
F.I.R.E. - Frequently Asked Questions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision 2

Copyright (c) 2003 Dirk Loss

Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.1 or any later version
published by the Free Software Foundation; with no Invariant Sections, with no
Front-Cover Texts, and with no Back-Cover Texts.


ABOUT


Q: What is F.I.R.E.?
A: F.I.R.E. is a free Forensic and Incident Response Environment
on a bootable CD-ROM.
In other words, it is a Linux distribution with lots of useful
security tools and a fine menu system which makes it very easy to use.
Nothing on your computer is modified, so you can try it out safely.

F.I.R.E. was created and is maintained by William Salusky.
The homepage is at .


Q: What can I do with it?
A: Among other things, you can use F.I.R.E. to
* collect data from a potentially compromised host and do a
forensic analysis
* respond to a security incident using trusted binaries
* recover data from lost partitions
* do a virus check of your hard drives in a clean environment
* carry out a penetration test or vulnerability assessment

F.I.R.E. can be booted into a comfortable X-Window environment or operated
from a standard text console (even over a serial cable).
Menus that help you perform common tasks are available in both cases.


Q: But there are several other security/rescue Linux distributions out there.
Why should I be interested in F.I.R.E.?
A: You are right, there are several other CD-ROM- or floppy-based distros, e.g.
- Knoppix
- Trinux or
- PLAC

* Knoppix offers a huge number of applications and excellent
hardware detection
but F.I.R.E. offers far more tools relevant to the security expert
* Trinux can be booted from a floppy disk
and can run on very old computers
but F.I.R.E. includes far more tools by default
and an optional graphical X-Server which allows it to run
software available only in GUI versions.
* PLAC is a good collection of security tools on a live CD-ROM
but F.I.R.E. has a menu system which makes it very easy to use,
it specializes in data recovery and forensic analysis
and it is actively developed.


Q: What tools are included?
A: Far too many to list here. Some popular ones are:

* Nessus, Nmap, whisker, hping2, hunt, fragrouter
* Ethereal, Snort, tcpdump, ettercap, dsniff, airsnort
* chkrootkit, F-Prot
* tct, tctutils, Autopsy
* Testdisk, fdisk, gpart
* SSH (client and Server), VNC (client and server)
* Mozilla, ircII, mc, Perl, biew, fenris, gpg

See for a more detailed list.


Q: What platforms will F.I.R.E. run on?
A: F.I.R.E. requires an Intel x86 compatible PC with at least 48MB RAM.
To use the X Window System your graphics card and monitor must support
800x600 pixels and VESA frame buffer. Of course you will then need a mouse
as well.


Q: How is F.I.R.E. licensed?
A: See for details.
Basically, you can use and copy it as you like, but give credit where it's
due. And remember that F.I.R.E. is distributed without any warranty.


INSTALLATION


Q: How do I get the F.I.R.E. CD-ROM?
A: At the moment F.I.R.E. is only available as an image file (*.iso).
You must download it from the Internet and burn it onto a CD-ROM.
(With a modem or ISDN the download might take several hours since
the file is quite large, > 200MB.)


Q: Ok, I have downloaded the ISO. What do I do now?
A: 1. Check whether the file was downloaded correctly by calculating the
MD5-checksum and comparing it with the checksum given in the
download area at Sourceforge.
2. Burn the iso file to a CD-ROM. After that, make sure that there is more
than one file on the CD-ROM.
3. Enter the BIOS of your computer and configure it to boot from CD-ROM.
4. Reset your computer. After a few seconds you should see a green
welcome screen. Press to boot into text mode or <3> or <4> to
boot into graphics mode.


Q: How do I calculate an MD5 checksum?
A: On Unix hosts use the "md5sum" program to calculate the MD5-checksum
of the .iso-file. It is part of the GNU Textutils package and probably
already installed on your computer.

$ md5sum fire-0.3.5b.iso
fdae2b88726c6c99141c4b911350f299 *fire-0.3.5b.iso

A Windows commandline version of md5sum can be downloaded from
. If you like a GUI version,
try DPASHA from and choose the MD5 algorithm.

Then download the checksum file corresponding to your iso
(in this example: fire-0_3_5b_md5.txt), have a look at it and
compare the MD5 checksums.

$ cat fire-0_3_5b_md5.txt (on Windows use Notepad to view the file)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fdae2b88726c6c99141c4b911350f299 *fire-0.3.5b.iso

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPearEQCUWsrXYo1REQKSdQCg5DXsok4GFDLXZQchQs7q79TZLYcAn1I8
nNJ4BWGAfGsvpPOPsydl2HzQ
=iUvO
-----END PGP SIGNATURE-----

In this case, the checksums ("fdae2b88726c6c99141c4b911350f299")
are the same, so the iso is correct. If they differ you have to
download the iso file again. Maybe you should try another Sourceforge mirror.
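
The comparison above can also be scripted. This is an added example, not part of the original FAQ or the F.I.R.E. project; the function names signed_md5 and verify_iso are hypothetical, and it assumes md5sum and awk are installed.

```shell
#!/bin/sh
# Added example: compare an ISO's MD5 with the value listed in a PGP
# clearsigned checksum file such as fire-0_3_5b_md5.txt.
# signed_md5 and verify_iso are hypothetical names.

# Print the MD5 that clearsigned checksum file $1 lists for file name $2.
# Only the signed body (after the armor headers, before the signature) is read.
signed_md5() {
    awk -v want="$2" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { hdr = 1; next }
        /^-----BEGIN PGP SIGNATURE-----$/      { exit }
        hdr && $0 == ""                        { hdr = 0; body = 1; next }
        body {
            name = $2; sub(/^\*/, "", name)     # "*" marks binary mode
            if (name == want && length($1) == 32 && $1 !~ /[^0-9a-fA-F]/) {
                print tolower($1); found = 1; exit
            }
        }
        END { exit !found }
    ' "$1"
}

# Compare the local MD5 of ISO $1 with its entry in checksum file $2.
# Returns 0 on match, 1 on mismatch, 2 if the file has no usable entry.
verify_iso() {
    want=$(signed_md5 "$2" "$(basename "$1")") || return 2
    have=$(md5sum "$1" | awk '{ print tolower($1) }')
    [ "$have" = "$want" ]
}

# Usage:
#   verify_iso fire-0.3.5b.iso fire-0_3_5b_md5.txt && echo "checksum matches"
```

A matching checksum only shows that the download is intact. Checking the PGP signature on the checksum file itself, for example with `gpg --verify fire-0_3_5b_md5.txt` after importing the signer's public key, confirms that the listed value comes from the signer.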


Q: How do I burn the CD-ROM?
A: See for a good explanation how to
burn iso-files.


USAGE


Q: What is the root password?
A: The root password is "firefire".


Q: I have booted into the X Window System. How do I start the console menu?
A: Just start a terminal and run

# /sbin/dlg/startmenu


Q: How can I transfer the contents of the /data directory to another
computer on the net?
A: First make sure that the network is configured properly.
Then turn to the remote computer and start up a listening netcat process:

[bill@REMOTE]$ nc -l -p 2020 > data.tar

Back on the F.I.R.E. system send the data directory to the remote computer
(in this example the IP address of the remote computer is 192.168.1.100):

[root@FIRE]# cd /data
[root@FIRE]# tar cf - . | nc -nvv 192.168.1.100 2020

Then extract the tar-archive on the remote computer:

[bill@REMOTE]$ tar xvf data.tar
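
When the transferred data is evidence, it helps to record a checksum of the tar stream on both ends so the received copy can be checked against what was sent. This is an added example, not part of the original FAQ or the F.I.R.E. project; send_dir, recv_stream, same_hash and the .md5 file names are hypothetical, and /tmp is an assumed writable location.

```shell
#!/bin/sh
# Added example: hash the tar stream on both ends of the netcat transfer.
# send_dir, recv_stream, same_hash and the *.md5 names are hypothetical.

# F.I.R.E. side: write a tar of directory $1 to stdout and store the MD5 of
# exactly those bytes in file $2 (keep $2 outside the directory being sent).
send_dir() {
    fifo=$(mktemp -u) && mkfifo "$fifo" || return 1
    md5sum < "$fifo" | awk '{ print $1 }' > "$2" &
    ( cd "$1" && tar cf - . ) | tee "$fifo"
    wait            # let the background md5sum finish writing $2
    rm -f "$fifo"
}

# Remote side: store stdin as archive $1 and write its MD5 to file $2.
recv_stream() {
    cat > "$1" && md5sum "$1" | awk '{ print $1 }' > "$2"
}

# Compare two recorded hashes; succeeds only if both exist and are equal.
same_hash() {
    [ -s "$1" ] && [ -s "$2" ] && [ "$(cat "$1")" = "$(cat "$2")" ]
}

# With netcat, as in the answer above:
#   [bill@REMOTE]$ nc -l -p 2020 | recv_stream data.tar recv.md5
#   [root@FIRE]#   send_dir /data /tmp/sent.md5 | nc -nvv 192.168.1.100 2020
# Then read both .md5 files and compare the two values.
```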


Q: I would like to start some programs automatically after boot.
A: Create a shell script called "autoexec.sh" and put it into the root
directory of a FAT-formatted floppy disk.
If you do this under F.I.R.E. it would be something like:
# nano autoexec.sh
# mcopy autoexec.sh a:

The "autoexec.sh" file is searched for and executed during the boot phase.
For example:
---snip---
#!/bin/sh
insmod 8390
insmod ne2k-pci
ifconfig eth0 192.168.1.100 up
echo nameserver 192.168.1.254 > /etc/resolv.conf
loadkeys it
---snip---

You can run this script manually by calling /sbin/checkfloppy.sh


Q: How can I use F.I.R.E. on a running system, i.e. without rebooting my PC?
A: On the CD-ROM there are several statically linked binaries of useful
tools. You can use them during a forensic analysis if your PC has
been compromised.


TROUBLESHOOTING


Q: I burned the CD-ROM but it doesn't boot.
A: There are at least four possible reasons for your problem:
1) The downloaded .iso-file is damaged. Please verify the MD5 checksum as
described above.
2) Something went wrong when you burned the CD-ROM.
See for instructions.
3) Your computer has difficulties booting from CD-ROMs.
See the next question.
4) Your computer does not meet the requirements, e.g. it does not have enough RAM.


Q: My computer is very old and it does not support booting from CD-ROM.
A: Try installing "Smart Boot Manager"
onto a floppy disk. Boot from the floppy disk.
Then tell the boot manager to boot from CD-ROM.

If this does not work either, you have to update your BIOS and hope
that CD-ROM booting is supported in the new BIOS version.


Q: I have a graphics card with i815 chipset and cannot get the X Window System
to work.
A: F.I.R.E. uses the VESA frame buffer driver for X11. The i815 chipset
does not support VESA frame buffer. Sorry.


Q: The shell behaves strangely. Sometimes I cannot type anything.
A: Bash is configured to work in vi-mode. Type:

# set -o emacs

This causes the shell to switch to Emacs mode. You will probably
feel more comfortable with it.


Q: How can I get a German keyboard layout on the console?
A: The command would be

# loadkeys de

but an include file is missing. This is a bug and will probably be
corrected in the next release.
As a workaround you can try the Italian keymap:

# loadkeys it

Then at least most of the keys will work (but z and y are still switched).


Q: I have got an NE2000 compatible PCI ethernet card (e.g. RealTek 8029 chipset) but cannot get it working.
A: Try loading the kernel modules manually:

# insmod 8390
# insmod ne2k-pci

Then use the menu to complete the IP configuration (DHCP or static).


Q: I created an "autoexec.sh" file but it is not executed automatically.
A: Just run it manually by typing

# /sbin/chkfloppy.sh


Q: I have found a bug. What shall I do?
A: Please visit our Bug Tracking System at Sourceforge.
If the bug hasn't been recorded yet, please describe it there.
If you have an idea how to fix it, that's even better. Let us know!


MISCELLANEOUS


Q: Where do I find more documentation?
A: Joe Lofshult has written an article about an older version of FIRE,
which was called Biatchux. It is available in Winword format at
.

Moreover, have a look at the F.I.R.E. forum at Sourceforge:



Q: I have found a cool program that should be included.
A: If it isn't included already (please check),
feel free to suggest it on the Feature Request Page

or on the forum:


