Digital Forensics Research
Cyber Security Research
Network Boot DiskView Research Poster
Acquiring data in a network environment is currently very difficult, if near impossible, for investigators to do with today's existing tools. Current tools do not help investigators solve any of the following problems:
- Currently available forensic boot disks don't have the most up to date drivers to support the newest hardware.
- In many cases the hard drives that an investigator is trying to access are stored inside hardware that is difficult to access or even inaccessible all together.
- Current procedures, such as imaging with hardware write-blockers, create difficult issues when dealing with RAID. Currently, investigators must remove each individual disk from the array, block and image each individual disk, and then perform complex RAID reconstruction using the individual images.
- Currently hardware write-blockers do not offer support for SAS (Serial Attached SCSI) drives that are common in servers.
- Data storage is now wide-spread and investigators can face the challenge of having to seize data from geographically spread servers/storage.
The Network Boot Disk Research Group has developed a Forensically Sound Windows Boot Disk. This boot disk, known as SAFE, solves many of the above mentioned problems that investigators face.
- A Windows boot disk contains drivers for new hardware, and also gives investigators the ability to dynamically inject drivers on site.
- By using a boot disk to boot servers and storage controllers, an investigator no longer has to worry about having physical access to a device in order to image it.
- The Windows boot disk contains advance software write blocking technology that will block hardware RAID. This allows investigators to image the entire RAID volume at once.
- The advanced software write blocking technology also has the capability of blocking SAS drives.
- The Windows boot disk has the ability to export remote drives after the boot process.