Ellis, in Computer and Information Security Handbook (Third Edition), 2013

Creating Forensic Images Using Software and Hardware Write Blockers

Both software and hardware write blockers are available. Software write blockers are versatile and come in two flavors. One is a module that “plugs” into the forensic software and can generally be used to write block any port on the computer. The other method of software write blocking is to use a forensic boot disk.

Developing checklists that can be repeatable procedures is an ideal way to ensure solid results in any investigation.

Software write blockers are limited by the port speed of the port they are blocking, plus some overhead for the write-blocking process. But then, all write blockers are limited in this manner. Hardware write blockers are normally optimized for speed. Forensic copying tools such as Logicube and Tableau are two examples of hardware write blockers, although many companies make them. Logicube will both hash and image a drive at a rate of about 3 GB/min. They are small and portable and can replace the need for bulky PCs on a job site. There are also appliances and large enterprise software packages that are designed to automate and alleviate the labor requirements of large discovery/disclosure acquisitions that may span thousands of computers.

Once a computer has been booted to the forensic operating system, an image of the computer hard drive can be created and saved onto an attached external hard drive. Forensic boot media provides write protection of the evidence hard drive(s) through software configurations. In order to use a forensic boot media, the BIOS of the suspect computer system is first modified by the examiner to boot the forensic media rather than boot the hard drive in the computer. This method of booting an evidence computer carries a risk of inadvertently booting the suspect system causing modification of files on the evidence drive if precautions are not taken to control the booting process. Failing to control the booting process runs the risk of booting your evidence to its operating system, changing thousands of files on the hard drive.

During a search warrant or civil evidence collection, you may feel either a self-induced pressure or actual external pressures to hurry up. Being rushed causes mistakes to be made, items overlooked, and regret after you leave the scene for doing a less than reasonable job. Booting a computer to a forensic disk is one of those times where being rushed will cause problems. To avoid inadvertently booting the evidence computer’s operating system, test it first.

First, disconnect the evidence hard drive in the computer by unplugging the cable to all hard drives in the computer. Change the boot order with the hard drive being last. The first boot media will be your forensic operating system on a CD or USB drive. The second boot media should be any other drive other than the hard drive. If there is a floppy drive, choose the floppy as the second media. Save your changes, exit, and shut down the computer. Your forensic boot disk is placed in the CD drive, or if you are using a USB drive, plug it in. Any remaining drives can be filled with empty media, such as a blank floppy disk. Boot the computer and make sure your forensic operating system boots. If it does, shut down the system, reconnect the hard drive, and boot the system to your forensic disk.

A reason for filling any other drives with blank media, like the floppy drive, is to give an added layer of protection if the boot process somehow bypasses your forensic CD. Maybe the blank media will be caught in the booting process and prevent booting the evidence drive and if that happens, you will know that although your boot media was skipped, your blank media prevented evidence from being changed. Then go through this process again, maybe with another bootable media.

Figure 1.4. Raptor Forensics Boot Operating System, by Forward Discovery.

Dead box imaging also applies to digital media that is not connected to a computer system, such as external hard drives, USB flash drives, compact disks, and other small media. The concepts of write protection are the same since the small media would not be in operation (not powered on). Through write protection, these small media are connected to a forensic workstation and imaged much like a computer hard drive.

On the face of simply imaging a hard drive, it would seem to be an easy task. But I would rather compare it to steering a ship through the Suez Canal. Maybe steering the ship is only a few inches of turning the wheel left and right to keep the boat straight, but there is no such thing as a small mistake with those few inches of wheel sway. Although this is an oversimplified analogy, the point is that imaging seems easy until it isn’t. Software that worked on one drive may not work on another.
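The two steps the excerpts above describe, confirming the evidence device is write-protected before it is read and then hashing while imaging so the copy can be verified, as an added shell example that is not code from the handbook or from any vendor's imager. It assumes Linux with blockdev(8), dd and sha256sum; the function names are hypothetical, and the check is exercised here on a constructed regular file rather than a real evidence drive.

```shell
#!/bin/sh
# Added example (not from the handbook or any vendor tool): dead-box
# imaging helpers that (1) refuse to read a block device the kernel does
# not report as read-only, (2) image it sector by sector, and (3) hash
# source and image to verify the copy, the "hash and image" step a
# hardware imager performs in one pass.
# Assumptions: Linux with blockdev(8), dd and GNU sha256sum; function
# names are hypothetical.

hash_of() {
  # SHA-256 of a file or device, hash only
  sha256sum "$1" | cut -d' ' -f1
}

verify_readonly() {
  # A block device must be write-protected before it is touched; if
  # blockdev cannot open it (e.g. no root) refuse rather than guess.
  # Regular files (used by the constructed test) are not checked.
  if [ -b "$1" ]; then
    ro=$(blockdev --getro "$1" 2>/dev/null) || return 1
    [ "$ro" = "1" ] || return 1
  fi
  return 0
}

verify_image() {
  # Succeeds only when source and image hash identically
  [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

image_and_verify() {
  # $1 source device or file, $2 destination image; prints both hashes
  src="$1"; dst="$2"
  verify_readonly "$src" || { echo "refusing: $src not write-protected" >&2; return 2; }
  # bs=512 matches a traditional sector (use 4096 for a 4Kn drive), so
  # conv=sync only zero-pads a short read (an unreadable sector, or a file
  # that is not sector-aligned); conv=noerror continues past bad sectors,
  # and the hash comparison then reports any padding as a mismatch
  dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 3
  printf '%s  %s\n' "$(hash_of "$src")" "$src"
  printf '%s  %s\n' "$(hash_of "$dst")" "$dst"
  verify_image "$src" "$dst"
}
```

Record the two printed hash lines with the image; a later verify_image run against the stored image is the integrity check for the chain of custody.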