BackTrack Linux introduced a “Forensic Boot” option to the operating system that continued on through BackTrack 5 and now exists in Kali Linux. The “Forensic Boot” option has proven to be very popular due to the widespread availability of this operating system. Many people have Kali ISOs lying around, and when a forensic need comes up it is quick and easy to put Kali Linux to the job. Pre-loaded with the most popular open source forensic software, Kali is a handy tool when you need to do some open source forensic work.
When booted into the forensic boot mode, there are a few very important changes that are made.
First off, the internal hard disk is not touched: any swap partition is left unused and no internal disk is auto-mounted. To verify this, we took a standard system, removed the hard drive, attached it to a commercial forensic package, and took a hash of the drive. We then re-attached the drive to the computer and booted Kali in forensic boot mode. After using Kali for a period of time, we shut the system down, removed the hard drive, and took the hash again. The hashes matched, indicating that nothing on the drive was changed at any point.
The other, equally important, change is that auto-mounting of removable media is disabled, so thumb drives, CDs, and so on are not auto-mounted when inserted. The idea behind all of this is simple: nothing should happen to any media without direct user action. Anything that you do as a user is on you.
If you are interested in using Kali for real-world forensics of any type, we recommend that you don’t just take our word for any of this. All forensic tools should always be validated so that you know how they will behave in any circumstance in which you may place them.
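The validation described above (hash the evidence disk before and after a session, and confirm that no swap is active and nothing from that disk is mounted while in forensic mode) can be scripted. The following is an added example, not Kali's own code or code from the original page; it assumes the evidence disk is `/dev/sda` (override with `DISK=/dev/sdX`) and that the `before` step is run from a trusted system or write-blocked attachment.

```shell
#!/usr/bin/env bash
# Added validation helper (not Kali's own code, not from the original page).
# It checks the two properties the page describes for forensic boot mode:
# no swap in use and nothing from the evidence disk mounted, plus an
# identical SHA-256 of the evidence disk before and after the session.
# Assumption: the evidence disk is /dev/sda (override with DISK=/dev/sdX).

# Succeeds when /proc/swaps-style input (header + one line per swap) lists none.
swap_inactive() {
  ! tail -n +2 | grep -q .
}

# Succeeds when no mount in /proc/mounts-style input is backed by disk "$1"
# or one of its partitions (sda1, nvme0n1p1, ...).
disk_unmounted() {
  local disk="$1"
  ! awk -v d="$disk" '$1 ~ ("^" d "(p?[0-9]+)?$")' | grep -q .
}

# Prints the SHA-256 digest of a block device or file, nothing else.
hash_device() {
  sha256sum "$1" | awk '{ print $1 }'
}

# Succeeds only when two non-empty digests are identical.
hashes_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

DISK="${DISK:-/dev/sda}"
case "${1:-}" in
  check)   # run after booting Kali in forensic mode
    swap_inactive </proc/swaps && echo "swap: none active" || echo "swap: ACTIVE"
    disk_unmounted "$DISK" </proc/mounts && echo "$DISK: not mounted" || echo "$DISK: MOUNTED"
    ;;
  before)  # run before the session; "$2" is the file to store the digest in
    hash_device "$DISK" > "$2"
    ;;
  after)   # run afterwards; "$2" is the digest file written by 'before'
    if hashes_match "$(cat "$2")" "$(hash_device "$DISK")"; then
      echo "$DISK unchanged"
    else
      echo "$DISK CHANGED" >&2
      exit 1
    fi
    ;;
esac
```

Usage: `./forensic-check.sh before sda.sha256` on the trusted system, `./forensic-check.sh check` from the forensic boot, then `./forensic-check.sh after sda.sha256` once the drive is back on the trusted system.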