1 The Modern Control Boot Disk
2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot disks, where the Computer Forensic industry started. However, DOS is slow and lacks driver, file system, and application support, so the industry has moved away from DOS control boot disks to boot disks built on more modern and complex OSs.
3 Any CF examiner could make a DOS control boot disk! Using a HEX editor, simple modifications were made to a DOS boot disk to turn it into a Control Boot Disk. Early software (Int-13) write blockers were written and widely used: PDBlock and HDL. http://www.cftt.nist.gov/software_write_block.htm
4 DOS Utility Disks CF examiners built Utility Disks to go with their Control Boot Disks and hold all their forensic tools. Few DOS forensic tools to choose from… Imaging tools: primarily SafeBack & EnCase for DOS. Other tools: searching, hashing, 3rd-party file system drivers, HEX editor, etc.
5 The rise of Linux Live CDs What are Live CDs? The term "live" derives from the fact that these CDs each contain a complete, functioning and operational operating system on the distribution medium. http://en.wikipedia.org/wiki/Live_CD These multi-threaded, fully functional OSs allowed the use of better and faster forensic applications for acquisition, hashing, searching, etc. in a controlled boot environment. Became popular with the release of Knoppix in 2003.
6 Linux Live CDs Widely used in the CF industry –Free –Open source, and therefore customizable. –Built-in tools for imaging (dd), hashing (md5sum/sha1sum), searching (grep), etc. –Must have Linux skills and comfort in a Linux command-line environment. –EnCase ported from DOS to Linux to create LinEn for use on Linux Live CDs. –Until 2009, Linux provided the only complex OS with available forensic tools in the form of a controlled boot disk.
7 Helix, Raptor, SPADA, Knoppix, Penguin Sleuth, and many others over the past several years…
8 Linux Live CDs as Control Boot Disks? But how Controlled is the Linux OS on the forensic Live CDs? The OS is MUCH more complex than the 3 binary files that make up a DOS bootable disk….and much more complex to modify into a controlled OS environment. And what about software write-blocking? We will discuss this in a few slides!
9 Linux Live CDs as Control Boot Disks? Forensic Linux Live CDs are modified to prevent auto-mounting of detected file systems and designed to mount Read-Only any file systems they do mount. Live CDs are compiled by Linux experts. The typical CF examiner is no longer able to create/modify their own clean OS into a controlled boot disk. Must rely on other people's work and trust that the boot disk is truly forensically sound.
10 Software write-blocking? Linux Live CDs do NOT utilize software write-blocking. Most in the CF industry mistakenly believe that the use of no auto-mounting and mounting read-only is software write-blocking.
11 Software write-blocking? Many novice Linux users inadvertently write to disks at the physical level (/dev/hda) when logical file systems (/dev/hda1) are mounted read-only. Disclaimers? http://www.spada-cd.info/about.htm
12 Software write-blocking? Software write-blocking is accomplished through device drivers in complex OSs (Unix, Linux, Windows, etc.) More complex operating systems, for example Windows XP or a UNIX variant (e.g., Linux), may disallow any low level interface (through the BIOS or the controller) and only allow user programs access to a hard drive through a device driver, a component of the operating system that manages all access to a device. http://www.cftt.nist.gov/documents/SWB-STP-V3_1a.pdf
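The distinction slides 10 to 12 draw is between a file system mounted read-only (a property of one mount) and the raw disk node, which remains writable regardless of how its partitions are mounted. The audit script below is an added example, not part of the presentation or any vendor's product; it reads two standard Linux interfaces, /proc/mounts and /sys/class/block/<name>/ro, and reports, per whole disk, whether the kernel block layer refuses writes, whether only the mounts are read-only, or whether a file system is mounted read-write. The block-layer flag is a kernel policy setting, not a validated write-block driver in the NIST sense, so the deck's advice to test the boot disk yourself still applies. The classifier works on captured text so it can be checked offline on the constructed sample included in the block.

```python
#!/usr/bin/env python3
"""Audit block-layer vs. mount-level write protection on a Linux live system.

Added example (not from the presentation).  Kernel interfaces used:
  /proc/mounts                  every mounted filesystem and its options
  /sys/class/block/<name>/ro    "1" if the block layer is read-only for that node
  /sys/class/block/<name>/partition   present only for partition nodes
A filesystem mounted "ro" on /dev/sda1 does not protect /dev/sda itself.
"""
import os
import sys

# Constructed sample data so classify() can be exercised without a live system.
SAMPLE_PROC_MOUNTS = """\
/dev/sr0 / iso9660 ro,relatime 0 0
/dev/sda1 /mnt/evidence ntfs ro,relatime 0 0
/dev/sdb1 /mnt/case ext4 rw,relatime 0 0
"""
# (name, parent disk or None, ro flag) as read_live_state() would return them
SAMPLE_DEVICES = [
    ("sr0", None, "1"),
    ("sda", None, "0"), ("sda1", "sda", "0"),
    ("sdb", None, "0"), ("sdb1", "sdb", "0"),
    ("sdc", None, "1"), ("sdc1", "sdc", "1"),
]


def parse_proc_mounts(text):
    """Return {device basename: set(mount options)} for /dev/-backed mounts."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("/dev/"):
            continue
        mounts.setdefault(os.path.basename(fields[0]), set()).update(fields[3].split(","))
    return mounts


def classify(proc_mounts_text, devices):
    """Give one verdict per whole disk.

    "block-layer read-only"            kernel refuses writes to the disk and its partitions
    "unmounted, disk node writable"    nothing mounted, but raw writes would succeed
    "mounted ro only, disk node writable"  the false sense of security from slide 10
    "MOUNTED READ-WRITE"               ordinary file system activity alters the disk
    """
    mounts = parse_proc_mounts(proc_mounts_text)
    children = {}
    for name, parent, _ in devices:
        if parent:
            children.setdefault(parent, []).append(name)
    verdicts = {}
    for name, parent, flag in devices:
        if parent:
            continue  # partitions are judged through their disk
        if flag == "1":
            verdicts[name] = "block-layer read-only"
            continue
        nodes = [name] + children.get(name, [])
        opts = [mounts[n] for n in nodes if n in mounts]
        if not opts:
            verdicts[name] = "unmounted, disk node writable"
        elif all("ro" in o for o in opts):
            verdicts[name] = "mounted ro only, disk node writable"
        else:
            verdicts[name] = "MOUNTED READ-WRITE"
    return verdicts


def read_live_state():
    """Collect (name, parent, ro flag) for every block device from sysfs."""
    devices = []
    for name in os.listdir("/sys/class/block"):
        path = os.path.realpath(os.path.join("/sys/class/block", name))
        try:
            with open(os.path.join(path, "ro")) as f:
                ro = f.read().strip()
        except OSError:
            continue
        # Partition nodes sit under their disk (.../block/sda/sda1) and carry a "partition" file.
        parent = None
        if os.path.exists(os.path.join(path, "partition")):
            parent = os.path.basename(os.path.dirname(path))
        devices.append((name, parent, ro))
    with open("/proc/mounts") as f:
        return f.read(), devices


if __name__ == "__main__":
    try:
        mounts_text, devs = read_live_state()
    except OSError as exc:
        sys.exit(f"not a Linux system with sysfs/procfs: {exc}")
    verdicts = classify(mounts_text, devs)
    for disk, verdict in sorted(verdicts.items()):
        print(f"{disk:12} {verdict}")
    sys.exit(1 if "MOUNTED READ-WRITE" in verdicts.values() else 0)
```

Run it from the booted live environment before attaching anything to an evidence drive; a non-zero exit flags a read-write mount. On the constructed sample, sda shows the case slide 11 warns about: its only partition is mounted read-only, yet /dev/sda itself is still writable.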
13 Software write-blocking? No Linux Live CD in the world includes software write-block device drivers. Linux software write-blocking does not exist (as of the writing of this presentation in 09/2009). There is only one forensic Live CD in the world that uses a complex OS and utilizes actual software write-blocking…. SAFE™, the first and only forensic Windows boot disk, by ForensicSoft, Inc. (as of the writing of this presentation in 09/2009) http://www.forensicsoft.com/catalog/product_info.php?products_id=31
15 1. Consists of a highly modified Windows PE OS with true software write-blocking. 2. Users have the ability to block and unblock attached disks with the click of a button. 3. Hardware specs are documented into a session log to preserve a record of detected hardware. 4. Utilizes Windows device drivers, which are available for every disk controller ever created. This is a major benefit over Linux Live CDs, where Linux drivers are often unavailable. –User can add new drivers on-the-fly very easily. 5. Full file system support for NTFS.
16 The Modern Utility Disk 1. CDs hold more data than old DOS floppies, and therefore forensic utilities can now be incorporated into the boot disk itself or on a USB thumb drive. 2. SAFE™ runs on Windows PE and supports most Windows forensic tools. –EnCase, FTK Imager, X-Ways/WinHex –Hashing, searching, carving, data recovery, file viewing, etc. 3. SAFE™ has built-in: –Case documentation features –Hashing –Drive preparation (wiping, partitioning, formatting) –Searching –And many other features…
17 Trust only yourself! 1. No matter what any CF examiner or vendor tells you about their tool(s), always validate it for yourself before using it on evidence. 2. If you didn't write and/or modify it yourself, how do you know it is forensically sound? 3. Can you testify that the Control boot disk you use is in fact forensically sound and will not/does not alter data on systems that you boot with the control boot disk? 4. Test it yourself and document your test results. 5. Re-test any time anything changes.
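The usual way to act on points 4 and 5 of this slide is a before/after hash test: hash a test drive, boot the candidate control boot disk with that drive attached, do the normal examiner activity, shut down, hash the drive again and compare. The script below is an added example, not part of the presentation or any vendor's tool; it hashes a device node in chunks, appends each result to a newline-delimited JSON log so the test is documented, and compares two records. The selftest() function runs the whole procedure on a constructed file-backed image instead of a real drive; the log file name and JSON layout are this example's own choices.

```python
#!/usr/bin/env python3
"""Before/after hash validation of a control boot disk (added example).

Procedure: hash_device() the test drive, boot the candidate disk with the
drive attached, shut down, hash_device() again, compare().  Any difference
in size or digest means the boot disk wrote to the drive.
"""
import hashlib
import json
import os
import sys
import time

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large devices


def hash_device(path, algo="sha256"):
    """Hash a device node (or image file) in chunks and return a record dict."""
    h = hashlib.new(algo)
    size = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            h.update(block)
            size += len(block)
    return {"path": path, "algo": algo, "bytes": size, "digest": h.hexdigest()}


def record(entry, logfile, note):
    """Append a timestamped copy of a hash record to a JSON-lines test log."""
    entry = dict(entry, time=time.strftime("%Y-%m-%dT%H:%M:%S%z"), note=note)
    with open(logfile, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def compare(before, after):
    """Return (unchanged, message) for two records of the same drive."""
    if before["algo"] != after["algo"]:
        raise ValueError("records use different hash algorithms")
    if before["bytes"] != after["bytes"]:
        return False, f"size changed: {before['bytes']} -> {after['bytes']} bytes"
    if before["digest"] != after["digest"]:
        return False, "digest changed: the boot disk altered the drive"
    return True, "no change detected"


def selftest():
    """Run the procedure on a constructed image file; returns (unchanged, changed)."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "test-drive.img")   # constructed stand-in for a device
        log = os.path.join(d, "validation.jsonl")
        with open(drive, "wb") as f:
            f.write(os.urandom(CHUNK * 2 + 123))
        before = record(hash_device(drive), log, "baseline")
        unchanged = compare(before, record(hash_device(drive), log, "reboot, no writes"))[0]
        with open(drive, "r+b") as f:              # simulate a boot disk touching the drive
            f.seek(0)
            f.write(b"WRITTEN")
        changed = compare(before, record(hash_device(drive), log, "after tampering"))[0]
    return unchanged, changed


if __name__ == "__main__":
    # usage: validate.py baseline <device> <log>   |   validate.py compare <device> <log>
    if len(sys.argv) != 4 or sys.argv[1] not in ("baseline", "compare"):
        sys.exit("usage: validate.py {baseline|compare} <device> <logfile>")
    mode, device, logfile = sys.argv[1:]
    current = record(hash_device(device), logfile, mode)
    if mode == "compare":
        with open(logfile) as f:
            baseline = json.loads(f.readline())
        ok, msg = compare(baseline, current)
        print(msg)
        sys.exit(0 if ok else 1)
    print(f"baseline recorded: {current['digest']}")
```

Run the baseline from a known-good environment, not from the boot disk under test, so the first hash itself cannot be affected by the disk you are validating; re-run the compare step after every change to the boot disk, as point 5 of the slide requires.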