COEN 252 Computer Forensics
Windows Evidence Acquisition Boot Disk
Windows Evidence Acquisition Boot Disk
• Use a boot disk to
  • Copy evidence from the hard drive.
    • But there are usually better ways.
  • Preview a system to discover whether an incident has occurred.
  • Run a string search to see whether the computer contains evidence.
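The string-search preview from the slide, as an added example that is not part of the COEN 252 slides: a keyword sweep over a raw disk image that only reads the image, printing the byte offset of every hit so it can be located later. The image, the keyword list and the planted strings are constructed for the demo; the real input would be the acquired image or the raw device from a Linux boot disk.

```shell
#!/bin/sh
# Added example (not from the COEN 252 slides): read-only keyword preview
# of a raw disk image. All file names and keywords below are constructed.

# make_sample_image FILE
# Builds a small constructed "disk image": filler bytes, two planted
# strings and some NUL padding, standing in for a real acquired drive.
make_sample_image() {
    {
        dd if=/dev/zero bs=512 count=4 2>/dev/null | tr '\000' 'x'
        printf '\nTo: alice@example.invalid\nSubject: quarterly numbers\n'
        dd if=/dev/zero bs=512 count=1 2>/dev/null
        printf 'C:\\DOCS\\BUDGET2003.XLS'
    } > "$1"
}

# make_keyword_file FILE
# Writes the constructed keyword list, one search term per line.
make_keyword_file() {
    printf '%s\n' 'alice@example' 'budget2003' > "$1"
}

# keyword_hits IMAGE KEYWORDFILE
# Prints one "byteoffset:matchedtext" line per hit.
#   -a  treat the binary image as text      -F  fixed strings, no regex
#   -i  case-insensitive                    -o  print only the match
#   -b  print the 0-based byte offset of the match (with -o, of the match itself)
#   -f  read the terms from KEYWORDFILE
# The image is opened read-only by grep; nothing is written to it.
keyword_hits() {
    grep -a -F -i -o -b -f "$2" "$1"
}

# hit_count IMAGE KEYWORDFILE -> number of hits as a bare integer
hit_count() {
    keyword_hits "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo: ./preview.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_image "$tmp/evidence.dd"
    make_keyword_file "$tmp/keywords.txt"
    keyword_hits "$tmp/evidence.dd" "$tmp/keywords.txt"
    echo "hits: $(hit_count "$tmp/evidence.dd" "$tmp/keywords.txt")"
    rm -rf "$tmp"
fi
```

On the constructed image this reports two hits, the e-mail address and the spreadsheet name, each with its byte offset; the same `keyword_hits` call works unchanged against a real image file.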
Windows Evidence Acquisition Boot Disk
• A Windows boot disk should prevent files from being altered.
• Change command.com and io.sys so the boot disk does not access system components.
Windows Evidence Acquisition Boot Disk
• Delete the drvspace.bin file because it attempts to open compressed volumes.
• Add the drivers needed to collect the evidence (Ethernet connection, Zip drive, etc.) to the boot disk.
• Windows boot disks cannot access NTFS drives directly.
Windows Evidence Acquisition Boot Disk
• Alternatively, use a Linux boot disk:
  • Forensic and Incident Response Environment (FIRE)
  • Helix (Knoppix)
  • Knoppix STD
  • Local Area Security Linux
  • Penguin Sleuth Kit (Knoppix)
  • Plan-B
  • Snarl (FreeBSD)
Evidence Gathering
• Write-protect the evidence hard drive with software
  • by intercepting INT 13h accesses to the disk.
• Write-protect the evidence hard drive with hardware.
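The software write protection and the Linux boot disk alternative from the two slides above, as an added example that is not part of the COEN 252 slides: on a Linux boot disk the counterpart of intercepting INT 13h is marking the device read-only in the kernel (`blockdev --setro`) before anything touches it, and the acquisition then refuses to run unless that protection is in place and proves the copy by hashing source and image. Device names such as `/dev/sdb` are placeholders; the self-test uses a constructed regular file instead of a block device.

```shell
#!/bin/sh
# Added example (not from the COEN 252 slides): software write protection
# plus hash-verified acquisition from a Linux boot disk. Device paths are
# placeholders; the regular-file branch exists so the demo runs unprivileged.

# hash_file FILE -> hex SHA-256 digest (sha256sum, or shasum where absent)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# write_protect SOURCE
# Real block device (e.g. /dev/sdb, needs root): blockdev --setro makes the
# kernel reject every write to it, whatever tool is run afterwards.
# Regular file (demo only): clear the write bits instead.
write_protect() {
    if [ -b "$1" ]; then
        blockdev --setro "$1"
    else
        chmod a-w "$1"
    fi
}

# is_write_protected SOURCE -> exit 0 only if SOURCE cannot be written.
# The permission string is inspected rather than "test -w", because root
# passes -w even on a file without write bits.
is_write_protected() {
    if [ -b "$1" ]; then
        [ "$(blockdev --getro "$1")" = "1" ]
    else
        case "$(ls -ld "$1" | cut -c1-10)" in
            *w*) return 1 ;;
            *)   return 0 ;;
        esac
    fi
}

# acquire SOURCE IMAGE
# 1. refuse unless SOURCE is write-protected
# 2. hash SOURCE, copy it block by block (conv=noerror,sync keeps offsets
#    stable across read errors; the last short block is NUL-padded, so a
#    real disk, a whole number of sectors, hashes identically)
# 3. hash IMAGE, record both digests in IMAGE.log, succeed only on a match
acquire() {
    src="$1"; img="$2"
    is_write_protected "$src" || { echo "refusing: $src is writable" >&2; return 2; }
    before=$(hash_file "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 3
    after=$(hash_file "$img")
    printf 'source %s\nimage  %s\n' "$before" "$after" > "$img.log"
    [ "$before" = "$after" ]
}

# Usage on a boot disk (as root, placeholders):
#   write_protect /dev/sdb && acquire /dev/sdb /mnt/case/sdb.dd
# Stand-alone demo on a constructed file: ./acquire.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/src.bin" bs=512 count=8 2>/dev/null
    write_protect "$tmp/src.bin"
    acquire "$tmp/src.bin" "$tmp/src.dd" && cat "$tmp/src.dd.log"
    chmod u+w "$tmp/src.bin"; rm -rf "$tmp"
fi
```

The refusal step is the point: the hash check proves the copy is faithful, but only the read-only flag set before the copy shows that the source could not have been altered by the acquisition itself.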
Tools for Live Examination
• Avoid using system tools on the evidence machine.
  • This can get you into DLL hell.
• Use Filemon to check what files are being accessed when you run a command from your forensic CD.
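The Filemon check from the slide, done on a Linux boot disk, as an added example that is not part of the COEN 252 slides: run the tool from the forensic CD under `strace -f -e trace=file -o tool.trace <tool>` and then list every file it actually opened or executed that does not live under the trusted CD mount. Any such path (the suspect system's own `/lib` or `/etc`, for instance) is the Linux form of the DLL-hell problem the slide warns about. The trace lines and the mount point `/mnt/cdrom` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the COEN 252 slides): find files a forensic tool
# loaded from outside the trusted CD, by reading an strace file trace.
# The trace content and TRUSTED_PREFIX below are constructed.

TRUSTED_PREFIX="/mnt/cdrom"

# make_sample_trace FILE
# Constructed strace -f output for a tool started from the CD: it loads
# libc from the evidence system, one library from the CD, and fails one
# open with ENOENT (which is not a real access and must be ignored).
make_sample_trace() {
    cat > "$1" <<'EOF'
1234  execve("/mnt/cdrom/bin/ls", ["ls", "-l", "/"], 0x7ffd12345678) = 0
1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/mnt/cdrom/lib/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/nonexistent/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
1234  openat(AT_FDCWD, "/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
EOF
}

# untrusted_opens TRACEFILE PREFIX
# Takes open/openat/execve lines (optionally pid-prefixed by strace -f),
# skips calls whose return value is negative, extracts the first quoted
# path and prints, sorted and deduplicated, those not under PREFIX/.
untrusted_opens() {
    awk -v prefix="$2/" '
        /^([0-9]+ +)?(open|openat|execve)\(/ && / = -?[0-9]+/ {
            n = split($0, parts, " = "); rc = parts[n]; sub(/ .*/, "", rc)
            if (rc + 0 < 0) next              # ENOENT etc.: nothing was opened
            if (match($0, /"[^"]*"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                if (index(path, prefix) != 1) seen[path] = 1
            }
        }
        END { for (p in seen) print p }' "$1" | sort
}

# Stand-alone demo: ./check_tool.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_trace "$tmp/tool.trace"
    echo "files used from outside $TRUSTED_PREFIX:"
    untrusted_opens "$tmp/tool.trace" "$TRUSTED_PREFIX"
    rm -rf "$tmp"
fi
```

On the constructed trace the output is `/`, `/etc/ld.so.cache` and `/lib/x86_64-linux-gnu/libc.so.6`: the directory listed is expected, but the loader cache and libc came from the evidence system, which is exactly what a statically linked or CD-relative (`LD_LIBRARY_PATH` pointing into the CD) tool set is meant to avoid.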