Windows Forensic Boot Disk

SAFE Features

Windows Drivers.

The most common problem with Linux-based boot disks is that drivers for RAID and other disk controllers are often not included in and/or not available for common Live Linux boot CDs. Even when drivers are available, most non-Linux users would have difficulty installing any additional driver into their favorite Linux boot CD. The SAFE boot disk is based on the Windows 7 x86 operating system, and Windows drivers are readily available for all Intel-based RAID and disk controllers. SAFE comes loaded with most Windows drivers and the ability to install any additional Windows drivers with a very simple process that can be done on site at any time if needed.

NTFS File System Support.

DOS or Linux OS boot disks do not support writing to the NTFS file system, without the use of a third-party tool or experimental drivers, resulting in most examiners writing their forensic images to the FAT32 file system. Using SAFE, you have the fully functional ability to write to NTFS and NTFS compressed file systems, taking advantage of larger partition sizes, larger file size limits and the advantage of native NTFS compression. By writing directly to NTFS, SAFE saves substantial time and effort by the examiner.

SAFE Write Blocking.

The proven software write blocking technology used in SAFE Block XP has been integrated into the SAFE boot disk. This means that upon booting any machine with the SAFE boot disk, every attached disk and flash device are automatically blocked without any required user interaction. Further, this is true write blocking and not simply setting up an OS to logically mount read-only or not auto-mount like some other popular Linux boot disks.

Upon booting, if the examiner wishes to image a disk, with the click of a mouse the user simply unblocks the target disk that the examiner will write to and leaves all other disks blocked. All media is protected throughout the boot process and only become un-blocked when/if the examiner chooses to unblock a disk. If the examiner just wishes to preview and/or search the computer, then all media can be left blocked for the entire SAFE session.

Use Your Favorite Windows Forensic Tools.

Many forensic examiners have had to resort to the use of Linux boot CDs for some forensic tasks, requiring them to use DD, DCFLDD, MD5SUM, SHA1SUM and many other Linux tools they may not be comfortable with. Now with the SAFE boot CD, forensic examiners can use their favorite Windows forensic tools in the familiar Windows environment.

To add 3rd Party tools to the SAFE boot environment, you should also download the free Tools Disk Creator software.

Perform BitLocker Operations and Acquisitions

The SAFE boot disk includes the command line tool "manage-bde.exe", which allows for the detection and unlocking of BitLocker encrypted volumes, along with many other functions.

HPA and DCO Unlocking.

The SAFE boot disk identifies and provides access to Host Protected Areas (HPAs) and Device Configuration Overlay (DCOs) on IDE (PATA and SATA) disks of the booted computer. HPA and/or DCO can be temporarily removed by the investigator to provide access to the full disk for tasks such as acquisition or searching.

Case Logging.

SAFE has built-in logging that creates a forensic examiner's log file of all system attributes and various steps performed.

Built-in Tools.

SAFE's Windows environment has built in tools for exploration, viewing, and simple forensics functions.

Buy Now or Try Now