Masterkey Linux is a new bootable Linux live operating system developed by Qin Z. and focused on incident response and computer forensics. With no installation required, the forensics system is started directly from the CD/DVD-ROM or USB device of a computer and is fully accessible within minutes. Its open source nature and release under the GNU General Public License (GPL) allows university staff, students and other users to use and re-distribute it freely.
Though the Masterkey Linux forensic system was originally developed for educational purposes, it can also be used by computer forensics professionals, system administrators and incident responders for computer-related incident response and investigation.
Planning a new undergraduate degree course entitled "Digital Forensics and System Security" for the Faculty of Engineering and Computing at Coventry University focused attention on the system platforms, application software and data that students should be resourced with. While it was recognised that access to standard commercial tools and hardware was important for future careers, it was also felt that students should have a collection of tools available that they could deploy at leisure on their own computers to learn the methodology of digital forensics, really get enthusiastic about their subject, and fully master it.
Once this philosophy had been established, financial considerations pointed towards an open source approach based on Linux. The potential complications of installing Linux on students' own equipment also suggested that a live CD/USB distribution would be ideal, providing the capability to distribute a customised package of operating system together with a collection of forensic tools. A student can simply insert the CD/USB device into his/her computer, boot the operating system from it, and use the built-in forensic tools immediately. The distribution is also installable, so that students can install it on their hard disks and benefit from superior performance and storage if they wish.
Masterkey is based on the Slackware Linux distribution, the Slax scripts and the associated Linux Live scripts. With forensic applications in mind, Masterkey has been developed with the following features by default:
- Masterkey comes with a collection of forensics tools for imaging, data carving, forensic analysis and network analysis as well as other applications including: editors, office suite, multimedia tools, file and disk management tools, etc.
- Disk partitions found by Masterkey during bootup are not mounted automatically. This prevents a user from accidentally writing to the evidence disks and therefore contaminating the evidence. Icons for the partitions that were found are linked and displayed on the user's Desktop; clicking the icon of a disk partition mounts that partition read-only.
- Mounting and use of swap partitions is not allowed. This prevents a user from destroying any evidence present on swap partitions.
- Root privilege. The user works with the system as a super user (administrator) so that tools requiring root privilege can be used straightaway.
- Console login. The Desktop environment (graphical user interface) does not start automatically during bootup. This makes it possible to work with Masterkey on older computers. The user can choose to start either the KDE or Fluxbox desktop if they wish.
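The two mount rules above (no automatic mounting, evidence partitions mounted read-only, swap never mounted) are the core of the write-blocking policy. The following POSIX shell script is an added example written for this article; it is not part of Masterkey Linux or its Slax/Linux Live scripts. It builds the mount command for a named partition, refuses swap or unknown filesystem types, and only executes the mount when `DO_MOUNT=1` is set, otherwise printing what it would run. The device list at the bottom is constructed sample data, not the output of a real enumeration.

```shell
#!/bin/sh
# Added example (not Masterkey's own code): mount an evidence partition
# read-only and non-executable, refusing swap, with dry-run by default.
# Device names, filesystem types and mount points are supplied by the caller;
# nothing here probes real hardware.

# Print the mount command for DEV of type FSTYPE at MNT.
# Returns 1 for swap or an empty/unknown type so nothing is mounted by accident.
build_mount_cmd() {
    dev="$1"; fstype="$2"; mnt="$3"
    case "$fstype" in
        ''|swap)
            echo "refusing to mount $dev: type '${fstype:-unknown}'" >&2
            return 1 ;;
    esac
    # Baseline: read-only, no executables, no setuid, no device nodes, no atime updates.
    opts="ro,noexec,nosuid,nodev,noatime"
    # Journaled filesystems replay their journal even on a read-only mount
    # unless told not to; noload (ext3/ext4) and norecovery (xfs) prevent that write.
    case "$fstype" in
        ext3|ext4) opts="$opts,noload" ;;
        xfs)       opts="$opts,norecovery" ;;
    esac
    echo "mount -o $opts -t $fstype $dev $mnt"
}

# Mount DEV read-only at MNT when DO_MOUNT=1; otherwise only print the command.
evidence_mount() {
    dev="$1"; fstype="$2"; mnt="$3"
    cmd=$(build_mount_cmd "$dev" "$fstype" "$mnt") || return 1
    if [ "${DO_MOUNT:-0}" = "1" ]; then
        mkdir -p "$mnt" && $cmd
    else
        echo "[dry-run] $cmd"
    fi
}

# Constructed sample of a device enumeration (the shape lsblk -rno NAME,FSTYPE would give).
sample_devices="sda1 ext4
sda2 swap
sdb1 ntfs"

# Walk the sample, preparing each non-swap partition under /mnt/evidence/<name>.
demo() {
    echo "$sample_devices" | while read -r name fstype; do
        evidence_mount "/dev/$name" "$fstype" "/mnt/evidence/$name" || true
    done
}

demo
```

Run as-is to see the dry-run commands; run with `DO_MOUNT=1` as root to perform the mounts. Keeping `noexec,nosuid,nodev` alongside `ro` matters even on a read-only mount: it stops anything on the evidence disk from being executed on the examination system, and the journal options keep a read-only mount from replaying an unclean journal onto the evidence.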