Windows Evidence Acquisition Boot Disk: Forensic Method Overview
Learn how to use a Windows boot disk for evidence acquisition, prevent file alteration, and enhance data collection for forensic analysis. Discover the importance of write protection tools in digital investigations.
Presentation Transcript
COEN 252 Computer Forensics: Windows Evidence Acquisition Boot Disk
Windows Evidence Acquisition Boot Disk
• Use a boot disk to
  • Copy evidence from the hard drive.
    • But there are usually better ways.
  • Preview a system to discover whether an incident has occurred.
  • Run a string search to see whether the computer contains evidence.
Windows Evidence Acquisition Boot Disk
• The Windows boot disk should prevent files from being altered.
• Change command.com and io.sys so that they do not access system components.
Windows Evidence Acquisition Boot Disk
• Delete the drvspace.bin file, because it attempts to open compressed volumes.
• Add the drivers needed to collect the evidence (Ethernet connection, Zip drive, etc.) to the boot disk.
• Windows boot disks cannot access NTFS drives directly.
Windows Evidence Acquisition Boot Disk
• Alternatively, use a Linux boot disk:
  • Forensic and Incident Response Environment (FIRE)
  • Helix (Knoppix-based)
  • Knoppix STD
  • Local Area Security Linux
  • Penguin Sleuth Kit (Knoppix-based)
  • Plan-B
  • Snarl (FreeBSD-based)
Evidence Gathering
• Write protect the evidence hard drive with software
  • by intercepting INT 13h accesses to the disk.
• Write protect the evidence hard drive with hardware.
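As an added illustration (not part of the original slides), the filter a software write blocker applies once it has hooked INT 13h, simulated in C against a constructed in-memory disk: write-class function numbers are refused with the BIOS "write protected" status (AH=03h, carry flag set), while reads are forwarded to the original handler. The register set is reduced to a function number, a sector index and a buffer, and the sector contents are constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* INT 13h status codes returned in AH (CF is set on error). */
#define ST_OK              0x00
#define ST_BAD_COMMAND     0x01
#define ST_WRITE_PROTECTED 0x03
/* Constructed evidence medium: 4 sectors of 16 bytes (real sectors are 512). */
#define NSECT 4
#define SSIZE 16
static uint8_t disk[NSECT][SSIZE] = {"evidence-sect-0", "evidence-sect-1",
                                     "evidence-sect-2", "evidence-sect-3"};

/* True for every INT 13h function that can modify the medium. */
bool is_write_function(uint8_t ah) {
    switch (ah) {
    case 0x03:                         /* write sectors (CHS) */
    case 0x05:                         /* format track */
    case 0x06: case 0x07: case 0x0B:   /* XT-era format and write-long functions */
    case 0x43:                         /* extended write (LBA address packet) */
        return true;
    default:                           /* reset, status, read, verify, extended read */
        return false;
    }
}
/* Stand-in for the original BIOS handler; a sector index replaces CHS/DAP fields. */
static uint8_t bios_int13(uint8_t ah, unsigned sector, uint8_t *buf, bool *cf) {
    *cf = false;
    if (sector >= NSECT) { *cf = true; return ST_BAD_COMMAND; }
    switch (ah) {
    case 0x02: case 0x42: memcpy(buf, disk[sector], SSIZE); return ST_OK;
    case 0x03: case 0x43: memcpy(disk[sector], buf, SSIZE); return ST_OK;
    default:              *cf = true; return ST_BAD_COMMAND;
    }
}
/* The interposed handler: refuse writes as "write protected", forward the rest. */
uint8_t int13_write_blocked(uint8_t ah, unsigned sector, uint8_t *buf, bool *cf) {
    if (is_write_function(ah)) { *cf = true; return ST_WRITE_PROTECTED; }
    return bios_int13(ah, sector, buf, cf);
}
/* Scenario: read sector 1, then try a CHS write and an LBA write to it. */
bool write_block_demo(void) {
    uint8_t buf[SSIZE]; bool cf;
    if (int13_write_blocked(0x02, 1, buf, &cf) != ST_OK || cf) return false;
    memset(buf, 'X', SSIZE);
    if (int13_write_blocked(0x03, 1, buf, &cf) != ST_WRITE_PROTECTED || !cf) return false;
    if (int13_write_blocked(0x43, 1, buf, &cf) != ST_WRITE_PROTECTED || !cf) return false;
    return memcmp(disk[1], "evidence-sect-1", SSIZE) == 0;   /* medium unchanged */
}
```

The interception only covers BIOS disk services: 32-bit Windows disk drivers talk to the controller directly and bypass INT 13h, so this protection holds only while the machine runs under DOS from the boot disk.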
Tools for Live Examination
• Avoid using system tools on the evidence machine.
  • This can get you into DLL hell.
• Use filemon to check which files are being accessed when you run a command from your forensic CD.