tried Ubuntu but GParted did not copy the partition for me?! I then went to Gparted Live CD and it worked for the NTFS partition I was playing with. The Linux partition was a bit more complicated. It is the LVM partition I used for my Fedora Core 4 installation and Gparted will not copy LVN partitions. Hmm…bummer!
I briefly tried the LVM commands to add a new LVM physical drive to the volume group and move the data from the existing LVM physical drive to the new drive. It did not work for me and with some more work I am pretty sure I could make it work since that is one of things LVM should be able to do. However, my interests in cloning the drive were very similar to copying the drive for forensic work so I decided to see what the Pros use for creating copies of disk drives. That led me to Helix.
I had previously downloaded and played with Helix 1.5 and 1.6. Helix 1.6(Knoppix) had problems with correctly recognizing my CD-ROM so I downloaded the newest version to see if it did a better job with the CD-ROM and to see if they had a frontend tool for dd/dcfldd. The CD-ROM worked and I found a frontend acquisition tool called Adepto. Adepto is an improved version of AIR – Automated Image and Restore which is also on the disk. So I cloned the old hard drive.
Mounting cloned drive was a little hard under Helix. I had to:
sudo vgscan
sudo vgchange -a y
before I could:
sudo mount /dev/VolGroup00/LogVol00 /media/sda3
Mounting the partition under Ubuntu was much easier. Now to go clone a copy of the PC’s disk drive I want to troubleshoot.