Forensic Soundness of Live Linux Distributions

Hello,

One of my colleagues brought up this article recently: A live forensic distribution writing to a suspect drive – My DFIR Blog

According to the author’s findings, even some live Linux distributions that are labeled “forensic” were altering the data on the suspect drive in some cases. Has anyone compiled a list of:

  • Which Linux distributions (and possibly WinFE) handle this properly
  • Any hardware devices such as Ditto, TX1, Falcon etc. that are known to suffer from the same issue?

I found a thread on FF from 2018 where the author of the article says:

Tableau TX1 is using my kernel patch (but not the userspace tools).

We will do our own testing with the devices that are available to us but just wanted to see if there are any existing test results out there that cover this scenario. Thx

The distinction between a hardware and a software write blocker becomes a bit fuzzy when hardware forensic duplicators are built on a custom Linux kernel :smile:
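For the “do our own testing” part, here is an added example (not from the post or the linked article) of a small Python harness for the before/after check: image the suspect drive once before booting the live distribution with it attached and once after, then report whether the images match and which sectors differ. It assumes raw dd-style images; the two sample images below are constructed inline, with a single byte changed in sector 2 to stand in for a mount-count or timestamp update.

```python
import hashlib
import tempfile
from pathlib import Path

SECTOR = 512  # assumption: 512-byte logical sectors


def sha256_file(path, chunk=1 << 20):
    """Whole-image hash, streamed so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def changed_sectors(before, after, sector=SECTOR):
    """Return [(sector_index, byte_offset)] for every sector that differs.
    A size difference shows up as trailing sectors that differ from b''."""
    diffs = []
    with open(before, "rb") as fb, open(after, "rb") as fa:
        idx = 0
        while True:
            b, a = fb.read(sector), fa.read(sector)
            if not b and not a:
                break
            if b != a:
                diffs.append((idx, idx * sector))
            idx += 1
    return diffs


def soundness_report(before, after):
    """Summarise whether the post-boot image is byte-identical to the baseline."""
    h_before, h_after = sha256_file(before), sha256_file(after)
    diffs = changed_sectors(before, after)
    return {"unchanged": h_before == h_after and not diffs,
            "sha256_before": h_before, "sha256_after": h_after,
            "changed_sectors": diffs}


def make_sample_images():
    """Constructed 8-sector baseline plus a copy with one byte altered in sector 2."""
    d = Path(tempfile.mkdtemp())
    data = bytearray(b"\x00" * SECTOR * 8)
    before = d / "before.img"
    before.write_bytes(data)
    data[2 * SECTOR + 0x34] ^= 0x01  # flip one byte inside sector 2
    after = d / "after.img"
    after.write_bytes(data)
    return str(before), str(after)


if __name__ == "__main__":
    b, a = make_sample_images()
    print(soundness_report(b, a))  # unchanged: False, changed_sectors: [(2, 1024)]
```

On a real drive, the changed-sector offsets tell you what the distribution touched (for example the filesystem superblock region) and are far more useful evidence than a bare hash mismatch.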