Hello All,
Before starting, I should make it clear that the job I've been asked to do does not have any legal implications and I'm undertaking it on a best efforts-only basis (which the person is happy with).
In brief, I've been asked to try and extract and repair some JPEGs which have become corrupted on a USB flash drive. I'm aware that I'd need some kind of additional hardware if I wanted to make sure that I didn't write back to the drive but this isn't an issue in this case.
I'm taking the job on as a favour and want to try and use my Windows XP machine to carry out the imaging and repair work. I've put off moving over to Linux for the moment but have got a copy of Knoppix 5.1 to hand if necessary. My questions are:
1. Is XP a suitable platform for this type of work?
2. If so, can anyone recommend any free or open source tools for XP?
3. Is there anything on the Knoppix CD that might be of immediate use to me (such as drive imaging tools, HEX editors, etc.)?
I don't mind spending a bit of time researching the options but I'd appreciate some initial guidance just to make sure I'm heading in the right direction. My intention is to try and use this job as a "test run" so I can find my feet before I start taking on any more of this kind of work in the future. Just in case it's not obvious from the tone of my message, I *do* have a good understanding of the legal implications of digital forensics work (I've worked as a network security consultant) but this job represents one of those "I know I should be able to do it but I haven't yet" moments for me - which also explains why I haven't moved over to Linux yet either.
Many Thanks,
Neil
Greetings,
You might want to look at this thread on free tools:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2295
And XP is a very common platform for doing analysis.
-David
Hello All,
Thank you for the information that everyone's provided - the tools I've been recommended in addition to the Windows Incident Response article seem like excellent starting points. There's hope for me yet it would appear!
Many Thanks,
Neil
In brief, I've been asked to try and extract and repair some JPEGs which have become corrupted on a USB flash drive. I'm aware that I'd need some kind of additional hardware if I wanted to make sure that I didn't write back to the drive but this isn't an issue in this case.
…snip…
1. Is XP a suitable platform for this type of work?
Sure, why not?
2. If so, can anyone recommend any free or open source tools for XP?
You could probably do this with nothing more than FTK Imager and scalpel.
Good luck.
H
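What a header/footer carve of the kind suggested in the post above does to a raw drive image, as an added example that is not part of the thread and not scalpel's own code. The function names and the sample bytes are constructed for illustration; the sketch assumes the drive has already been imaged to a file and only the image bytes are being read.

```python
import hashlib

SOI = b"\xff\xd8\xff"  # start-of-image marker plus the lead byte of the next marker
EOI = b"\xff\xd9"      # end-of-image marker

def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Return (offset, length, complete) for each JPEG candidate in raw bytes."""
    found = []
    pos = image.find(SOI)
    while pos != -1:
        limit = min(len(image), pos + max_size)
        depth, cursor, end = 1, pos + len(SOI), None
        while cursor < limit:
            next_soi = image.find(SOI, cursor, limit)
            next_eoi = image.find(EOI, cursor, limit)
            if next_eoi == -1:
                break  # no footer in range: truncated or damaged file
            if next_soi != -1 and next_soi < next_eoi:
                depth += 1  # embedded thumbnail opens a nested SOI/EOI pair
                cursor = next_soi + len(SOI)
                continue
            depth -= 1
            cursor = next_eoi + len(EOI)
            if depth == 0:
                end = cursor
                break
        if end is None:
            found.append((pos, limit - pos, False))  # keep the fragment for repair
            pos = image.find(SOI, pos + len(SOI))
        else:
            found.append((pos, end - pos, True))
            pos = image.find(SOI, end)
    return found

def build_sample_image():
    """Constructed test data: one JPEG-like blob with a thumbnail, one truncated."""
    thumb = SOI + b"\xdb" + b"T" * 8 + EOI
    full = SOI + b"\xe1" + thumb + b"D" * 16 + EOI
    broken = SOI + b"\xe0" + b"X" * 12  # footer missing
    return b"\x00" * 512 + full + b"\x00" * 100 + broken

if __name__ == "__main__":
    image = build_sample_image()
    for offset, length, complete in carve_jpegs(image):
        digest = hashlib.sha256(image[offset:offset + length]).hexdigest()
        print(offset, length, "complete" if complete else "fragment", digest[:16])
```

Entries flagged as fragments are the ones likely to need manual repair in a hex editor; hashing each carved range gives a record of exactly which bytes were extracted from the image.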
I highly recommend
Ronan
You might also want to look at these registry keys on your XP machine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
Key name: WriteProtect
You'll probably have to create that key, I don't think it is there by default.
The key WriteProtect needs to be a dword value and the value "0" enables writing to USB and "1" disables writing to USB devices.
You could also create two plain text files with a .reg extension to enable and disable writing to USB easily with the following contents:
For write protect "off":
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000000

For write protect "on":
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001

You should get an error message telling you that you cannot write to this device, or something similar when you attempt to write to a USB device with that key enabled.
Great post SleepParalysis, thanks. I'd just like to caution the OP to test the writeblocking on another USB device first.