Digital Forensic Acquisition

Whilst using a hardware write blocker appears to be the recommended method for taking an exact (sector by sector) copy of a hard disk for evidence gathering and investigation, software-based write blockers can also be used and have some advantages -

Tiny PXE Server can be used as a digital forensic acquisition platform - PXE booting an operating system on a client PC in order to image it. Software write blockers are often booted from external media, including USB drives and CD/DVD discs. Advantages of network booting a software-based write blocker (e.g. WinFE) include -

Network booting WinFE (or alternative software write blockers) can be as simple as attaching the Evidence (Client) PC to a laptop via an Ethernet crossover cable - using the laptop as a Server. This allows for a high degree of portability and may be useful in digital forensic triage.

Imaging to Network Storage via (FAU) dd

This is a simple example - booting Mini-WinFE (a WinPE based Windows Forensic Environment built using Winbuilder) from Tiny PXE Server configured on a laptop - attached to the Client PC via an Ethernet crossover cable.

Forensic Acquisition Utilities -

"...is a collection of utilities and libraries intended for forensic or forensic-related investigative use in a modern Microsoft Windows environment. The components in this collection are intended to permit the investigator to sterilize media for forensic duplication, discover where logical volume information is located and to collect the evidence from a running computer system while at the same time ensuring data integrity (e.g. with cryptographic checksums) and while minimizing distortive alterations to the subject system...".

FAU includes nc.exe - a Netcat utility used on the Server to capture data over the network. On the Client side, dd.exe is then used to send data to nc.exe - imaging a hard disk.

Set up Tiny PXE Server to include Mini-WinFE using the instructions in the WinPE section of this guide (copying boot.wim, boot.sdi, boot\BCD, etc. - filename=pxeboot.n12 in config.ini).

Server setup

Start pxesrv.exe. Start nc.exe on the Server using the following command -

Where

Screenshot of Netcat running on the server -

Client

Network boot the Client PC - loading Mini-WinFE

Start network services if they are not started automatically (Mini-WinFE does not run the Wpeutil InitializeNetwork command at start-up).

Run dd.exe using the following command -

Where
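As an added example (not part of this guide, of FAU or of Mini-WinFE), the following Python script plays the role nc.exe has on the Server: it accepts one connection, writes whatever the Client streams at it to an image file and computes a SHA-256 over the bytes as they arrive, so the hash can later be compared with one taken on the Client. The loopback self-test, the output file name and the payload bytes are constructed assumptions for demonstration; the listening port is chosen by the OS in the self-test.

```python
import hashlib
import os
import socket
import threading

CHUNK = 1024 * 1024  # read size per loop iteration (1 MiB)

def stream_and_hash(src, dst, chunk=CHUNK):
    """Copy src to dst, hashing bytes as they pass. Returns (byte_count, sha256_hex)."""
    digest = hashlib.sha256()
    total = 0
    while True:
        buf = src.read(chunk)
        if not buf:          # b"" means the sender closed the connection (end of disk)
            break
        dst.write(buf)
        digest.update(buf)
        total += len(buf)
    dst.flush()
    return total, digest.hexdigest()

def receive_image(srv_sock, out_path):
    """Accept one connection on a listening socket and store the stream as a raw image."""
    conn, _peer = srv_sock.accept()
    with conn, conn.makefile("rb") as src, open(out_path, "wb") as dst:
        return stream_and_hash(src, dst)

def verify_image(path, expected_sha256):
    """Re-read the stored image and compare its hash with the one recorded at acquisition."""
    with open(path, "rb") as f, open(os.devnull, "wb") as sink:
        _, actual = stream_and_hash(f, sink)
    return actual == expected_sha256

def loopback_selftest(payload, out_path):
    """Run receiver and a stand-in client over TCP on localhost; payload is the constructed 'disk'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(zip(("size", "sha256"), receive_image(srv, out_path))))
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)              # what dd.exe would pipe into nc.exe on the Client
    t.join()
    srv.close()
    return result["size"], result["sha256"], verify_image(out_path, result["sha256"])

if __name__ == "__main__":
    print(loopback_selftest(b"\x00" * 4096 + b"constructed sample sectors", "image.raw"))
```

In real use the Client's own hash of the source device (e.g. from dd.exe) is the value handed to verify_image, so a mismatch flags a transfer or write error before the image is relied on.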

On the Fly Compression

It's also possible to use on-the-fly compression during imaging - dd.exe and nc.exe support the following compression algorithms -

Server side -

Client side -

Other Imaging Solutions (WinFE)

Using dd.exe as described in the preceding Imaging to Network Storage via (FAU) dd section requires access to the server to run Netcat - there is a range of other imaging alternatives available in WinFE that can write directly to a network share. These programs include -

To connect to a network share from WinPE the following command syntax is used -

Where -

E.g.

Document date - 28th February 2017 (DRAFT)