Digital Evidence and Computer Crime, Second Edition
10.1 Windows Evidence Acquisition Boot Disk
Whether copying evidence from a disk, previewing a system to verify that a crime occurred, or performing a keyword search to determine if the computer contains useful evidence, the computer's operating system should be bypassed to avoid altering evidence, and to avoid any tricks or traps that an advanced user might have set up. As described in Chapter 8, most computers store their operating system on a hard drive, and this operating system can be bypassed using a boot disk. However, extra precautions are required to write protect the drive and ensure that the digital evidence is not altered while it is being processed.
The first step in creating a Windows Evidence Acquisition Boot Disk is to modify the "command.com" and "io.sys" system files so that they do not access any system components on the evidentiary drive; left unmodified, a stock Windows boot disk looks for and uses files on the hard drive during start-up. The second step is to delete the "drvspace.bin" file, because it attempts to open compressed volumes on the hard drive. A detailed description of this process along with a sample script is available in Larson (2002). A modified boot disk should be tested before it is used on evidence: boot a scratch drive with it and compare a cryptographic hash of the drive taken before and after the boot to confirm that nothing was written. Alternatively, the computer can be booted from a Linux floppy disk or CD-ROM such as FIRE, described in the next chapter.
Until recently, the most common approach to write-protecting a hard disk was software. Recall from Chapter 8 that MS-DOS, and any program running under it, reads and writes hard disks through the computer's BIOS (basic input and output system). Specifically, a group of BIOS services reached through interrupt 13h (collectively "INT 13h") controls disk access (e.g. read, write, format). A carefully constructed program such as PDBlock [1] can intercept calls to these INT 13h services and refuse the ones that would modify a drive, returning an error to the caller instead. This software approach is not always successful because of variations between systems: it protects only calls that pass through the BIOS interrupt, so a program or driver that talks to the disk controller directly is never seen by the blocker. A more reliable alternative is to connect a piece of hardware between the computer and the hard drive that blocks the signals that would cause the disk to be modified. These hardware write blockers have their own limitations, since a given device supports only certain disk interfaces and types.
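To make the interception concrete, the following is an added example (not PDBlock's code or anything from the book) that models the decision a hooked INT 13h handler makes before chaining to the original BIOS routine. It runs on an ordinary host and simulates the register state (AH function number, DL drive number, carry flag) that a real 16-bit resident hook would inspect; the function numbers and the "write protected" status code are the standard BIOS values. The drive-selection policy (`first_protected`) and the constructed call trace in `main` are assumptions made for the example.

```c
/* Simulation of an INT 13h software write blocker's decision logic.
 * Added example: a host-side model, not a DOS TSR. A real blocker saves
 * the existing INT 13h vector, installs its own handler in its place, and
 * applies exactly this check before jumping to the saved BIOS routine. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard INT 13h function numbers (passed in AH). */
enum int13_fn {
    FN_RESET        = 0x00,
    FN_READ         = 0x02,
    FN_WRITE        = 0x03,
    FN_VERIFY       = 0x04,
    FN_FORMAT_TRACK = 0x05,
    FN_FORMAT_CYL   = 0x06,   /* fixed-disk format variants */
    FN_FORMAT_DRIVE = 0x07,
    FN_GET_PARAMS   = 0x08,
    FN_WRITE_LONG   = 0x0B,
    FN_EXT_CHECK    = 0x41,   /* IBM/MS extensions (LBA addressing) */
    FN_EXT_READ     = 0x42,
    FN_EXT_WRITE    = 0x43,
    FN_EXT_VERIFY   = 0x44,
    FN_EXT_PARAMS   = 0x48,
};

/* Standard status codes returned in AH when CF is set. */
enum { STATUS_OK = 0x00, STATUS_BAD_COMMAND = 0x01, STATUS_WRITE_PROTECTED = 0x03 };

struct int13_regs {
    uint8_t ah;   /* function number on entry, status code on return */
    uint8_t al;   /* sector count on entry, sectors transferred on return */
    uint8_t dl;   /* drive number: 0x00-0x7F floppies, 0x80 and up hard disks */
    bool    cf;   /* carry flag: set by the BIOS on error */
};

/* Every function that can change media contents. A blocker must deny all
 * of them, not just 03h: forgetting 43h (extended write) or the format
 * functions leaves a hole on any BIOS that offers them. */
static bool int13_modifies_disk(uint8_t ah)
{
    switch (ah) {
    case FN_WRITE: case FN_FORMAT_TRACK: case FN_FORMAT_CYL:
    case FN_FORMAT_DRIVE: case FN_WRITE_LONG: case FN_EXT_WRITE:
        return true;
    default:
        return false;
    }
}

/* Decision made by the hooked handler before chaining to the BIOS.
 * Drives numbered first_protected and above are protected: 0x80 covers
 * all hard disks while leaving floppies writable, 0x00 protects everything.
 * Returns true if the call may be forwarded to the original handler, false
 * if it was rejected; on rejection the registers are set as the BIOS would
 * set them for a write-protected medium (CF=1, AH=03h, AL=0). */
bool int13_filter(struct int13_regs *r, uint8_t first_protected)
{
    if (int13_modifies_disk(r->ah) && r->dl >= first_protected) {
        r->cf = true;
        r->ah = STATUS_WRITE_PROTECTED;
        r->al = 0;
        return false;
    }
    return true;
}

/* Convenience wrapper using the "protect hard disks only" policy:
 * -1 if the call would reach the BIOS, otherwise the status the caller sees. */
int int13_outcome(uint8_t fn, uint8_t drive)
{
    struct int13_regs r = { .ah = fn, .al = 1, .dl = drive, .cf = false };
    return int13_filter(&r, 0x80) ? -1 : r.ah;
}

int main(void)
{
    /* Constructed call trace: roughly what a DOS imaging tool might issue. */
    const struct { uint8_t fn, drive; const char *what; } trace[] = {
        { FN_RESET,        0x80, "reset first hard disk" },
        { FN_GET_PARAMS,   0x80, "read drive geometry" },
        { FN_EXT_CHECK,    0x80, "probe LBA extensions" },
        { FN_EXT_READ,     0x80, "read sectors from evidence disk" },
        { FN_WRITE,        0x80, "CHS write to evidence disk" },
        { FN_EXT_WRITE,    0x80, "LBA write to evidence disk" },
        { FN_FORMAT_TRACK, 0x81, "format second hard disk" },
        { FN_WRITE,        0x00, "write to floppy (collection disk)" },
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        int rc = int13_outcome(trace[i].fn, trace[i].drive);
        printf("INT 13h AH=%02Xh DL=%02Xh %-32s -> %s\n", trace[i].fn, trace[i].drive,
               trace[i].what, rc < 0 ? "forwarded to BIOS" : "blocked, AH=03h (write protected)");
    }
    return 0;
}
```

The model also shows the limitation the text alludes to: the filter only ever sees requests that arrive through the interrupt vector, so anything that addresses the disk controller directly, or a BIOS that exposes a write path outside this function list, is invisible to it. A hardware blocker sits below that layer, which is why it is the more reliable choice.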
There are two notable nuances to using a Windows Evidence Acquisition Boot Disk. First, when devices such as a Zip drive or Ethernet card are used to transfer data to a collection disk, the necessary drivers must be stored on and loaded from the boot disk. For instance, Ethernet drivers are needed when using a tool like EnCase to preview or acquire evidence via a network cable. Second, because MS-DOS has no NTFS driver, evidence files cannot be saved to an NTFS-formatted drive when using a Windows Evidence Acquisition Boot Disk. Formatting collection disks with FAT32 allows large evidence files to be saved, with the caveat that FAT32 limits a single file to just under 4 GB, so an image of a larger drive must be split into segments smaller than that. Finally, boot disks should be virus checked before use to avoid damaging the computer and the digital evidence that it contains.
[1]http://www.digitalintel.com/pdblock.htm