Re: Hard drive write blocking in Windows

From: daniel heinonen (d.heinonenat_private)
Date: Wed Jan 09 2002 - 03:24:43 PST

    "EnCase presents several options to non-invasive acquire hard drives, many 
    of which are unique to the field of computer forensics"  [1]
    
    So I am guessing the full version would do it, or at least with certain 
    configurations.  I do know that the company produces a hardware device that 
    write protects.  This is called fastbloc [2].  Also under features it lists 
    that it can "View files without changing the file contents or time stamps" [3].
    
    I would like to say that in the past I used fat32 drivers for Winnt.  It 
    stated that it was read only.  But when you did a small change on a text 
    file it worked.  So whatever you decide to use, if you are going to use it 
    for a case, test, test, test.
    
    I know some of the above is NO DUH stuff but thought it might help 
    knowing.   If you haven't noticed by my above post, I have not had 
    experience with EnCase or Windows acquisitions so don't believe a word I say :)
    
    Regards,
    Daniel
    
    [1] Casey, H. 2001, "Handbook of computer crime investigation - Forensic 
    tools and technology" Academic Press
    [2] http://www.encase.com/html/forensic_hardware.html
    [3] http://www.encase.com/html/encase_ver3_overview.html
    
    
    At 11:57 AM 08/01/02 -0500, you wrote:
    >Hey Everyone.
    >
    >I am just learning about computer forensics on Windows platforms.  The
    >problem I have run into is not being able to block writes to hard drives
    >while in Windows.  I found PDBlock and NTFSDOS (read-only) but they both run
    >in DOS.  I have a demo version of EnCase and when it runs, it says the hard
    >drive is not mounted read-only.  Are there any utilities that run in Windows
    >or load before Windows so that a drive can be mounted read-only but still
    >accessible to programs such as EnCase?  I was hoping to find a utility for
    >Windows instead of mounting the drive read-only in Linux and then using
    >Samba to share the drive to Windows.
    >
    >Thanks in advance,
    >
    >
    >-jhs
    >
    >------------------------------------------------
    >John H. Sawyer
    >Computer Support Specialist
    >Environmental Horticulture Dept
    >University of Florida
    >jsawyerat_private
    >
    >-----------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 18:30:48 PST