Comments on "Forensics from the sausage factory: Windows FE saves the day with a Dell Inspiron 530" (blog by DC1743; comment feed last updated 2024-03-26)

Comments, oldest first:

Anonymous, 2009-03-01 20:18 UTC

You should be aware that Windows FE is not "forensically sound". You can prove this to yourself by booting any non-Windows system with it and hashing the drive(s) before and after booting with Windows FE.

ForensicSoft makes the only forensically sound write-blocked Windows boot disk in existence.

DC1743, 2009-03-18 08:48 UTC

It is easy to take issue with sweeping statements.

Windows FE may write a disk signature to a partitioned disk, if the disk does not already have a signature. The disk signature starts at 0x01B8. The partitioned space—volumes—are not written to.

The read-only switch in Diskpart also writes a byte to the hard drive that makes that hard drive read-only to Windows.

For these reasons the whole device hashing approach may result in differing hash values - however this behavior does not necessarily make the use of Windows FE forensically unsound.

Claus V., 2009-03-22 02:01 UTC

Hi DC1743.

Loved your round of Win FE posts. Your great posts actually inspired me to dig and pull out the details of (and how to create) a Win FE disk of my own.

I'm not a forensics expert, instead just a lowly sysadmin, but my work with Win PE building and understanding the value of forensic techniques in the sysadmin grind keeps me actively following the best of the Windows forensics blogs.

Anyway, I also got a comment on my Win FE blog post similar to the one you received above.

Your response and the comment challenged me to validate the statement made and see with my own eyes what the case was.

I posted the results of my limited testing on my blog to see if the claims against Windows FE not being "forensically sound" were true.

Posted the results here:

Windows FE: Forensically Sound? - Grand Stream Dreams blog
http://grandstreamdreams.blogspot.com/2009/03/windows-fe-forensically-sound.html

In summary: based on my humble and simple test, Win FE appeared to come out clean in my MD5 hashing tests of both a Windows system and a non-Windows system and matched the same MD5s generated by DEFT Linux forensics LiveCD results.

I'd be honored to have your review and perspective of my observations as you seem to be a real Windows forensics specialist and quite knowledgeable on these matters.

If I've made any glaring omissions or mistakes, I would value them so I could be accurate.

Cheers.

–Claus V.