Whilst using a hardware write blocker appears to be the recommended method for taking an exact (sector by sector) copy of a hard disk for evidence gathering and investigation, software-based write blockers can also be used and have some advantages -
Hardware write blockers can be expensive.
It's not always practical (or easy) to remove a hard disk - which is required in order to physically attach it to a hardware write blocker.
Tiny PXE Server can be used as a digital forensic acquisition platform - PXE booting an operating system on a client PC in order to image it. Software write blockers are often booted from external media, including USB drives and CD/DVD discs. Advantages of network booting a software-based write blocker (e.g. WinFE) include -
PXE boot support is widely implemented - having been developed in the late 1990s.
Potential boot speed advantages - WinFE can be loaded in seconds with Gigabit Ethernet adapters (and infrastructure).
USB boot support, particularly on older hardware, can be poorly implemented - some hardware may only boot at USB 1.1 speeds (if it boots at all).
Booting from a network adapter is often left enabled (in BIOS settings).
It's possible to take advantage of imaging to network storage.
In a lab environment multiple connections can be made to Tiny PXE Server - enabling multiple concurrent captures from different Evidence PCs.
Network booting WinFE (or alternative software write blockers) can be as simple as attaching the Evidence (Client) PC to a laptop via an Ethernet crossover cable - using the laptop as a Server. This allows for a high degree of portability and may be useful in digital forensic triage.
Imaging to Network Storage via (FAU) dd
FAU (Forensic Acquisition Utilities) is described by its author as follows -
"...is a collection of utilities and libraries intended for forensic or forensic-related investigative use in a modern Microsoft Windows environment. The components in this collection are intended to permit the investigator to sterilize media for forensic duplication, discover where logical volume information is located and to collect the evidence from a running computer system while at the same time ensuring data integrity (e.g. with cryptographic checksums) and while minimizing distortive alterations to the subject system...".
FAU includes nc.exe - a Netcat utility used on the Server to capture data over the network. On the Client side, dd.exe is then used to send data to nc.exe - imaging a hard disk.
Server
Start pxesrv.exe, then start nc.exe on the Server using the following command -
Where
-v - output verbose information.
-n - numeric-only IP addresses, no DNS.
-L - listen for inbound connections.
-p - listen on TCP port (3000).
-s - listen on local interface (Server IP Address - 192.168.2.1).
-O - output file (d:\image.ima).
--localwrt - enables writing output to a local fixed drive.
Screenshot of Netcat running on the server -
Client
Network boot the Client PC - loading Mini-WinFE.
Start network services if they are not started automatically (Mini-WinFE does not run the Wpeutil InitializeNetwork command at start-up).
Run dd.exe using the following command -
Where
-v - output verbose information.
bs - block size (1048576 bytes = 1 MiB).
if - input source (\\.\PhysicalDrive0 = hard disk 0).
of - destination for output (192.168.2.1 - Server IP Address).
conv=noerror - continue reading after errors.
--iport - send output to the specified TCP port (3000).
On the Fly Compression
It's also possible to use on-the-fly compression during imaging - dd.exe and nc.exe support the following compression algorithms -
zlib
zlib+
gzip
gzip+
bzip
bzip+
lznt1 (reported to be the most efficient)
lznt1+
Server side -
Client side -
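The following is an added example, not code from Tiny PXE Server, WinFE or FAU: a small Python stand-in for the dd.exe -> nc.exe exchange described in the Server and Client steps above, and for the on-the-fly compression variant in this section. The server side plays the role of nc.exe listening on a port and writing the received stream to an output file; the client side plays the role of dd.exe reading a source in bs-sized blocks and streaming it to the server. Both ends run on loopback with an ephemeral port rather than 192.168.2.1:3000, the "disk" is a constructed byte string rather than \\.\PhysicalDrive0, zlib stands in for the listed algorithms, and the SHA-256 hashing at both ends is an assumption added here so the two sides can be compared (FAU's own checksum options are not shown on this page).

```python
# Added example (not part of Tiny PXE Server, WinFE or FAU): a minimal stand-in
# for the dd.exe -> nc.exe exchange described on this page, run over loopback.
# The "disk" is a constructed byte string, not a real \\.\PhysicalDrive0.
import hashlib
import io
import os
import socket
import struct
import tempfile
import threading
import zlib

BLOCK_SIZE = 1048576          # dd bs=1048576 (1 MiB), as on the page
SECTOR = 512

# Constructed sample "disk": 4097 sectors, each filled with its own sector
# number, so the stream crosses the 1 MiB block boundary and ends with a
# partial block (2,097,664 bytes in total).
SAMPLE_DISK = b"".join(struct.pack("<I", n) * (SECTOR // 4) for n in range(4097))


def receive_image(listener, out_path, compressed=False):
    """Server side, the role nc.exe -L -p PORT -s IP -O FILE plays: accept one
    connection, write everything received to out_path and hash it on the way.
    With compressed=True the stream is zlib-inflated before it is written."""
    conn, _ = listener.accept()
    inflate = zlib.decompressobj() if compressed else None
    digest = hashlib.sha256()
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            data = inflate.decompress(chunk) if inflate else chunk
            out.write(data)
            digest.update(data)
        if inflate:
            tail = inflate.flush()
            out.write(tail)
            digest.update(tail)
    return digest.hexdigest()


def send_image(source, host, port, compressed=False, bs=BLOCK_SIZE):
    """Client side, the role dd.exe if=... of=HOST --iport PORT bs=... plays:
    read the source block by block and stream it to the listener, hashing the
    raw (uncompressed) bytes so the two ends can be compared afterwards."""
    deflate = zlib.compressobj() if compressed else None
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as sock:
        while True:
            block = source.read(bs)
            if not block:
                break
            digest.update(block)
            sock.sendall(deflate.compress(block) if deflate else block)
        if deflate:
            sock.sendall(deflate.flush())   # final zlib block, like a stream close
    return digest.hexdigest()


def image_over_network(disk_bytes, compressed=False):
    """Run server and client against each other on loopback and report whether
    the file the server wrote matches what the client read."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port instead of 3000
    listener.listen(1)
    port = listener.getsockname()[1]
    out_path = os.path.join(tempfile.mkdtemp(), "image.ima")

    server_hash = []
    server = threading.Thread(
        target=lambda: server_hash.append(receive_image(listener, out_path, compressed)))
    server.start()
    client_hash = send_image(io.BytesIO(disk_bytes), "127.0.0.1", port, compressed)
    server.join()
    listener.close()

    with open(out_path, "rb") as f:
        written = f.read()
    return {
        "bytes_sent": len(disk_bytes),
        "bytes_written": len(written),
        "client_sha256": client_hash,
        "server_sha256": server_hash[0],
        "reference_sha256": hashlib.sha256(disk_bytes).hexdigest(),
        "match": written == disk_bytes and client_hash == server_hash[0],
    }


if __name__ == "__main__":
    for compressed in (False, True):
        r = image_over_network(SAMPLE_DISK, compressed)
        print("compressed" if compressed else "raw", r["bytes_written"], r["match"])
```

The point of hashing at both ends is the integrity requirement the FAU description above calls out: the client hashes what it read from the evidence source, the server hashes what it wrote, and the two must agree before the image is relied upon. Compressing on the client changes only what travels over the wire; the hashes are taken over the uncompressed bytes, so the check is the same with or without compression.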
Other Imaging Solutions (WinFE)
Using dd.exe as described in the preceding Imaging to Network Storage via (FAU) dd section requires access to the Server to run Netcat - there is a range of other imaging alternatives available in WinFE that can write directly to a network share. These programs include -