I was preparing course material for one of my training programs on digital forensics and thought it would be a good idea to write a post about the bootable Live CDs available to digital forensic investigators. These Live CDs carry a set of forensic tools and can either be run on a running suspect system or be used to boot the suspect system. I have listed only well-known Live CDs that are widely used.
SIFT (SANS Investigative Forensic Toolkit) Workstation is my favorite one. It was created by Rob Lee at the SANS Institute on top of Ubuntu and comes pre-configured with several digital forensic examination tools. Its current version is 2.14 and it is available to download at no charge in two flavors: a VMware appliance and an installation DVD (.iso file).
Helix3 is another well-known Linux distribution built on top of Ubuntu that focuses on incident response and computer forensics. It is developed by e-fense. The most recent release of Helix3 is 2009R1 and can be downloaded from the e-fense store. In 2009 e-fense announced that Helix3 would no longer be free to download and that there is no plan to update the free version. The paid version is called Helix3 Pro; its latest version, 2009R3, was released in December 2009. At this time, e-fense is no longer planning to develop Helix3 Pro further. Although the tool has not been updated for a long time, it is still widely used by digital forensic practitioners. While it can be used as a bootable Live CD, it also provides a collection of executables that can be run on a live system.
CAINE (Computer Aided Investigative Environment) is another forensics distro based on Ubuntu and resembles Helix3 in functionality and environment. CAINE is developed by Tony Brijeski and provides a friendly Windows autorun GUI and a number of analysis tools. The ISO image of the current version is available for free download at cain3.0.
DEFT (Digital Evidence & Forensic Toolkit) is based on Linux kernel 3 and DART (Digital Advanced Response Toolkit). It is developed and maintained by an Italian team and is distributed both as an .iso file and as a virtual appliance. The current version, which is distributed free of charge, is 7.2. DEFT includes up-to-date forensic-specific tools for imaging, processing, and analyzing cases.
Raptor is another forensic bootable CD from Forward Discovery. It is based on Ubuntu and the latest free version of Raptor is 2.5. It is also available for sale as a pre-installed USB device.
BackTrack is a well-known, full-fledged penetration testing Linux distro that can be used for forensic purposes as well. It is based on Ubuntu Lucid and you can download either the GNOME or the KDE edition. BackTrack is forensically sound if it is booted in “Start BackTrack Forensics” mode, in which the file systems are not mounted and swap space is not used.
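Whatever Live CD you boot, the property that makes it forensically sound is the one just described for BackTrack: no file system from the suspect's disks gets mounted and no swap partition gets activated, because either would write to the evidence. The following script is an added example written for this post, not part of any of the distributions above; it shows how an examiner can verify that property from the kernel's own mount and swap tables before touching any evidence. The file contents below are constructed sample data standing in for `/proc/mounts` and `/proc/swaps`, and the device-name patterns it treats as "suspect disks" (`/dev/sd*`, `/dev/hd*`, `/dev/nvme*`, `/dev/mmcblk*`, `/dev/vd*`) are an assumption you should extend for other device naming schemes (for example `/dev/mapper/*`).

```shell
#!/bin/sh
# Added example (not from the original post or any distro): check that a
# forensic live boot left the suspect's disks untouched by inspecting the
# kernel mount table and swap table. On a real live system call
#   forensic_boot_ok /proc/mounts /proc/swaps
# The sample files below are constructed for demonstration only.

# count_disk_mounts MOUNTS_FILE
# Number of mounted entries whose source is a local block device. The live
# medium itself (/dev/sr0, /dev/loop*) and pseudo file systems are ignored.
# Device-name patterns are an assumption; extend them for /dev/mapper etc.
count_disk_mounts() {
    awk '$1 ~ /^\/dev\/(sd|hd|nvme|mmcblk|vd)/ { n++ } END { print n + 0 }' "$1"
}

# count_active_swaps SWAPS_FILE
# /proc/swaps has one header line; every further non-empty line is an
# active swap area (partition or file), any of which means writes happened.
count_active_swaps() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# forensic_boot_ok MOUNTS_FILE SWAPS_FILE
# Exit status 0 when no suspect disk is mounted and no swap is active.
forensic_boot_ok() {
    m=$(count_disk_mounts "$1")
    s=$(count_active_swaps "$2")
    [ "$m" -eq 0 ] && [ "$s" -eq 0 ]
}

# --- constructed sample inputs -------------------------------------------
WORKDIR=$(mktemp -d)

# A sound live boot: only the CD, the squashfs overlay and pseudo file systems.
GOOD_MOUNTS="$WORKDIR/mounts.good"
cat > "$GOOD_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/dev/loop0 /rofs squashfs ro,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
GOOD_SWAPS="$WORKDIR/swaps.good"
printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$GOOD_SWAPS"

# A boot that auto-mounted the suspect's root partition and enabled its swap.
BAD_MOUNTS="$WORKDIR/mounts.bad"
cp "$GOOD_MOUNTS" "$BAD_MOUNTS"
echo '/dev/sda1 /media/sda1 ext4 rw,relatime 0 0' >> "$BAD_MOUNTS"
BAD_SWAPS="$WORKDIR/swaps.bad"
cp "$GOOD_SWAPS" "$BAD_SWAPS"
printf '/dev/sda2                               partition\t2097148\t0\t-2\n' >> "$BAD_SWAPS"

# --- demonstration ---------------------------------------------------------
for pair in "$GOOD_MOUNTS:$GOOD_SWAPS" "$BAD_MOUNTS:$BAD_SWAPS"; do
    mounts=${pair%%:*}
    swaps=${pair#*:}
    if forensic_boot_ok "$mounts" "$swaps"; then
        echo "OK   $mounts: no suspect disk mounted, no swap active"
    else
        echo "FAIL $mounts: $(count_disk_mounts "$mounts") disk mount(s)," \
             "$(count_active_swaps "$swaps") active swap area(s)"
    fi
done
```

Run it once right after the live environment comes up and keep the output with the case notes; a read-only mount of an evidence partition still shows up as a mount here, which is deliberate, since the examiner should decide explicitly what gets attached rather than inherit whatever the distro's automounter did.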