ForensicSoft Announces Forensically Sound Windows Bootable Environment

ForensicSoft has announced the release of its newest computer forensic tool, SAFE. SAFE, which stands for System Acquisition Forensics Environment, is a new Windows-based computer forensic platform specifically designed to support the expanding needs of computer forensic, computer security, and litigation support professionals to confidently acquire, preview and analyze digital evidence to be presented in a court of law… Unlike conventional forensic boot disks that use superficial protection techniques, such as mounting drives as read-only, ForensicSoft’s SAFE platform employs the company’s proprietary SAFE Block software technology to block all disks at the physical level to ensure a forensically sound preview, exploration and capture of the digital evidence. Investigators can be confident that all digital evidence is unaltered during the SAFE exploration and acquisition, and therefore is reliable and defensible when presented during litigation. SAFE Block technology is the only software write-blocker to successfully pass all of the U.S. National Institute of Standards (NIST) test criteria – visit the company’s website to review these results.

SAFE uses Microsoft Windows PE, a fully licensed copy of which is included with the product. SAFE is capable of running your favorite Windows-based forensic tools such as FTK, EnCase, X-Ways, etc. With the familiar Windows user experience, SAFE requires minimal training for investigators to become proficient with its use. And, since SAFE is a Windows-based computer forensic platform, investigators have access to the widest array of drivers for existing computer hardware, and immediate availability of new Windows drivers for new computer hardware. Drivers can be added at any time during a SAFE session, requiring no special skills or the need to recompile a new boot disk.

SAFE v1.0, delivered as a CD-ROM, ISO download file, or USB bootable drive image, boots any x86-based computer from CD or USB drive. Upon boot-up, SAFE securely locks down the target computer with SAFE Block to ensure no erroneous write operations corrupt the target disk, then Windows PE is launched in a RAM disk on the target machine. Using the familiar Windows interface, disks and ports (USB, FireWire …) of the target machine can be easily unblocked or blocked throughout your investigation, with all events being logged and time-stamped. All of this is managed by the SAFE platform without removing or modifying the target machine’s hardware.

Specific benefits include:

* Familiar Windows interface requiring minimal training
* Write-blocking of all disk interfaces including SAS, RAID, Fibre Channel, and more
* Allows for non-invasive, forensically sound data capture of any target media
* Data capture and imaging at speeds of up to 4GB/min
* Natively supports NTFS and NTFS Compressed file systems, allowing examiners to write images faster and without file size limitations that exist with FAT

For more information visit http://www.forensicsoft.com or contact [email protected] or Neil Bryant, [email protected]
