Do You Knoppix?

By Bryon D Beilman

One of the tools I would recommend for any technical based IT professional is the Knoppix CD. Knoppix (see http://www.knopper.net/knoppix/index-en.html ) is a free Linux OS that boots and runs completely off of the CD. That concept is not new, as I can recall a linux firewall that would boot off of a read only floppy. What makes it so valuable is what you can do once you boot up. It provides a decent GUI, and the ability to interact well with non Linux host operating systems.
It is very useful in recovery situations. Consider these scenarios:

• If you have Windows based machine that will not boot, but you need to get critical files off of the host. Boot into Knoppix, mount the file system (provided the disk is alive) and copy the files to another disk, memory stick or over the network.
• You want to upgrade to a bigger/faster/newer disk. You use a technology such as ghost, but after imaging the drive, the new one will not boot, because the vendor has a hidden partition where they keep an OS image, so there is no master boot record. In many hosts, you can use the Windows Recovery CD to do this, but with newer disks, sometimes the Windows CD doesn't see SATA or SAS disks. Knoppix is continually changing and improving it's ISO image, so you can use the MBR repair tools. (ie install-mbr /dev/sda )

You can recover deleted files, rescue files from damaged hard drives and other recovery type functions.

Aside from the windows recovery mode, you can use Knoppix as a security forensics tool. If you have a break in and want to analyze and isolate events for prosecution, you can boot from Knoppix and mount the data read-only while you scan it using the tools such as the coroner's toolkit (http://www.porcupine.org/forensics/tct.html. ) You can check for rootkits by using the chkrootkit utility.

There are many things you can do with Knoppix, and that is why it is in my toolchest. It is worth checking out.