10.1 Windows Evidence Acquisition Boot Disk

Previous page
Table of content
Next page

10.1 Windows Evidence Acquisition Boot Disk

Whether copying evidence from a disk, previewing a system to verify that a crime occurred, or performing a keyword search to determine if the computer contains useful evidence, the computer's operating system should be bypassed to avoid altering evidence, and to avoid any tricks or traps that an advanced user might have set up. As described in Chapter 8, most computers store their operating system on a hard drive, and this operating system can be bypassed using a boot disk. However, extra precautions are required to write protect the drive and ensure that the digital evidence is not altered while it is being processed.

The first step in creating a Windows Evidence Acquisition Boot Disk is to modify the "command.com" and "io.sys" system files to prevent it from accessing any system components on the evidentiary drive. The second step is to delete the "drvspace.bin" file because it attempts to open compressed volumes. A detailed description of this process along with a sample script is available in Larson (2002). Alternatively, Windows systems can be booted using a Linux floppy disk or CD-ROM such as FIRE described in the next chapter.

Until recently, the most common approach to write protecting a hard disk was using software. Recall from Chapter 8 that operating systems write data to hard disks through a computer's BIOS (basic input and output system). Specifically, there are a group of BIOS functions collectively named "INT13h" that control disk access (e.g. read, write, format). A carefully constructed program such as such as PDBlock [1] can intercept calls to these INT13h functions, thus preventing write access to a hard drive. This software approach to write protecting a hard disk is not always successful because of the variations between systems. A more reliable alternative is to connect a piece of hardware to the hard drive that blocks the signals that would cause the disk to be modified. These hardware write blockers have some limitations, preventing access to certain types of disks.

There are two notable nuances to using a Windows Evidence Acquisition Boot Disk. When devices such as a Zip drive or Ethernet card are being used to transfer data to a collection disk, the necessary drivers must be stored on and loaded from the boot disk. For instance, Ethernet drivers are needed when using a tool like EnCase to preview or acquire evidence via a network cable. Also, because MS-DOS does not support NTFS, it is not possible to save evidence files to an NTFS drive when using a Windows Evidence Acquisition Boot Disk. Using FAT32 on collection disks allows for large evidence files to be saved. Boot disks should be virus checked before use to avoid damaging the computer and the digital evidence that it contains.

[1]http://www.digitalintel.com/pdblock.htm



Previous page
Table of content
Next page
Digital Evidence and Computer Crime
Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
Authors: Eoghan Casey BS MA
BUY ON AMAZON
Managing Enterprise Systems with the Windows Script Host
Microsoft Windows Server 2003(c) TCP/IP Protocols and Services (c) Technical Reference
The New Solution Selling: The Revolutionary Sales Process That Is Changing the Way People Sell [NEW SOLUTION SELLING 2/E]
The Java Tutorial: A Short Course on the Basics, 4th Edition
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
The Oracle Hackers Handbook: Hacking and Defending Oracle
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy