Controlling the Boot Process of a Suspect System

Danielle Corsa
Oct 30, 2019 1:00:00 PM

Retrieving electronic evidence is an imperative part of any forensic investigation. One must follow a strict set of processes to ensure the proper extraction of data, maintain the integrity of the media, establish chain of custody, and document hash values. One way to obtain evidence from a computer is to remove the hard drive and take it back to your lab for static analysis, attaching it to your own controlled forensic hardware and computer. In certain circumstances, however, an examiner will have to use a controlled boot process: start the subject’s computer from a controlled boot disk and run the acquisition tools directly on the subject’s computer. Depending on the situation you encounter, you may decide that the best option is to boot the subject’s computer with a Controlled Boot Disk (CBD). A few examples of when you’d want to use a CBD are as follows:

  • RAID arrays
  • Macs (removing the drive is very hard without breaking the machine)
  • Triage / preview of subject computer is required prior to acquisition or seizure
  • Required to conduct on-site acquisition of multiple computers / servers (multi-tasking feasible with multiple copies of CBD using multiple forensic computers)

Prior to booting to the CBD, the examiner must first check the suspect computer’s BIOS to be sure the boot order is set to boot from the CD / USB drive ahead of the internal hard drive. The examiner should also confirm what kind of system they are booting, because the keystrokes used to reach the BIOS or boot menu and control the boot process vary from system to system. The examiner MUST first test the boot disk with the subject’s hard drive disconnected to confirm that the CBD boots properly in the subject’s computer. Without this test, you run the risk of the boot failing and the subject’s system loading its own operating system, altering the evidence. If this does happen, documentation is key. You are only successful if the machine you are booting actually boots to the CBD instead of the OS installed on its hard drive.

Write-blocking must be enabled on the CBD to keep the subject’s hard drive from being written to. Some CBDs do not utilize software write-blocking, so the examiner must know their tools and their capabilities prior to imaging. One way to avoid any confusion surrounding software write-blockers is to always use a hardware write-blocker; this adds an extra layer of security during the acquisition process. The SAFE (System Acquisition Forensic Environment) Windows boot disk by ForensicSoft, Inc., uses a complex OS and provides actual software write-blocking. SAFE supports most Windows forensic tools, such as EnCase, FTK Imager, X-Ways and WinHex, and has built-in case documentation features, hashing, searching, DCO / HPA detection and removal, etc. No matter what tool you decide to use, an examiner should always test and self-validate on a known device with known baseline data, and document the test results, before using it on evidence. Contact us today to further discuss your specific digital forensics situation, questions, and needs!
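The self-validation step described above, as an added example that is not part of the original post and not code from ForensicSoft or any other vendor: a Python script that hashes a known test device, takes a raw sector-for-sector copy of it, hashes the copy and then the device again, and writes a record of whether the device matched its documented baseline, the image verified, and the device came back unchanged. The "device" here is a constructed file holding a deterministic byte pattern, the paths are scratch paths, and the `after_hook` parameter is a test seam of my own used to model a write-block that did not hold; on a real validation the source would be the block device sitting behind the write-blocker.

```python
# Added example (not from the original post): self-validating an acquisition
# workflow against a known device with known baseline data, recording the
# hash values the case notes need. Paths and the test pattern are constructed.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20            # 1 MiB reads keep memory flat on large media
ALGORITHMS = ("md5", "sha256")


def hash_device(path):
    """Hash a block device or image file in a single streaming pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image_path):
    """Sector-for-sector raw copy (dd-style); returns the number of bytes copied."""
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(CHUNK):
            dst.write(chunk)
            copied += len(chunk)
    return copied


def validate_acquisition(source, image_path, baseline, after_hook=None):
    """Hash the source before, the image, and the source after; compare all
    three with the documented baseline. after_hook is a hypothetical test seam
    that runs between the copy and the final hash, standing in for whatever
    happens to the media while the tools are in use."""
    before = hash_device(source)
    copied = acquire(source, image_path)
    image = hash_device(image_path)
    if after_hook:
        after_hook()
    after = hash_device(source)
    checks = {
        # the test device still holds the data documented for it
        "baseline_matches": before == baseline,
        # the image is bit-for-bit identical to the media it was taken from
        "image_verified": image == before,
        # nothing touched the media during acquisition (the write-block held)
        "source_unchanged": after == before,
    }
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "bytes_copied": copied,
        "baseline": baseline,
        "source_before": before,
        "image_hashes": image,
        "source_after": after,
        "checks": checks,
        "passed": all(checks.values()),
    }


def build_known_device(directory, size=4 * CHUNK):
    """Write a constructed, deterministic pattern as the 'known device' and
    compute its baseline hashes independently of hash_device()."""
    pattern = bytes(range(256))
    data = pattern * (size // len(pattern))
    path = os.path.join(directory, "known_device.raw")
    with open(path, "wb") as fh:
        fh.write(data)
    baseline = {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}
    return path, baseline


def run_validation(simulate_write=False):
    """Run the whole self-validation in a scratch directory and return the
    record. With simulate_write=True one byte of the 'device' is altered after
    the copy, modelling a write-blocker that did not hold; the record flags it."""
    with tempfile.TemporaryDirectory() as tmp:
        source, baseline = build_known_device(tmp)
        image_path = os.path.join(tmp, "acquired.dd")

        def tamper():
            # byte at offset 512 is 0x00 in the pattern; overwrite with 0xff
            with open(source, "r+b") as fh:
                fh.seek(512)
                fh.write(b"\xff")

        return validate_acquisition(
            source, image_path, baseline,
            after_hook=tamper if simulate_write else None,
        )


if __name__ == "__main__":
    print(json.dumps(run_validation(), indent=2))
    print(json.dumps(run_validation(simulate_write=True)["checks"], indent=2))
```

Running the script prints the JSON record for the passing case and then the check results for the simulated-write case, where `image_verified` stays true (the copy was good) but `source_unchanged` is false, which is exactly the condition a write-blocker test has to be able to catch before the tool is trusted on evidence.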
