About Grml-Forensic

Main

Grml-Forensic is a derivative of the Grml Linux live system which has been modified to aid in forensic investigations and data rescue tasks. Grml itself is a well known and established Debian based live system for system administrators. On top of that Grml-Forensic provides all the features of Grml and additionally includes several forensic tools and default operating modes for secure analysis. One of the main features of Grml-Forensic is, that it doesn't modify anything unless it's explicitly told to do so, so it's possible to investigate systems without risking compromised evidence.

What's the difference between Grml and Grml-Forensic?

Grml-Forensic's features:

• defaults to a secure boot mode (known as the 'forensic' bootoption at grml) for forensic investigations which forces all blockdevices in readonly mode
• includes software selection for forensic investigations and data rescue tasks
• automatically boots into X Window System (can be disabled via bootoption 'nostartx')
• based on Debian/testing

References

Grml-Forensic is used by forensic teams of various law enforcement departments as well as professional data recovery organisations.