On Thursday, 24 February 2011 at 03:28 +0100, Derrick Karpo wrote:
> Christophe I think this is a useful idea. I have been doing something
> similar manually on our forensics machines in the office but it would
> be much easier to just tasksel 'forensics' and call it a day. All of
> your suggestions are good. Some other things that may be of value:
>
> o disallow mounting of external swap partitions
> o associate certain mime types (i.e. .txt, .doc) with read-only
> viewers (i.e. browser, doc viewer)
> o force journaled filesystems to loop mount (i.e. 'ext3 -o ro,loop')
> to prevent journal recovery
>
> I don't have any experience with tasksel but if you are looking for
> assistance I would be happy to help where I can.
>
> Derrick
It sounds like they are good ideas too. So here is what we have:

1) Installing all the forensics packages + a few useful packages.
2) Disabling any automount feature of the different graphical installers.
3) Adding an /etc/sudoers.d/forensic file to give the forensics people the ability to mount systems without being root and maybe without a password.
4) Allow more loop devices than 8.
5) Modify initramfs in order to not modify disks at boot time.
6) Disallow mounting of external swap partitions.
7) Associate certain mime types (i.e. .txt, .doc) with read-only viewers (i.e. browser, doc viewer).
8) Force journaled filesystems to loop mount (i.e. 'ext3 -o ro,loop') to prevent journal recovery.

Now, we need someone with tasksel experience, or to learn tasksel by ourselves.

--
Christophe Monniez <christophe.monn...@fccu.be>

_______________________________________________
forensics-devel mailing list
forensics-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/forensics-devel
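Items 3, 4 and 8 of the list above (non-root mounting, more loop devices, read-only loop mounts that do not replay the journal) can be captured in a small shell helper. The script below is an added example written for this thread, not code from the Debian forensics packages or from either poster. It assumes the caller supplies the image path, mount point and filesystem type; the function names `forensic_mount_opts` and `forensic_mount_image` are hypothetical. The important caveat it encodes: a plain `-o ro,loop` is not enough for ext3/ext4, because the kernel will still replay an unclean journal onto the device unless `noload` is given (XFS has the equivalent `norecovery`), and the loop device itself should be created read-only with `losetup -r` so that a driver bug cannot write back to the image file.

```shell
#!/bin/sh
# Added example for the forensics-devel thread; not part of any Debian package.
# Assumed interface: forensic_mount_image IMAGE MOUNTPOINT FSTYPE (run via sudo).

# Build the mount option string for a given filesystem type.
# 'ro' alone does not stop ext3/ext4 from replaying a dirty journal, so
# 'noload' is added for those; XFS needs 'norecovery' for the same reason.
# noexec/nodev/nosuid keep evidence content from being executed or honoured
# as device nodes on the examination machine.
forensic_mount_opts() {
    fstype="$1"
    opts="ro,noexec,nodev,nosuid"
    case "$fstype" in
        ext3|ext4) opts="$opts,noload" ;;
        xfs)       opts="$opts,norecovery" ;;
        *)         ;;   # other types: rely on 'ro' only
    esac
    printf '%s\n' "$opts"
}

# Attach the image to a read-only loop device and mount it with the
# options above. 'losetup -r' makes the loop device itself read-only,
# so even a filesystem driver that ignores 'ro' cannot modify the image.
forensic_mount_image() {
    image="$1"
    mountpoint="$2"
    fstype="$3"
    opts=$(forensic_mount_opts "$fstype") || return 1
    loopdev=$(losetup -r -f --show "$image") || return 1
    if ! mount -t "$fstype" -o "$opts" "$loopdev" "$mountpoint"; then
        losetup -d "$loopdev"
        return 1
    fi
    printf 'mounted %s on %s via %s (%s)\n' "$image" "$mountpoint" "$loopdev" "$opts"
}
```

For item 4, the loop module's real `max_loop` parameter (e.g. `options loop max_loop=64` in a file under /etc/modprobe.d/) raises the number of loop devices above the default of 8 on kernels of that era. For item 3, a sudoers.d rule limited to `/sbin/losetup`, `/bin/mount` and `/bin/umount` for a dedicated group is enough to let examiners call this helper without a root shell; granting broader sudo rights would defeat the point of keeping the examination account unprivileged.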