FORMAT: CREATING A TRUSTED BOOT DISK

Some of the utilities discussed in this chapter require a trusted boot disk. You don't need a special tool to make one; the format command that ships with Windows will do. This short section explains how to create a boot disk if you have not already done so. If you already know how to make a trusted boot disk, you can move on to the sections that discuss the other forensic imaging tools: SafeBack and SnapBack.

Implementation

To create a generic boot disk, run the following command on a Windows 95/98 system to format the floppy and copy the system files that make it bootable. On Windows XP, choose the "Create an MS-DOS startup disk" option in the format dialog instead:

 C:\>format a: /s 

As previously noted, one of the basic tenets of computer forensics is never to alter the original evidence in any way. Unfortunately, the DOS boot disk you just created contains an IO.SYS file with hard-coded references to C:\DRVSPACE.BIN, C:\DBLSPACE.BIN, and C:\DRVSPACE.INI. If the suspect's drive uses DriveSpace or DoubleSpace disk compression, your boot disk may load those drivers and mount the logical uncompressed file system, which modifies the date and time stamps on the compressed volume file, and with them the evidence. To prevent this, follow these steps:

  1. Create a normal Windows 95/98 boot disk.

  2. Use a hex editor to overwrite, in place, every reference to DRVSPACE.BIN, DBLSPACE.BIN, and DRVSPACE.INI in the IO.SYS file. Each replacement must be exactly as long as the string it overwrites, so that nothing else in the file moves. The find-and-replace function of an advanced hex editor such as WinHex makes this task much easier.

  3. Change all references of C:\ to A:\ in the IO.SYS, COMMAND.COM, and MSDOS.SYS files on the floppy disk.

  4. Remove the file DRVSPACE.BIN from the floppy.

Note 

The IO.SYS, DRVSPACE.BIN, and MSDOS.SYS files carry the System, Hidden, and Read-Only attributes, so you must clear them with the DOS attrib command before you can view, modify, or delete the files. For example, C:\>attrib -S -H -R a:\drvspace.bin removes the attributes, after which C:\>del a:\drvspace.bin deletes the file.
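The same-length overwrite in steps 2 and 3 can be done with a script instead of by hand in WinHex. The following Python is an added example, not code from the book or from any forensic product. It replaces each reference with a string of identical length (the NOSPACE*.BIN names are hypothetical; they only have to be the same length as the originals and point at nothing that exists on the suspect's drive), refuses any replacement that would change the file size, records every offset it touched together with SHA-256 hashes before and after, and finally rescans the file to confirm nothing forbidden remains. The IO.SYS fragment at the top is constructed for the demonstration and is not real IO.SYS content.

```python
"""Same-length patching of DOS boot-disk system files (added example)."""
import hashlib

# Hypothetical replacements: identical length to the original string so
# no offset inside IO.SYS, COMMAND.COM or MSDOS.SYS shifts.
PATCHES = [
    (b"DRVSPACE.BIN", b"NOSPACE0.BIN"),
    (b"DBLSPACE.BIN", b"NOSPACE1.BIN"),
    (b"DRVSPACE.INI", b"NOSPACE2.INI"),
    (b"C:\\", b"A:\\"),          # step 3: every C:\ becomes A:\
]

# Strings that must not survive in a patched file.
FORBIDDEN = [b"DRVSPACE", b"DBLSPACE", b"C:\\"]

# Constructed stand-in for a piece of IO.SYS (not real IO.SYS bytes):
# a few opcodes around the NUL-terminated path strings.
SAMPLE_IO_SYS = (
    b"\xeb\x3c\x90MSDOS5.0"
    b"\x00C:\\DRVSPACE.BIN\x00C:\\DBLSPACE.BIN\x00C:\\DRVSPACE.INI\x00"
    b"\xb8\x00\x4c\xcd\x21"
)


def patch_bytes(data, patches=PATCHES):
    """Apply every (old, new) replacement in place.

    Returns (patched_bytes, log) where log lists (offset, old, new) for
    each hit so the examiner can check every change against a hex dump.
    """
    buf = bytearray(data)
    log = []
    for old, new in patches:
        if len(old) != len(new):
            raise ValueError(f"{old!r} -> {new!r}: lengths differ, "
                             "in-place patch would shift offsets")
        start = 0
        while (i := buf.find(old, start)) >= 0:
            buf[i:i + len(old)] = new
            log.append((i, old, new))
            start = i + len(new)
    if len(buf) != len(data):          # defensive: must never change size
        raise RuntimeError("file size changed during patching")
    return bytes(buf), log


def remaining_references(data, forbidden=FORBIDDEN):
    """Return (offset, needle) for every forbidden string still present."""
    hits = []
    for needle in forbidden:
        start = 0
        while (i := data.find(needle, start)) >= 0:
            hits.append((i, needle))
            start = i + 1
    return sorted(hits)


def patch_file(path, patches=PATCHES):
    """Patch one system file on the floppy and return the examiner's record:
    hashes before and after, every offset changed, and any leftovers."""
    with open(path, "rb") as f:
        original = f.read()
    patched, log = patch_bytes(original, patches)
    with open(path, "wb") as f:
        f.write(patched)
    return {
        "sha256_before": hashlib.sha256(original).hexdigest(),
        "sha256_after": hashlib.sha256(patched).hexdigest(),
        "changes": log,
        "leftover": remaining_references(patched),
    }


if __name__ == "__main__":
    patched, log = patch_bytes(SAMPLE_IO_SYS)
    for offset, old, new in log:
        print(f"0x{offset:04x}: {old!r} -> {new!r}")
    print("leftover references:", remaining_references(patched))
```

Run it as `python patch_bootdisk.py` to see the offsets it would change in the constructed sample, or call `patch_file(r"A:\IO.SYS")` on a real floppy after the attrib step in the Note above; Windows will refuse to open a Read-Only file for writing until those attributes are cleared. Review the logged offsets before trusting the disk: the three bytes of C:\ can also occur inside code rather than inside a path string, which is why the hex-editor method has a human looking at each hit, and why the script reports every one. Keep the before-and-after hashes with your case notes so that every boot disk you make can be verified against the same known-good copies of IO.SYS, COMMAND.COM, and MSDOS.SYS.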

Once you've created a controlled DOS boot floppy, add any further drivers your forensic workstation needs; if you need a special SCSI driver, for instance, this is the time to add it. You may also want to include common DOS utilities such as fdisk.exe and a write-blocking utility.

When using a boot floppy, always double-check the BIOS settings to make sure that the floppy drive is the first device in the boot sequence. Otherwise, you could inadvertently boot from the suspect's hard drive.

Tip 

If you do not know for sure from what device the machine will be booting, be sure to disconnect the hard drive cables while you are figuring it out!



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175