Removable, Bootable Media
by Kim Schaffer
The floppy drive is important from a computer forensics or analysis standpoint in that it enables the investigator to take control of the computer system without modifying computer-related evidence. When installed on a standard bootable floppy disk, programs such as NTA Stealth, TextSearch Plus and TextSearch NT allow the investigator or security specialist to analyze the hard drives directly, with minimal hardware and software. The information gathered from the drives is written back to the floppy. Once a floppy is full, the program asks for a new floppy and continues writing the information. When the investigator returns to the office, the files created on the floppy disks are combined on a hard disk where the information can be analyzed using Windows or DOS-based analysis tools. The use of floppy diskettes eliminates the need for computer forensics data capture hardware, software dongles and other complex processes. Many times a computer forensics laboratory setting is not required or desired. That is where bootable removable storage devices come into play.
As the size of hard disk drives increases, the amount of information available for recovery also grows. In the case of large hard disk drives, carrying and processing additional floppies becomes burdensome. To simplify this process, it becomes attractive to use a device that can quickly boot a computer and that also has significant data storage space. USB flash devices are now available that can easily replace the internal floppy drive in many systems. In addition to having much larger storage capacities, these devices also operate at faster speeds. Most USB Flash memory drives and mini-drives are also physically smaller than a floppy diskette, as illustrated here:
These graphic illustrations were created and donated for use by NTI's clients by Dr. Henry B. Wolfe, Associate Professor, Computer Security & Forensics, Information Science Department, School of Business, University of Otago, Dunedin, New Zealand. His efforts and authorization to use these illustrations are appreciated.
Although many of these storage devices pose computer security risks in government and business (see the article posted at http://www.forensics-intl.com/art22.html), they provide individuals with advantages and new potential in the field. These benefits are especially valuable to probation and parole officers who have the difficult job of monitoring the computer and Internet activities of convicted sex offenders. The new technologies also assist military and intelligence agencies who evaluate computer systems in the field for intelligence and military information. Because of their nature, the new USB devices can be operated covertly and no trace is left behind of their operation. This, in combination with their portability and large storage capacities, makes them ideal for use in the field. NTI has conducted research on USB storage devices for use in the field by law enforcement, probation and parole and the military. Based upon that research, NTI makes USB storage devices available for purchase for use with NTA Stealth, TextSearch Plus and TextSearch NT.
Time to change?
I'm sure you've noticed that today's computers are moving away from floppy drives. More and more computers are being sold that have no floppy drive. Since floppy disk drives have been disappearing, USB ports have been gaining wide acceptance. Once thought of as connectors for printers, mice, and even keyboards, these ports are now being used to interface external storage media such as flash drives, hard drives and even floppy drives!
Some computer hardware manufacturers no longer include floppy drives with servers, laptops, and even workstations. As built-in floppy drives give way to newer technologies, the USB interface seems to be gaining momentum. Beginning with computers manufactured after 2001, many BIOSs support booting from USB external hard disk drives, floppy drives, and zip drives. The problem is that most of this equipment is rather bulky. In response to this, some manufacturers have developed flash memory drives. This solid state hardware can be used in place of other external drives and it can be treated as a hard disk drive by the computer user. As you can see from the illustrations above, these devices are very small and some have been incorporated into other devices, e.g., pens, key chains and even a Swiss Army knife.
A USB flash drive is much faster and has a much larger storage capacity than a floppy disk. For comparison, the USB 1.1 flash drive is approximately 24 times faster than a floppy drive, and the storage sizes for USB flash drives range from 64 MB to 2 GB. The USB flash drive is so small that it can easily fit into your pocket. Unfortunately, there are still issues to be resolved before you can forget your floppy disks and only use USB flash drives. That is why NTI recommends a select few brands.
Installing a Flash Drive
Windows 2000 and Windows XP typically support USB Flash Drives without additional software. Once Windows has booted and the user is logged on, the device can be inserted in the USB port and the appropriate drivers are configured automatically without user interaction. In contrast, Windows 98/ME requires device drivers to be loaded prior to the insertion of the USB Flash drive in the USB port. Most manufacturers' drivers are unique to their devices, so consider using the same USB flash drive model for all your applications on a specific computer.
BIOSs supporting USB Flash
Booting from a USB flash drive is simple, if the computer system's BIOS supports it. With the power off, plug the USB device into the USB port on the computer. Turn the power on. During startup, a Boot Device Menu is usually available by pressing the F8 function key. Simply select the "USB drive" from the Boot Device Menu and the computer should boot from the flash drive. If a Boot Device Menu is not available after the computer system has inventoried the drives available, you may still be able to boot a flash drive by configuring the boot sequence order in the BIOS setup. After booting, the flash drive should be identified as drive "A" or "B" even though the device is not a floppy disk drive.
Generally, computers manufactured after 1999 are likely to have at least one USB port. However, the BIOS of the computer determines if a USB drive can be recognized and booted at startup time. If the BIOS supports USB flash drives, the operating system will recognize the drive as a floppy drive. A computer with a BIOS prior to 2002 is unlikely to support booting the USB flash drive.
Making a USB Flash Drive Bootable
External storage devices have been around for a long time; early drives were plugged into the parallel port of the computer system. Through BIOS selection settings or a driver loaded from a bootdisk, external drives could be accessed by the computer system. These drives supported large volumes of data stored on removable drives. Some computer manufacturers even supported BIOS which allowed booting from a removable disk for recovery of corrupted hard disk drives that were no longer bootable.
Later came USB interfaces for hard drives and floppy drives. The USB floppy drive is now becoming important as newer machines often do not include an internal floppy drive. As the computer manufacturers discontinue the inclusion of an internal floppy disk drive, they are also building in support for booting from USB devices, e.g., USB floppy drives. USB Flash drive manufacturers are taking advantage of this built-in boot support to allow the computer user to boot from USB flash drives.
Making the USB flash drive look like a floppy
Flash drives can be made bootable on a Win98 platform using SYS.EXE. From a command prompt (DOS window) type "sys drive:" where drive is the letter of the flash drive as recognized in "My Computer". When the process is completed, the PC indicates that the system files were transferred. At this point, the USB flash disk drive is bootable.
You can also boot to a USB hard disk drive or floppy disk drive using DOS. If the computer's BIOS is properly configured, the USB flash drive will be recognized as a floppy drive from DOS. Using "sys drive:" from DOS will also create a bootable flash drive. Note that in addition to Microsoft or IBM versions of DOS, FreeDOS can also be used. As the name implies, it is open source and there is no charge to use the operating system.
Note that SYS.EXE does not exist on Windows 2000 or Windows XP-based computer systems. Despite the advances in Windows 2000 and XP in mounting USB Flash drives without preloading drivers, these platforms cannot create a bootable drive. Some USB Flash device manufacturers support making bootable devices using these platforms by copying files from a bootable floppy disk, but you will need a floppy made bootable from a Windows-based computer system prior to working with the Windows 2000-based computer system.
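One way to confirm that a drive prepared with "sys drive:" really is bootable before relying on it in the field, as an added example (not NTI's code and not part of the original article): the Python below inspects a raw image of the drive, assumed to be floppy-style FAT12/16 with no partition table, and checks for the boot signature and the DOS system files. The function names, the MS-DOS/Windows 98 file names and the sample image are assumptions constructed for illustration.

```python
import struct

# Files SYS transfers on an MS-DOS/Windows 98 disk (assumption; FreeDOS uses KERNEL.SYS).
DOS_SYSTEM_FILES = {"IO.SYS", "MSDOS.SYS", "COMMAND.COM"}

def parse_boot_sector(sector):
    """Decode the FAT12/16 BPB fields needed to locate the root directory."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte boot sector")
    bps, _spc, reserved, fats, root_entries, _total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", sector, 11)
    return {"oem": sector[3:11].decode("ascii", "replace").rstrip(),
            "root_start": (reserved + fats * spf) * bps, "root_entries": root_entries,
            "jump_ok": sector[0] in (0xEB, 0xE9),            # x86 jump into boot code
            "signature_ok": sector[510:512] == b"\x55\xaa"}  # BIOS boot signature

def root_dir_names(image, bpb):
    """List 8.3 names in the fixed root directory, skipping deleted and label entries."""
    names = []
    for i in range(bpb["root_entries"]):
        entry = image[bpb["root_start"] + 32 * i: bpb["root_start"] + 32 * (i + 1)]
        if len(entry) < 32 or entry[0] == 0x00:      # truncated image or end of directory
            break
        if entry[0] == 0xE5 or entry[11] & 0x08:     # deleted, volume label or long-name slot
            continue
        base, ext = (entry[a:b].decode("ascii", "replace").rstrip()
                     for a, b in ((0, 8), (8, 11)))
        names.append(base + "." + ext if ext else base)
    return names

def assess_image(image):
    """Report whether a raw image carries a boot sector plus the DOS system files."""
    report = parse_boot_sector(image[:512])
    report["missing_system_files"] = sorted(DOS_SYSTEM_FILES - set(root_dir_names(image, report)))
    report["looks_bootable"] = (report["signature_ok"] and report["jump_ok"]
                                and not report["missing_system_files"])
    return report

def build_sample_image(names, signed=True):
    """Constructed 4-sector test image: boot sector, two 1-sector FATs, 16-entry root."""
    boot = bytearray(512)
    boot[0:3], boot[3:11] = b"\xeb\x3c\x90", b"MSWIN4.1"
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 1, 1, 2, 16, 4, 0xF8, 1)
    if signed:
        boot[510:512] = b"\x55\xaa"
    root = bytearray(512)
    for i, name in enumerate(names):
        base, _, ext = name.partition(".")
        root[32 * i: 32 * i + 11] = (base.ljust(8) + ext.ljust(3)).encode("ascii")
        root[32 * i + 11] = 0x07                     # read-only, hidden, system
    return bytes(boot) + bytes(1024) + bytes(root)
```

Pass assess_image() the bytes of an image file taken from the drive; a report with looks_bootable set to False lists which check failed in signature_ok, jump_ok or missing_system_files.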
Removal of Flash Drives
When booted from a USB Flash device, removal of the device before system shutdown creates problems and a high probability exists that the data stored on the device will be corrupted. Typically, on a USB drive, there is an LED that will flash to indicate read/write activity on the drive. Since you will typically be running from DOS, wait until the drives are no longer being accessed before shutting down the computer, then remove the USB drive and there should be no problems.
When removing the USB Flash drive from a Windows 2000 or Windows XP system, you should use the "Safely Remove Hardware" icon in the Toolbar. Not using the removal notification and then re-inserting the drive may add an additional entry in the registry. It is reported that there is a point where the drive will no longer be recognized without modification of the registry.
Windows 98 does not have caching capabilities by default. Once the initial installation is complete, a USB Flash drive can be inserted and removed from the USB port without "docking" or "undocking." Should the device drivers become corrupted, reload the device drivers by deleting any existing drivers when booted in safe mode, then reboot in normal mode and reinstall the drivers before inserting the USB device.
DOS support for USB devices
If you plug a flash drive into a USB port after booting in DOS, there is no simple way to recognize it as a drive. Device drivers for DOS are almost impossible to find and even more difficult to configure. A good place to check for the latest information on DOS USB drivers is http://www.stefan2000.com/darkehorse/PC/DOS/Drivers/USB/.
I hope you find this information to be helpful. If you have questions concerning USB devices with NTI's products, e.g., NTA Stealth, TextSearch Plus and TextSearch NT, don't hesitate to contact NTI for information and technical support. As stated previously, NTI makes tested USB flash memory storage devices available for purchase. For more information about flash memory storage devices, please review the articles posted on NTI's web site at http://www.forensics-intl.com/art16.html and http://www.forensics-intl.com/art22.html.

