Slack Space

Slack space can exist when a file’s size is not a multiple of the file system’s cluster size.  As a little refresher, a sector is the smallest amount of data that a hard drive can read or write at once; in many cases, this is 512 bytes.  A cluster, which can be made up of […]

Write Blocking Using the Windows Registry

It is possible to use the Windows registry to write-protect USB mass storage devices.  An investigator can combine this USB write-blocking trick with a USB-IDE or USB-SATA adapter to protect the vast majority of evidence drives that he or she might encounter.  The write-blocking functionality was added with Windows XP SP2, and has worked […]

Imaging Using dcfldd

In this example, a 128MB USB thumb drive will be imaged on a Linux system using dcfldd onto a 1GB USB thumb drive.  dcfldd is an improved version of dd; most of the syntax is identical, with just a few functions added.  It is important to locate the name that Linux uses to refer to […]

Imaging Using FTK Imager

AccessData produces a commercial forensic examination program called the Forensic Toolkit, or FTK.  While the FTK examination program costs thousands of dollars, AccessData also offers a no-cost companion program called FTK Imager.  FTK Imager is more flexible than dd in that it allows the user to create images of physical disks, logical drives, CD/DVD drives, […]

Creating a Forensically-Sound Image

The first step in any forensic data recovery operation or computer forensic investigation is to create an exact duplicate of the media to be examined.  As a rule, analysis should never be performed on the original media, as the investigative process can make irrecoverable changes to the source data.  Since the original […]