The “Modern” Control Boot Disk
What do we mean by a “Modern” control boot disk?
In your previous lectures you learned about the original DOS control boot disks… where the Computer Forensic industry started.
…however, DOS is slow and lacks driver, file system, and application support… so the industry has moved away from DOS control boot disks to boot disks using more modern and complex OSs.
Using a HEX editor, simple modifications were made to a DOS boot disk to turn it into a “Control Boot Disk”.
Early software (Int-13) write blockers were written and widely used: PDBlock and HDL
CF examiners built “Utility Disks” to go with their Control Boot Disks and hold all their forensic tools.
Few DOS forensic tools to choose from…
Imaging tools: Primarily SafeBack & EnCase for DOS
Other tools: Searching, Hashing, 3rd party file system drivers, HEX editor, etc.
What are “Live CDs”?
The term "live" derives from the fact that these CDs each contain a complete, functioning and operational operating system on the distribution medium. http://en.wikipedia.org/wiki/Live_CD
The multi-threaded fully-functional OSs allowed the use of better and faster forensic applications for acquisition, hashing, searching, etc. in a “controlled” boot environment.
Became popular with the release of Knoppix in 2003.
Helix, Raptor, SPADA, Knoppix, Penguin Sleuth, and many others over the past several years…
But how “Controlled” is the Linux OS on the “forensic” Live CDs?
The OS is MUCH more complex than the 3 binary files that make up a DOS bootable disk… and much more complex to modify into a “controlled” OS environment.
And what about software write-blocking?
We will discuss this in a few slides!
“More complex operating systems, for example Windows XP or a UNIX variant (e.g., Linux), may disallow any low level interface (through the BIOS or the controller) and only allow user programs access to a hard drive through a device driver, a component of the operating system that manages all access to a device.”
Please use the discussion board!