COEN 252 Computer Forensics Windows Evidence Acquisition Boot Disk

Upload: vera-bray

Post on 01-Jan-2016


Page 1: COEN 252 Computer Forensics

COEN 252 Computer Forensics

Windows Evidence Acquisition Boot Disk

Page 2: COEN 252 Computer Forensics

Windows Evidence Acquisition Boot Disk

A boot disk can be used to copy evidence from the hard drive, but there are usually better ways to do that. Where a boot disk is genuinely useful is to preview a system and discover whether an incident has occurred, or to run a string search to see whether the computer contains evidence at all.

Page 3: COEN 252 Computer Forensics

Windows Evidence Acquisition Boot Disk

A Windows boot disk should prevent files on the evidence drive from being altered.

Change command.com and io.sys on the boot disk to prevent them from accessing system components on the evidence drive.

Page 4: COEN 252 Computer Forensics

Windows Evidence Acquisition Boot Disk

Delete the drvspace.bin file from the boot disk, because it attempts to open compressed volumes.

Add to the boot disk whatever drivers are needed to collect the evidence (ethernet connection, Zip drive, etc.).

Note that Windows boot disks cannot access NTFS drives directly.

Page 5: COEN 252 Computer Forensics

Windows Evidence Acquisition Boot Disk

Alternatively, use a Linux or BSD boot disk:

Forensic and Incident Response Environment (FIRE)
Helix (Knoppix)
Knoppix STD
Local Area Security Linux
Penguin Sleuth Kit (Knoppix)
Plan-B
Snarl (FreeBSD)

Page 6: COEN 252 Computer Forensics

Evidence Gathering

Write protect the evidence hard drive with software, by intercepting INT 13h accesses to the disk and refusing the write requests.

Or write protect the evidence hard drive with hardware (a hardware write blocker).

Page 7: COEN 252 Computer Forensics

Tools for Live Examination

Avoid using system tools on the evidence machine. Even a tool run from your own media can pull in DLLs from the evidence system (DLL hell), which both alters the evidence machine and makes the tool's output untrustworthy.

Use filemon to check what files are actually being accessed when you run a command from your forensic CD.
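As an added example (not from the slides) of the check the last bullet describes: a small Python audit that reads a Filemon-style log and reports which files a tool from the forensic CD touched outside that CD, and which it wrote to. The log lines are constructed, the tab-separated column layout is an assumption about Filemon's export format, and the CD drive letter D: is assumed.

```python
import re

# Constructed sample log in an assumed Filemon-style layout:
# sequence, time, process:pid, request, path, result (tab-separated).
SAMPLE_LOG = """\
1\t10:02:11 PM\tnetstat.exe:412\tOPEN\tD:\\TOOLS\\NETSTAT.EXE\tSUCCESS
2\t10:02:11 PM\tnetstat.exe:412\tOPEN\tC:\\WINDOWS\\SYSTEM32\\WS2_32.DLL\tSUCCESS
3\t10:02:11 PM\tnetstat.exe:412\tREAD\tC:\\WINDOWS\\SYSTEM32\\WS2_32.DLL\tSUCCESS
4\t10:02:12 PM\tnetstat.exe:412\tOPEN\tD:\\TOOLS\\MSVCRT.DLL\tSUCCESS
5\t10:02:12 PM\tnetstat.exe:412\tWRITE\tC:\\TEMP\\NET.TMP\tSUCCESS
6\t10:02:13 PM\tfilemon.exe:300\tOPEN\tD:\\TOOLS\\FILEMON.EXE\tSUCCESS
"""

TRUSTED_ROOT = "D:\\"  # drive letter of the forensic CD (assumption)

LINE_RE = re.compile(
    r"^(\d+)\t([^\t]+)\t([^\t:]+):(\d+)\t([A-Z]+)\t([^\t]+)\t([^\t]+)"
)


def parse_filemon(text):
    """Turn log lines into event dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq, _time, proc, pid, request, path, result = m.groups()
        events.append({"seq": int(seq), "process": proc, "pid": int(pid),
                       "request": request, "path": path, "result": result})
    return events


def audit_tool(events, tool_name, trusted_root=TRUSTED_ROOT):
    """Paths the named tool touched off the forensic CD, and paths it wrote to."""
    findings = {"off_cd": set(), "writes": set()}
    for e in events:
        if e["process"].lower() != tool_name.lower():
            continue
        # Any access outside the CD means the tool depends on (or changes) the evidence system.
        if not e["path"].upper().startswith(trusted_root.upper()):
            findings["off_cd"].add(e["path"])
        if e["request"] == "WRITE":
            findings["writes"].add(e["path"])
    return findings


if __name__ == "__main__":
    for kind, paths in audit_tool(parse_filemon(SAMPLE_LOG), "netstat.exe").items():
        print(kind, sorted(paths))
```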