The “Modern” ControlBoot Disk

2

What do we mean by a “Modern” control boot disk?

In your previous lectures you learned about the original DOS control boot disks….where the Computer Forensic industry started.

…however, DOS is slow and lacks driver, file system, and application support….so the industry has moved away from using DOS control boot disks to boot disks using more modern and complex OSs.

3

Any CF examiner could make a DOS control boot disk!

Using a HEX editor, simple modifications were made to a DOS boot disk to turn it into a “Control Boot Disk”.

Early software (Int-13) write blockers were written and widely used: PDBlock and HDL

http://www.cftt.nist.gov/software_write_block.htm

4

DOS Utility DisksCF examiners built “Utility Disks” to go with

their Control Boot Disks and hold all their forensic tools.

Few DOS forensic tools to chose from…

Imaging tools: Primarily SafeBack & EnCase for DOS

Other tools: Searching, Hashing, 3rd party file system drivers, HEX editor, etc.

5

The “rise” of Linux Live CDsWhat are “Live CDs”?

The term "live" derives from the fact that these CDs each contain a complete, functioning and operational operating system on the distribution medium. http://en.wikipedia.org/wiki/Live_CD

The multi-threaded fully-functional OSs allowed the use of better and faster forensic applications for acquisition, hashing, searching, etc. in a “controlled” boot environment.

Became popular with the release of Knoppix in 2003.

6

Linux Live CDs• Widely used in CF industry

– Free– Open source, and therefore customizable.– Built-in tools for imaging (dd), hashing

(md5sum/sha1sum), searching (grep), etc.– Must have Linux skills and comfort in a Linux

command-line environment.– EnCase ported from DOS to Linux to create

“LinEn” for use on Linux Live CDs.– Until 2009, Linux provided the only complex

OS with available forensic tools in the form of a “controlled” boot disk.

7

Helix, Raptor, SPADA, Knoppix, Penguin Sleuth, and many others over the past several years…

8

Linux Live CDs as “Control Boot Disks”?

But how “Controlled” is the Linux OS on the “forensic” Live CDs?

The OS is MUCH more complex than the 3 binary files that make up a DOS bootable disk….and much more complex to modify into a “controlled” OS environment.

And what about software write-blocking?

We will discuss this in a few slides!

9

Linux Live CDs as “Control Boot Disks”?

• “Forensic” Linux Live CDs are modified to prevent “auto-mounting” of detected file systems and designed to mount “Read-Only” any file systems it does mount.

• Live CDs are compiled by Linux experts.• Typical CF examiner is no longer able to

create/modify their own clean OS into a controlled boot disk. Must rely on other peoples’ work and trust that the boot disk is truly “forensically sound”.

10

Software write-blocking?

• Linux Live CDs do NOT utilize software write-blocking.

• Most in the CF industry mistakenly believe that the use of “no auto-mounting” and mounting “read-only” is software write-blocking.

11

Software write-blocking?• Many novice Linux users inadvertently

write to disks at the physical level (/dev/hda) when logical file systems (/dev/hda1) are mounted “read-only”.

• Disclaimers?

http://www.spada-cd.info/about.htm

12

Software write-blocking?• Software write-blocking is accomplished

through device drivers in complex OSs (Unix, Linux, Windows, etc.)

“More complex operating systems, for example Windows XP or a UNIX variant (e.g., Linux), may disallow any low level interface (through the BIOS or the controller) and only allow user programs access to a hard drive through a device driver, a component of the operating system that manages all access to a device.”

http://www.cftt.nist.gov/documents/SWB-STP-V3_1a.pdf

13

Software write-blocking?• No Linux Live CD in the world includes

software write-block device drivers.• Linux software write-blocking does not

exist. (as of the writing of this presentation in 09/2009)

• There is only one forensic “Live CD” in the world that uses a “complex” OS and utilizes actual software write-blocking…. SAFETM, the first and only forensic Windows boot disk by ForensicSoft, Inc. (as of

the writing of this presentation in 09/2009)

http://www.forensicsoft.com/catalog/product_info.php?products_id=31

14

The SAFETM boot disk

The SAFETM boot disk1. Consists of a highly modified Windows PE OS with true

software write-blocking.

2. Users have the ability to block and unblock attached disks with the click of a button.

3. Hardware specs are documented into a session log to preserve a record of detected hardware.

4. Utilizes Windows device drivers, which are available for every disk controller ever created. This is a major benefit over Linux Live CDs, where Linux drivers are often unavailable.

– User can add new drivers on-the-fly very easily.

5. Full file system support for NTFS.

15

The “Modern” Utility Disk1. CD’s hold more data than old DOS floppies and therefore

forensic utilities can now be incorporated into the boot disk itself or on a USB thumbdrive.

2. SAFETM runs on Windows PE and supports most Windows forensic tools.

– EnCase, FTK Imager, X-Ways/WinHex– Hashing, searching, carving, data recovery, file viewing, etc.

3. SAFETM has built-in:– Case documentation features– Hashing– Drive preparation (wiping, partitioning, formatting)– Searching– And many other features…

16

Trust only yourself!1. No matter what any CF examiner or vendor tells you

about their tool(s), always validate it for yourself before using it on evidence.

2. If you didn’t write and/or modify it yourself, how do you know it is “forensically sound”?

3. Can you testify that the “Control boot disk” you use is in fact forensically sound and will not/does not alter data on systems that you boot with the control boot disk?

4. Test it yourself and document your test results.

5. Re-test any time anything changes.

17

Questions?

Please use the discussion board!