
ByteBack Data Recovery Investigative Suite™ Forensic Mode

Important: when a suspect hard disk is attached, or when a hard disk is attached that is to be examined for forensic purposes, you must start ByteBack D.R.I.S.™ in forensic mode. This ensures that the attached disk will not be changed in any way.

Disk cloning for forensic purposes (evidence acquisition)

To allow ByteBack D.R.I.S.™ to be used to clone disks for forensic purposes, several mechanisms are implemented in the ByteBack D.R.I.S.™ Forensic Mode to ensure that:

  • The destination disk is 'clean' (tabula rasa) before data is copied to it: the destination disk can be sanitized (wiped) using ByteBack D.R.I.S.™.

  • The state of the source and destination can be verified after the clone: ByteBack D.R.I.S.™ can perform a bit-stream comparison of the source and destination disks.

  • The source disk is not altered at any point during the clone process, or during the time ByteBack D.R.I.S.™ is active: when ByteBack D.R.I.S.™ is started in Forensic Mode you MUST select the disk that will be protected during the ByteBack D.R.I.S.™ run. The contents of this disk (the source disk for the forensic clone) cannot be altered for the duration of the ByteBack D.R.I.S.™ run, thus ensuring an untainted source disk.

Methods

  • To access hard disks, ByteBack D.R.I.S.™ uses the extended INT 13h (BIOS) interface.
  • ByteBack D.R.I.S.™ creates a so-called 'bit-stream' copy: all information read from the source is copied one to one. This means that the file systems on the source disk are of no importance; whatever the file system, all readable data is copied.
  • ByteBack D.R.I.S.™ does not 'cylinder align' the copied partitions. If at a later stage the disk layout (partitioning) of the clone needs to be analyzed while the clone is attached to a PC that uses a different disk geometry, ByteBack D.R.I.S.™ can be configured to assume a different geometry.
  • If a sector cannot be read during the disk cloning process, the 512-byte read/write buffer is filled with the F6h byte pattern and this is written to the destination disk. All read errors are logged.
    The F6h byte pattern makes it easy to identify the files (if any) that were affected by unreadable sectors: the clone can be searched for occurrences of the F6h byte pattern.
  • If data was ECC/CRC corrected during a read, this is logged.
  • ByteBack D.R.I.S.™ stops the copy when the last sector of the smaller disk has been read/copied.
  • When the clone has completed, ByteBack D.R.I.S.™ compares the source and destination disks sector by sector and notifies the user if any differences are found. ByteBack D.R.I.S.™ stops the compare when the last sector of the smaller disk has been read/compared. This is only done when ByteBack D.R.I.S.™ is running in Forensic Mode.
  • When a write error is encountered on the destination disk, the clone is aborted.
  • Ranges that were copied or compared are logged.
  • During disk sanitation (in preparation for disk cloning), ByteBack D.R.I.S.™ writes a byte pattern to each sector. This pattern consists of 512 (the number of bytes in one sector) copies of the byte value F6h.
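The behaviours listed above (the F6h wipe and the tabula-rasa check, the write-locked source, the bit-stream copy that stops at the smaller disk and fills unreadable sectors with F6h, the sector-by-sector compare, and the search of the clone for the F6h pattern) can be followed in the Python simulation below. It is an added example, not ByteBack code: the Disk class, the sector contents, the set of unreadable LBAs and the write-lock flag are all constructed here, and the choice to compare an unreadable source sector against the F6h fill is this simulation's assumption, not something the manual states.

```python
# Added example, not ByteBack code: in-memory simulation of the clone,
# sanitize, compare and F6h-fill behaviour described in the manual.
# Disk contents, bad-sector sets and the 'locked' flag are constructed here.

SECTOR = 512                  # bytes per sector
FILL = b"\xf6" * SECTOR       # written for unreadable sectors and by the wipe


class ReadError(Exception):
    """Simulated unreadable sector."""


class Disk:
    def __init__(self, sectors, bad=(), locked=False):
        self.data = bytearray(sectors * SECTOR)   # constructed: zero-filled
        self.bad = set(bad)                       # constructed: unreadable LBAs
        self.locked = locked                      # forensic-mode write lock

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read(self, lba):
        if lba in self.bad:
            raise ReadError(lba)
        return bytes(self.data[lba * SECTOR:(lba + 1) * SECTOR])

    def write(self, lba, buf):
        if self.locked:
            raise PermissionError(f"disk is write-protected (LBA {lba})")
        self.data[lba * SECTOR:(lba + 1) * SECTOR] = buf


def sanitize(disk):
    """Wipe: write the F6h pattern to every sector of the destination."""
    for lba in range(disk.sectors):
        disk.write(lba, FILL)


def is_clean(disk):
    """Tabula-rasa check: every sector must still hold the wipe pattern."""
    return all(disk.read(lba) == FILL for lba in range(disk.sectors))


def clone(src, dst):
    """Bit-stream copy up to the end of the smaller disk. Unreadable source
    sectors become F6h and are logged; a destination write error is not
    caught, so it aborts the clone as the manual describes."""
    n = min(src.sectors, dst.sectors)
    log = {"copied": (0, n - 1), "read_errors": []}
    for lba in range(n):
        try:
            buf = src.read(lba)
        except ReadError:
            buf = FILL
            log["read_errors"].append(lba)
        dst.write(lba, buf)
    return log


def compare(src, dst):
    """Sector-by-sector compare up to the smaller disk; returns the first
    differing LBA or None. Assumption: an unreadable source sector is
    compared against the F6h fill the clone wrote for it."""
    n = min(src.sectors, dst.sectors)
    for lba in range(n):
        try:
            expected = src.read(lba)
        except ReadError:
            expected = FILL
        if expected != dst.read(lba):
            return lba
    return None


def f6_sectors(disk):
    """LBAs holding F6h: read errors on the source, or sectors past the copied
    range that still carry the wipe. The log tells the two apart."""
    return [lba for lba in range(disk.sectors) if disk.read(lba) == FILL]


def demo():
    """Constructed 8-sector source (LBAs 3 and 5 unreadable) cloned onto a
    wiped 10-sector destination; returns the acquisition record."""
    src = Disk(8, bad={3, 5})
    for lba in range(8):
        src.write(lba, bytes([0x41 + lba]) * SECTOR)
    src.locked = True                     # forensic mode: lock the source
    try:
        src.write(0, FILL)                # must be refused while locked
        lock_held = False
    except PermissionError:
        lock_held = True
    dst = Disk(10)
    sanitize(dst)
    record = {"dst_clean": is_clean(dst), "lock_held": lock_held}
    record.update(clone(src, dst))
    record["first_difference"] = compare(src, dst)
    record["f6_sectors"] = f6_sectors(dst)
    return record
```

Running `demo()` shows the point of the logged ranges: the clone reports read errors at LBAs 3 and 5, but the F6h search on the destination also hits LBAs 8 and 9, which were never copied (they lie beyond the 8-sector source) and simply still carry the wipe. Only the copied range and the read-error log together say which F6h sectors stand for unreadable source data.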

Suggested Procedure

In this procedure the following naming conventions are used:
- Source Disk: the suspect hard disk, the disk that needs to be analyzed or copied.
- Destination Disk: the target disk for the clone operation.
- Forensic Computer: the designated PC that will perform the forensic operations using ByteBack D.R.I.S.™.

  1. Disconnect the disk to be examined from the suspect's computer, label it (to identify the disk) and store it safely.
  2. Attach the *destination* disk to the forensic computer. If it has not yet been sanitized, use the ByteBack D.R.I.S.™ wipe feature to do so now.
  3. Attach the *source* disk (make sure the source and destination disks are properly jumpered).
  4. If required, use your favorite application to create a unique, secure hash of the *source* disk.
  5. Boot the forensic computer from the ByteBack D.R.I.S.™ boot diskette. Select option 3: "Command Prompt". Start ByteBack D.R.I.S.™ in forensic mode using the /for switch: at the a:> prompt type BB4 /for [enter].
  6. When prompted to select a disk to be locked, select the *source* disk. In the title bar ByteBack D.R.I.S.™ displays "Forensic" to indicate it is in forensic mode, followed by the decimal hard disk number (128 for the first physical disk, 129 for the second physical disk, etc.) of the disk that was selected to be locked (write protected).
  7. Then select the *source* disk (the same disk you protected) using the [Select Disk] menu.
  8. Select [Disk Operations], [Clone], select the *destination* disk from the list, enter a range (accept the defaults to clone the entire disk; recommended for forensic cloning), select the Clone Type ([From Start to End]) and confirm.
  9. In forensic mode, after the disk has been copied, ByteBack D.R.I.S.™ compares the source and destination areas to verify that the copied data is identical on both disks. If you do not want ByteBack D.R.I.S.™ to compare the disks, you have 30 seconds to cancel the compare procedure. Once the compare has started it can be aborted at any time using the [ESC] key.
    ByteBack D.R.I.S.™ compares the disks until a difference is found (the user is notified), or until the end of the copied area is reached.
  10. If required, use your favorite application to create a unique, secure hash of the *destination* disk.
  11. Power down the PC and remove the source disk. Store the source disk in a safe place.
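Steps 4 and 10 hash the source before the clone and the destination after it. Because the copy stops at the end of the smaller disk, a destination that is larger than the source only hashes alike over the copied range (the source's sector count); its remaining sectors still hold the wipe pattern, so a hash of the whole destination will not match the source. The Python below, an added example rather than ByteBack's or any hashing tool's code, hashes the two images sector by sector over both ranges so the acquisition record states which range the destination hash covers. The images are constructed byte strings standing in for whole disks, and SHA-256 is this example's choice of algorithm, not one the manual prescribes.

```python
# Added example, not ByteBack code: hashing the source before the clone
# (step 4) and the destination after it (step 10). The images are
# constructed byte strings standing in for whole disks.
import hashlib

SECTOR = 512


def sector_hash(image, sectors=None, algorithm="sha256"):
    """Hash an image in 512-byte sectors; `sectors` limits the range
    (None hashes the whole image)."""
    h = hashlib.new(algorithm)
    end = len(image) if sectors is None else sectors * SECTOR
    for off in range(0, end, SECTOR):
        h.update(image[off:off + SECTOR])
    return h.hexdigest()


def verify_clone(source, destination, algorithm="sha256"):
    """Compare the source hash with the destination hashed over the copied
    range (the source's sector count) and over the whole destination."""
    src_sectors = len(source) // SECTOR
    copied = sector_hash(destination, src_sectors, algorithm)
    whole = sector_hash(destination, None, algorithm)
    report = {
        "source": sector_hash(source, None, algorithm),
        "destination_copied_range": copied,
        "destination_whole": whole,
    }
    report["match"] = report["source"] == copied
    report["range_matters"] = copied != whole   # True when the destination is larger
    return report


def demo():
    """Constructed 4-sector source cloned onto a 6-sector destination whose
    last two sectors still hold the F6h wipe pattern."""
    source = b"".join(bytes([0x41 + i]) * SECTOR for i in range(4))
    destination = source + b"\xf6" * SECTOR * 2
    return verify_clone(source, destination)
```

In the constructed case `match` is True and `range_matters` is True: the copied range verifies, while the whole-destination hash differs because of the two wiped sectors beyond the source. Sectors that were unreadable on the source and written as F6h on the clone will likewise not hash alike; for those, the read-error log is the record.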

http://www.toolsthatwork.com