Comments on grand stream dreams: Windows FE: Forensically Sound?

Anonymous (Troy), 2009-03-25:

Claus,

Thanks for the write-up. I am the creator of Windows FE, and I very much appreciate your testing and write-up.

I have tried to document instances where Windows FE might write to disk, as well as why. Basically, Windows FE will write a disk signature to any disk that does not already have a disk signature--that is, generally, non-Windows disks (disks that have not been attached to Windows systems). Windows disks have disk signatures, so that is why you don't see any write activity.

Troy

DC1743 (Richard), 2009-03-23:

Claus,

An interesting read.

In respect to the non-Windows testing, I was not sure exactly what was going on with the conv=noerror option. Are you saying that the drive you were testing had read errors?

I guess you may not have access to a hardware write blocker, but if you did, hashing the disk with the installed Linux OS whilst connected to one may have given you a better baseline. As things stand, we are trying to validate one form of software write blocking by using another form of software write blocking in our testing. I appreciate that the methodology may still be sound, but it gives the critics more to aim at.

Richard

Anonymous, 2009-03-22:

Awesome. Validation is key, even for hardware, so what you did was much more than cut through the FUD; you highlighted the importance of validating your tools in a very relevant way.

Anonymous (Miles), 2009-03-21:

Aloha, Claus! Excellent write-up!

I would recommend using a hardware write-blocker, especially in forensic cases. I use WiebeTech's Forensic ComboDock:

http://www.wiebetech.com/products/ForensicComboDock.php

I haven't trusted software-only solutions ever since being unpleasantly surprised by disk changes Winternals Administrator's Pak (a Windows-based bootable rescue CD) made to a system without warning.

Yours Sincerely,

Miles