Friday, October 15, 2010

Backtrack 4 liveCD now provides forensics capabilities

Backtrack 4, the latest release of the popular penetration testing distribution, now has an interesting option related to forensics.

You may want to check here for a gentle introduction to the new feature added to the latest release: the option of booting Backtrack 4 in forensics mode, which mounts no devices and therefore does not interfere with the evidence collection process.

However, the digital forensic investigator using this tool must be aware of two things (we may call them cons for now; I hope to change my assessment in the coming months):
  • verification
  • forensic option not the default
For the first one, I guess it's a question of time before the community is confident BT 4 is usable as a forensic tool (as we are confident Helix 3 is...). In the meantime, I think we need to work on getting BT 4 to that status. I plan to go through several tests to confirm that BT 4 behaves as expected from a forensic point of view. I'll post my findings soon.

Regarding the second topic, the boot menu BT 4 shows doesn't have the forensic entry selected by default. Even though the boot delay is long enough (30 seconds), there is still a risk of messing something up if you forget to select the forensic menu entry (if the boot proceeds unattended, BT 4 will boot in non-forensic mode). Fortunately, this can be easily solved by changing the GRUB menu and creating a new ISO image for BT 4. Those changes can be made using this helpful script. I plan to take a look at this and see if the outcome is the expected one: making the forensics option from the boot menu the default.
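As an added illustration of the GRUB change described above (example code, not from the original post, the linked script or the BackTrack project), the shell functions below locate the menu.lst entry whose title mentions "forensic" and point GRUB legacy's `default N` directive at it. The three-entry menu.lst is constructed for the example; the real BT 4 titles, kernel options and paths may differ.

```shell
# Added example, not code from the original post or from BackTrack itself.
# Makes the GRUB-legacy menu entry whose title mentions "forensic" the
# "default N" entry, so an unattended boot lands in forensics mode.
# Entry titles and paths below are constructed for illustration.

# Write a constructed menu.lst resembling a three-entry live-CD boot menu.
make_sample_menu() {
    cat > "$1" <<'EOF'
default 0
timeout 30
title Start BackTrack FrameBuffer (1024x768)
kernel /boot/vmlinuz boot=casper quiet
initrd /boot/initrd.gz
title Start BackTrack FrameBuffer (800x600)
kernel /boot/vmlinuz boot=casper quiet
initrd /boot/initrd.gz
title Start BackTrack Forensics (no swap, no automount)
kernel /boot/vmlinuz boot=casper quiet noswap noautomount
initrd /boot/initrd.gz
EOF
}

# Zero-based index of the first "title" line matching $2 (case-insensitive);
# GRUB legacy's "default N" counts entries this way. Fails if none matches.
forensic_entry_index() {
    awk -v pat="$2" '
        /^[ \t]*title[ \t]/ {
            if (!found && tolower($0) ~ tolower(pat)) { print idx; found = 1 }
            idx++
        }
        END { exit !found }' "$1"
}

# Point "default N" at that entry: replace an existing directive, or insert
# one before the first title (global commands must precede the entries).
# Writes to a temp file and replaces menu.lst only if everything succeeded.
set_forensic_default() {
    idx=$(forensic_entry_index "$1" forensic) || return 1
    tmp="$1.tmp.$$"
    awk -v n="$idx" '
        /^[ \t]*default[ \t]/ { if (!done) print "default " n; done = 1; next }
        /^[ \t]*title[ \t]/ && !done { print "default " n; done = 1 }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}
```

After running `set_forensic_default /path/to/menu.lst` on the extracted ISO contents, the edited file still has to be rebuilt into a new bootable image; this block only performs the menu edit.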
