We provide fully licensed copies of the following software to our students in the CCE BootCamp® training course. Be advised that this is a NEW PACKAGE of software that will be provided with the revised courseware. This will be fully implemented starting with our July 28th, 2008 class in Ft. Lauderdale, FL.
This software package normally retails for over $2,500.
These are all of the tools needed to complete your forensic training as well as the CCE Certification process. This valuable toolset is included in the price of the CCE BootCamp®.
Previous Software (Replaced by SMART)
This will be discontinued following June 23rd, 2008 Bootcamps
FSUITE - Forensic Utilities
FSUITE forensic software was specifically written for forensic examinations and is currently being used by hundreds of forensic examiners worldwide. These utilities are DOS based. See why below. FSUITE consists of 5 utilities:
- WIPER - a forensic wiping utility
- LISTDRV - lists the contents of an entire drive
- CHKSUM - 64-bit checksum utility
- FREESECS - copies unallocated space to files for examination
- DISKDUPE - a diskette duplication utility
- WIPER - a disk utility that will completely erase all information on a logical or physical drive by overwriting each and every byte with a user-selectable character. The program is written entirely in assembly language and therefore is small and fast. It uses the BIOS disk services, even for the logical drives, and thus will wipe a drive regardless of the operating system format. The user may select a one-pass wipe, using the default character of 00 or a character entered by the user, or a "secure", seven-pass wipe. The "secure" wipe uses alternating ones and zeros for six passes, then finishes the process with a pass using the user-selected character or zero, leaving a completely blank drive, except for the low-level formatting information. The speed is about 3 to 4 minutes per GB per pass for a hard drive.
- LISTDRV - an assembly language utility that examines a logical drive, or several logical drives on a physical drive, for FAT12, FAT16, or FAT32 files. As they are found, they are saved to a comma-delimited and quotation mark-delimited file prepared for importation into a database program or a spreadsheet program such as EXCEL, for any desired manipulation. LISTDRV will also list deleted files if desired. The listing includes the complete path, the long file name, if present, the alias or short file name, and the other date, time, size, and location information. If removable media is used to save the listing file, LISTDRV will span multiple disks.
- CHKSUM - an assembly language disk utility that calculates a 64-bit checksum for a physical or logical disk drive. When used in conjunction with WIPER, it is an excellent tool for verifying that media contains no data before making a forensic copy to that media. It is also an excellent tool for verifying that exact forensic copies were made from the original media to the copy.
- FREESECS - an assembly language disk utility which searches a specified logical drive for the unallocated or free space, and saves the information contained in unallocated space to one or more files. FREESECS can additionally search any physical drive (regardless of the operating system) and save all the information contained on all sectors to one or more files. FREESECS, when used at a physical level, is an excellent inexpensive acquisition tool for Access Data's Forensic Tool Kit (FTK).
- DISKDUPE - an assembly language utility that makes an exact forensic copy of floppy diskettes.
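An added example (not part of FSUITE or the course materials) that models the WIPER one-pass and seven-pass patterns and the CHKSUM-style checks on a constructed in-memory image; SHA-256 stands in for CHKSUM's 64-bit checksum (an assumption), and the image is a file-like object so the same code applies to any seekable device or image file.

```python
import hashlib
import io

CHUNK = 1 << 16  # process the image in 64 KiB pieces


def make_image(data: bytes) -> io.BytesIO:
    """Constructed in-memory stand-in for a logical or physical drive."""
    return io.BytesIO(data)


def wipe(dev, size, char=0x00, secure=False):
    """Overwrite the first `size` bytes of `dev`.
    One pass with `char`, or (secure) six alternating 0xFF/0x00 passes
    followed by a final pass with `char`: the seven-pass pattern WIPER describes.
    Returns the number of passes written."""
    passes = [0xFF, 0x00] * 3 + [char] if secure else [char]
    for fill in passes:
        dev.seek(0)
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            dev.write(bytes([fill]) * n)
            remaining -= n
        dev.flush()  # on a real device, each pass must reach the media before the next
    return len(passes)


def digest(dev) -> str:
    """Whole-media hash; SHA-256 stands in for CHKSUM's 64-bit checksum (assumption)."""
    dev.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: dev.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def is_blank(dev, char=0x00) -> bool:
    """CHKSUM-after-WIPER check: every byte must equal the wipe character."""
    dev.seek(0)
    blocks = iter(lambda: dev.read(CHUNK), b"")
    return all(block.count(char) == len(block) for block in blocks)


def copies_match(src, dst) -> bool:
    """Verify that a forensic copy is byte-for-byte identical to the original."""
    return digest(src) == digest(dst)
```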
WIPER, CHKSUM, and FREESECS are DOS-based utilities, but they bypass the operating system and can work on any media format type at a physical level. They can run from a DOS box in Windows 9X, by exiting Windows to a DOS prompt, or by running after booting with a DOS boot disk to a real mode DOS prompt. FREESECS and LISTDRV are being modified to recognize the NTFS file system used by Windows NT, 2000, and XP. WIPER and CHKSUM need only minor modifications for NTFS capability, and DISKDUPE needs no modification since it only works on FAT12 floppy diskettes. A new utility, as yet unnamed, that will make forensic copies of hard drives, is under construction.
Why are these and many other forensic utilities DOS based?
When conducting a forensic examination, the examiner must have total control over what the operating system is doing when the original media is accessed. Any alteration to the original media is not acceptable during a forensic examination. Direct access of the original media during a forensic examination is normally done at a low level, frequently at a DOS level. This is because all versions of Windows, even Windows 95 and Windows 98, will attempt to write, or will directly write, to any other fixed drive media on a computer during the normal Windows boot process. These writes occur even if the original media is located as a second, third or other drive on the computer.
Most forensic examiners use a modified 32-bit FAT operating system "real mode" boot disk. During our course, we show you how to make some modifications to the IO.SYS file on the Windows 98 boot diskette to prevent DriveSpace from loading compressed drives and to prevent some other operating system writes to the original media. The ME and later versions of DOS do not allow that level of control. Therefore, the Windows ME, Windows 2000, Windows NT or Windows XP versions of DOS should not normally be used for access to the original media. Our utilities are designed to operate in a "real mode" DOS environment to prevent these inadvertent writes to the original media.