The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.

The Modern Control Boot Disk

2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot disks, where the Computer Forensic industry started. However, DOS is slow and lacks driver, file system, and application support, so the industry has moved away from DOS control boot disks to boot disks built on more modern and complex OSs.

3 Any CF examiner could make a DOS control boot disk! Using a HEX editor, simple modifications were made to a DOS boot disk to turn it into a Control Boot Disk. Early software (Int-13) write blockers were written and widely used: PDBlock and HDL.

4 DOS Utility Disks. CF examiners built Utility Disks to go with their Control Boot Disks and hold all their forensic tools. There were few DOS forensic tools to choose from. Imaging tools: primarily SafeBack and EnCase for DOS. Other tools: searching, hashing, 3rd-party file system drivers, HEX editor, etc.

5 The rise of Linux Live CDs What are Live CDs? The term "live" derives from the fact that these CDs each contain a complete, functioning and operational operating system on the distribution medium. The multi-threaded fully-functional OSs allowed the use of better and faster forensic applications for acquisition, hashing, searching, etc. in a controlled boot environment. Became popular with the release of Knoppix in 2003.

6 Linux Live CDs. Widely used in the CF industry:
–Free
–Open source, and therefore customizable.
–Built-in tools for imaging (dd), hashing (md5sum/sha1sum), searching (grep), etc.
–Must have Linux skills and comfort in a Linux command-line environment.
–EnCase ported from DOS to Linux to create LinEn for use on Linux Live CDs.
–Until 2009, Linux provided the only complex OS with available forensic tools in the form of a controlled boot disk.

7 Helix, Raptor, SPADA, Knoppix, Penguin Sleuth, and many others over the past several years…

8 Linux Live CDs as Control Boot Disks? But how controlled is the Linux OS on the forensic Live CDs? The OS is MUCH more complex than the 3 binary files that make up a DOS bootable disk, and much more complex to modify into a controlled OS environment. And what about software write-blocking? We will discuss this in a few slides!

9 Linux Live CDs as Control Boot Disks? Forensic Linux Live CDs are modified to prevent auto-mounting of detected file systems and designed to mount read-only any file systems they do mount. Live CDs are compiled by Linux experts; the typical CF examiner is no longer able to create or modify their own clean OS into a controlled boot disk and must rely on other people's work, trusting that the boot disk is truly forensically sound.

10 Software write-blocking? Linux Live CDs do NOT utilize software write-blocking. Most in the CF industry mistakenly believe that the use of no auto-mounting and mounting read-only is software write-blocking.

11 Software write-blocking? Many novice Linux users inadvertently write to disks at the physical level (/dev/hda) when logical file systems (/dev/hda1) are mounted read-only. Disclaimers?

12 Software write-blocking? Software write-blocking is accomplished through device drivers in complex OSs (Unix, Linux, Windows, etc.). More complex operating systems, for example Windows XP or a UNIX variant (e.g., Linux), may disallow any low-level interface (through the BIOS or the controller) and only allow user programs access to a hard drive through a device driver, a component of the operating system that manages all access to a device.

13 Software write-blocking? No Linux Live CD in the world includes software write-block device drivers; Linux software write-blocking does not exist (as of the writing of this presentation in 09/2009). There is only one forensic Live CD in the world that uses a complex OS and utilizes actual software write-blocking: SAFE™, the first and only forensic Windows boot disk by ForensicSoft, Inc. (as of the writing of this presentation in 09/2009).

14 The SAFE™ boot disk

1. Consists of a highly modified Windows PE OS with true software write-blocking.
2. Users have the ability to block and unblock attached disks with the click of a button.
3. Hardware specs are documented into a session log to preserve a record of detected hardware.
4. Utilizes Windows device drivers, which are available for every disk controller ever created. This is a major benefit over Linux Live CDs, where Linux drivers are often unavailable.
–User can add new drivers on-the-fly very easily.
5. Full file system support for NTFS.

15 The Modern Utility Disk

1. CDs hold more data than old DOS floppies, and therefore forensic utilities can now be incorporated into the boot disk itself or on a USB thumb drive.
2. SAFE™ runs on Windows PE and supports most Windows forensic tools.
–EnCase, FTK Imager, X-Ways/WinHex
–Hashing, searching, carving, data recovery, file viewing, etc.
3. SAFE™ has built-in:
–Case documentation features
–Hashing
–Drive preparation (wiping, partitioning, formatting)
–Searching
–And many other features…

16 Trust only yourself!

1. No matter what any CF examiner or vendor tells you about their tool(s), always validate it for yourself before using it on evidence.
2. If you didn't write and/or modify it yourself, how do you know it is forensically sound?
3. Can you testify that the control boot disk you use is in fact forensically sound and will not/does not alter data on systems that you boot with it?
4. Test it yourself and document your test results.
5. Re-test any time anything changes.
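The validation this slide asks for, as an added example that is not from the presentation or from ForensicSoft: hash a test drive before and after booting the candidate control boot disk, then localise any change to a sector so the test log says exactly where the boot disk wrote. The test drive, both "after" states and the SECTOR constant are constructed stand-ins for a real device read with dd.

```python
import hashlib
import os

SECTOR = 512  # sector size assumed for the test drive


def snapshot(image: bytes) -> dict:
    """Hash the whole device and every sector, so a later change can be
    localised to an LBA instead of just 'the hash differs'."""
    sectors = [hashlib.sha256(image[i:i + SECTOR]).hexdigest()
               for i in range(0, len(image), SECTOR)]
    return {"size": len(image),
            "sha256": hashlib.sha256(image).hexdigest(),
            "sectors": sectors}


def changed_sectors(before: dict, after: dict) -> list:
    """LBAs whose content differs between the two snapshots."""
    if before["size"] != after["size"]:
        raise ValueError("device size changed between snapshots")
    return [lba for lba, (b, a) in
            enumerate(zip(before["sectors"], after["sectors"])) if b != a]


def validation_report(label: str, before: dict, after: dict) -> dict:
    """Verdict plus the lines an examiner would record in the test log."""
    diff = changed_sectors(before, after)
    lines = [f"boot disk under test: {label}",
             f"hash before boot: {before['sha256']}",
             f"hash after boot:  {after['sha256']}"]
    if diff:
        lines.append("RESULT: FAIL, writes occurred at LBA(s) "
                     + ", ".join(str(x) for x in diff))
    else:
        lines.append("RESULT: PASS, device unchanged")
    return {"sound": not diff, "changed_lbas": diff, "log": lines}


# Constructed test drive: 16 sectors of random bytes stand in for /dev/sdX.
TEST_DRIVE = os.urandom(16 * SECTOR)
BASELINE = snapshot(TEST_DRIVE)

# Constructed outcome 1: a sound control boot disk leaves every sector intact.
AFTER_SOUND = bytes(TEST_DRIVE)

# Constructed outcome 2: the file system was mounted read-only, but the OS still
# wrote to the physical device (the failure slides 10 and 11 describe).
_tampered = bytearray(TEST_DRIVE)
_tampered[3 * SECTOR] ^= 0xFF         # one byte flipped in sector 3
_tampered[9 * SECTOR + 100] ^= 0xFF   # and one in sector 9
AFTER_UNSOUND = bytes(_tampered)
```

For a real test, replace TEST_DRIVE and the "after" bytes with the contents of the device read before and after booting the candidate disk (for example with dd), and keep the returned log lines with your test results.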

17 Questions? Please use the discussion board!