Data Forensics Engineering

Boot Disk

 

 

The creation of a forensic boot disk for incident response and forensic imaging is critical to any investigation. Being able to boot into a system without changing any file's access or creation dates is the first cardinal rule of a forensic investigation. Be prepared for anything.

Download your favorite Windows 98 boot disk or create a Windows 98 boot disk from a Windows 98 system; I recommend Windows 98 Second Edition.

Neutered Boot Disk procedures. 

1. Delete any programs from the boot disk that will not be needed, such as Doublespace.bin, country.sys, debug.com, etc. You really only need the following programs: Fdisk, Format, Diskcopy, Doskey, command.com, io.sys, msdos.sys. Gdisk from Norton Utilities is a good substitute for Fdisk.

2. Using a hex editor, scan io.sys, msdos.sys and command.com for any references to the C:\ drive and change each reference to A:\.

3. Using a hex editor, scan io.sys, msdos.sys and command.com for any programs with a .bin extension and replace the .bin extension with your three digit initials. This will show ownership of the disk.

4. Search command.com for the word 'starting' and change it to say 'starting forensics process', which will be the first thing you see when you're booting from a floppy. If this notice does not appear, you know that it is not booting from your floppy; turn off the equipment immediately and leave it off until you resolve the conflict.

5. Search command.com for 'Microsoft(R) Windows 98 (C)Copyright Microsoft Corp 1981-1998.' and change it to read 'Computer Forensics Services'. This will let you know your boot disk has completed its operation.

6. Create a script to record the information you need for an intrusion response.

7. Validate, using a test configuration, that your disk does not access the computer's hard drive.
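
One way to check the result of steps 2 through 5 before the test in step 7, as an added example that is not part of the original page: a Python script that scans copies of the boot files for leftover C:\ references and .bin names and confirms that the two replacement banners are present. The function names and the sample bytes are constructed for illustration.

```python
import re
import sys

# Residue that steps 2 and 3 are meant to remove. DOS names are
# case-insensitive, so the search is too.
RESIDUE = {
    "C: drive reference": re.compile(rb"C:\\", re.IGNORECASE),
    ".bin file name": re.compile(rb"[A-Z0-9_]{1,8}\.BIN", re.IGNORECASE),
}
# Banners that steps 4 and 5 put into command.com.
BANNERS = (b"starting forensics process", b"Computer Forensics Services")

def scan(data, context=12):
    """Return sorted (offset, label, printable context) for each residue hit."""
    hits = []
    for label, pattern in RESIDUE.items():
        for m in pattern.finditer(data):
            window = data[max(m.start() - context, 0):m.end() + context]
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in window)
            hits.append((m.start(), label, text))
    return sorted(hits)

def missing_banners(data):
    """Return the expected banners that do not appear in data."""
    lowered = data.lower()
    return [b.decode() for b in BANNERS if b.lower() not in lowered]

# Constructed sample bytes, not the real layout of any Windows 98 file.
SAMPLE_BEFORE = b"\x00\xebStarting Windows 98...\r\n\x00C:\\DBLSPACE.BIN\x00A:\\COMMAND.COM\x00"
SAMPLE_AFTER = (b"\x00\xebstarting forensics process\r\n\x00A:\\DBLSPACE.JQD\x00"
                b"Computer Forensics Services\x00A:\\COMMAND.COM\x00")

if __name__ == "__main__":
    # With no arguments, audit the samples; otherwise audit the named files,
    # e.g. copies of io.sys, msdos.sys and command.com taken from the floppy.
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "SAMPLE_BEFORE": SAMPLE_BEFORE, "SAMPLE_AFTER": SAMPLE_AFTER}
    for name, data in targets.items():
        for offset, label, text in scan(data):
            print(f"{name} 0x{offset:06x} {label}: {text}")
        print(f"{name} missing banners: {missing_banners(data) or 'none'}")
```

The banners are expected only in command.com, so a "missing banners" line for io.sys or msdos.sys is normal.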
 

This floppy can be used to create a bootable USB drive or CD-ROM for use in intrusions or forensic imaging. You should keep the functions for booting with CD-ROM support in the Windows 98 boot disk, allowing you to access all of the space on the CD-ROM when you create a bootable CD-ROM.

 

Send mail to  info@dataforensicsengineering.com with questions or comments about this web site.
Copyright © 2005 Data Forensics Engineering
Last modified: December 11, 2005