DiskPatch Forensic Mode


Starting DiskPatch in Forensic Mode 

Normally DiskPatch writes an administrative sector on each hard disk it detects. While this is harmless in day-to-day use, forensic software must not alter the contents of the source disk in any way. To guarantee this, DiskPatch does not create an administrative sector on any disk attached to the system when it is run in Forensic mode. As a consequence, features that depend on the administrative sector are not available in this mode (for example, saving state files; see the chapter that covers disk and state file selection).
If you need to clone a disk for forensic purposes you should always select 'Forensic mode'!

To run DiskPatch in forensic mode, select "DiskPatch options (troubleshooting)" from the main start menu (the menu that appears after you start from the DiskPatch diskette, CD/DVD or bootable USB key) and then select "Start DiskPatch in forensic mode".

In Forensic mode, DiskPatch asks the user to select a disk that should be protected. The user must select a disk or exit the program. The protected disk cannot be altered during any DiskPatch operation, which ensures that its contents remain untouched. The protected disk is also safe from accidentally being selected as the target of a clone or wipe operation.

Disk cloning for forensic purposes (evidence acquisition)

DiskPatch has all the tools on board that are needed to create a reliable forensic clone.
The following list gives the minimum requirements for a forensic clone, each with the DiskPatch procedure that meets it:

Requirement: the destination disk is clean before any data is copied to it; no 'leftover' data may contaminate the clone.
Action: wipe the destination disk with the DiskPatch wipe feature before starting the clone procedure.

Requirement: the source disk must not be altered at any point during the cloning procedure, or at any time while DiskPatch is active.
Action: start DiskPatch in forensic mode before starting the clone procedure; forensic mode ensures that the source disk is not changed in any way while DiskPatch is running.

Requirement: the clone must be verified as completely identical to the original source disk.
Action: use the 'verify clone' procedure immediately after the clone procedure has finished. DiskPatch compares both disks byte by byte and alerts you at the first inconsistency it finds.

Methods

  • DiskPatch uses the BIOS Ext13H (extended INT 13h) interface to access the hard disk.
  • DiskPatch creates a so-called 'bit-stream' copy: all information read from the source is copied one to one. The file systems on the source disk are therefore irrelevant; whatever the file system, all readable data is copied.
  • DiskPatch does not 'cylinder align' the copied partitions. If at a later stage the disk layout (partitioning) on the clone needs to be analyzed while the clone is attached to a PC that uses a different disk geometry, DiskPatch can be configured to assume that geometry.
  • If a sector cannot be read during the cloning process, the read/write buffer is filled with null bytes (ASCII character 0) and the string 'CLNSRCRDSERR', and this buffer is written to the destination disk in place of the unreadable sector. All read errors are logged. The string 'CLNSRCRDSERR' makes it easy to identify any files that were affected by unreadable sectors: simply search the clone for occurrences of 'CLNSRCRDSERR'.
  • If data was ECC/CRC corrected during a read, this is logged.
  • DiskPatch stops the copy once the last sector of the smaller of the two disks has been read and written.
  • If a write error is encountered on the destination disk, the clone is aborted.
  • The ranges that were copied or compared are logged.

Suggested Procedure

In this procedure the following naming conventions are used:
- Source Disk: the suspect hard disk, the disk that needs to be analyzed or copied.
- Destination Disk: the target disk for the clone operation.
- Forensic Computer: the designated PC that will perform the Forensic Operations using DiskPatch.

  • Disconnect the disk to be examined from the suspect's computer, label it (so the disk can be identified later) and store it safely.
  • Attach the *destination* disk to the forensic computer. If it has not yet been sanitized, use the DiskPatch wipe feature to do so now.
  • Attach the *source* disk (make sure the source and destination disks are properly jumpered).
  • If required, use your preferred application to compute a cryptographic hash of the *source* disk.
  • Boot the forensic computer from the DiskPatch boot disk and start DiskPatch in forensic mode.
  • When prompted to select a disk to be locked, select the *source* disk.
  • Then select the *source* disk (the same disk you just 'protected') using the [Select Disk] menu.
  • Select [Disk related tasks], [Clone], select the *destination* disk from the list, enter a range (accept the defaults to clone the entire disk, which is recommended for forensic cloning), select the Clone Type, and Confirm.
  • In forensic mode, after the disk has been copied successfully, use the 'verify clone' procedure to make sure that both disks now contain the same data over the area that was copied.
  • If required, use your preferred application to compute a cryptographic hash of the *destination* disk. Note: comparing the two hashes only gives a meaningful result if both disks are exactly the same size; if the destination disk is larger than the source disk, hash only the area that corresponds to the source disk and exclude the rest.
  • Power down the PC and remove the source disk. Store the source disk in a safe place.
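The following Python model, added here as an illustration and not DiskPatch's own code, puts the Methods section and the procedure above together on constructed in-memory disks: a sector-for-sector bit-stream copy that substitutes null bytes plus 'CLNSRCRDSERR' for unreadable source sectors, stops at the smaller disk, aborts on a destination write error, logs the copied range and read errors, verifies byte by byte, searches the clone for the marker, and hashes only the source-sized region of a larger destination. The 512-byte sector size, the placement of the marker at the start of the substitute buffer, and the behaviour of verify on a sector that is still unreadable are assumptions of this example; the manual does not specify them.

```python
"""Toy model of a DiskPatch-style forensic clone (added example, not DiskPatch code)."""
import hashlib

SECTOR = 512                      # assumed sector size
MARKER = b"CLNSRCRDSERR"          # marker string named in the manual


class ReadError(Exception):
    pass


class WriteError(Exception):
    pass


class Disk:
    """In-memory disk; bad_read / bad_write are LBAs that fail (constructed test data)."""

    def __init__(self, data: bytes, bad_read=(), bad_write=()):
        assert len(data) % SECTOR == 0
        self.data = bytearray(data)
        self.bad_read = set(bad_read)
        self.bad_write = set(bad_write)

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read(self, lba: int) -> bytes:
        if lba in self.bad_read:
            raise ReadError(lba)
        return bytes(self.data[lba * SECTOR:(lba + 1) * SECTOR])

    def write(self, lba: int, buf: bytes) -> None:
        if lba in self.bad_write:
            raise WriteError(lba)
        self.data[lba * SECTOR:(lba + 1) * SECTOR] = buf


def substitute_buffer() -> bytes:
    """Buffer written in place of an unreadable sector: the marker followed by null bytes
    (the marker's position inside the sector is an assumption of this example)."""
    return MARKER + bytes(SECTOR - len(MARKER))


def clone(src: Disk, dst: Disk) -> dict:
    """Bit-stream copy src -> dst. Returns a log: copied range, read errors, abort LBA."""
    log = {"copied": None, "read_errors": [], "aborted_at": None}
    last = min(src.sectors, dst.sectors)          # stop at the smaller disk
    for lba in range(last):
        try:
            buf = src.read(lba)
        except ReadError:
            buf = substitute_buffer()             # unreadable: substitute, log, carry on
            log["read_errors"].append(lba)
        try:
            dst.write(lba, buf)
        except WriteError:
            log["aborted_at"] = lba               # write error on destination: abort
            log["copied"] = (0, lba - 1) if lba else None
            return log
    log["copied"] = (0, last - 1)
    return log


def verify(src: Disk, dst: Disk, sectors: int):
    """Byte-by-byte compare over the copied range; returns the first mismatching LBA or None.
    A source sector that is still unreadable is compared against the substitute buffer (assumption)."""
    for lba in range(sectors):
        try:
            expected = src.read(lba)
        except ReadError:
            expected = substitute_buffer()
        if expected != dst.read(lba):
            return lba
    return None


def marker_lbas(disk: Disk, sectors: int) -> list:
    """Sectors carrying the marker: what a search of the clone for 'CLNSRCRDSERR' would flag."""
    return [lba for lba in range(sectors) if MARKER in disk.read(lba)]


def region_hash(disk: Disk, sectors: int) -> str:
    """SHA-256 over the first `sectors` sectors only, so a larger destination can be
    compared against the source by excluding the area beyond the source's size."""
    h = hashlib.sha256()
    for lba in range(sectors):
        h.update(disk.read(lba))
    return h.hexdigest()


def demo() -> dict:
    # Constructed data: sector i of the source holds byte i+1 repeated; destinations are wiped (zeros).
    image = b"".join(bytes([i + 1]) * SECTOR for i in range(8))
    out = {}
    # Case 1: 8-sector source with LBA 3 unreadable, cloned to a larger (12-sector) wiped destination.
    src, dst = Disk(image, bad_read={3}), Disk(bytes(12 * SECTOR))
    log = clone(src, dst)
    out["read_errors"] = log["read_errors"]
    out["copied"] = log["copied"]
    out["verify_mismatch"] = verify(src, dst, src.sectors)
    out["marker_lbas"] = marker_lbas(dst, src.sectors)
    # Case 2: clean source to a larger destination; hash only the source-sized region.
    src2, dst2 = Disk(image), Disk(bytes(12 * SECTOR))
    clone(src2, dst2)
    out["hash_match_source_size"] = region_hash(src2, 8) == region_hash(dst2, 8)
    out["hash_match_full_dest"] = region_hash(src2, 8) == region_hash(dst2, 12)
    # Case 3: destination that fails to write at LBA 5; the clone is aborted.
    log3 = clone(Disk(image), Disk(bytes(8 * SECTOR), bad_write={5}))
    out["aborted_at"], out["copied_before_abort"] = log3["aborted_at"], log3["copied"]
    return out


if __name__ == "__main__":
    print(demo())
```

Case 2 is the point of the hash note in the procedure: the hash of a larger destination only matches the source hash when the hash covers exactly the source-sized region, which is why the destination's extra area has to be excluded.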

http://www.diydatarecovery.nl