SAFE Boot Disk by ForensicSoft

SAFE Boot Disk User's Guide

Introduction
SAFE Versions
SAFE Startup
Tools Disk
Adding Drivers
The SAFE Explorer
Taking Notes
Command Line Options
Microsoft® Task Manager
The SAFE Log
SAFE Shutdown

Introduction to the SAFE boot disk

Welcome to ForensicSoft's System Acquisition Forensic Environment (SAFE) boot disk, the first and only forensic product of its kind! The SAFE boot disk (available on CD or USB) is designed to boot any Intel®-based computer into a forensically sound Microsoft Windows® environment. All disks attached to the booted system, fixed and removable, are write-blocked by the SAFE software write-blocking engine at boot time, as is any disk attached at any time while the SAFE environment is running.

The SAFE boot disk allows for write-blocked acquisition, triage and/or analysis of any attached disks, including IDE (PATA and SATA), SCSI, USB, IEEE 1394, SAS, Fibre Channel, flash media, etc. This includes hardware RAID arrays, which can be acquired and/or analyzed in the SAFE environment as a single array rather than acquiring the individual member disks and then attempting to rebuild the array before it can be analyzed. Because Windows® device drivers are readily available for virtually all disk controllers (SAS, SCSI, SATA, etc.), with the SAFE boot disk you should rarely, if ever, find yourself unable to forensically image a RAID array for lack of a driver, a common problem for forensic examiners using Linux-based boot disks.

Since the SAFE boot disk is built on a Microsoft Windows® environment, you can use your favorite GUI forensic tools, such as EnCase®, FTK® Imager and X-Ways® Forensics, with zero learning curve, and be performing on-site acquisition, triage and analysis immediately. The user-error risks that come with Linux-based boot disks, such as a typo in a command line tool like "dd" or confusing /dev/sda with /dev/sdb (or similar), do not exist within the SAFE boot disk environment.

Once you start using the SAFE boot disk you will wonder how you ever imaged a laptop or server without it!
[back to top]

SAFE Versions

The SAFE boot disk is sold in two different versions, the Consultant version and the Enterprise version. Both versions require a dongle to be attached in order to enable full functionality. Without this dongle, the system will start in trial mode so that the software can be evaluated.

SAFE can be installed on either:

Trial Mode

If a valid SAFE dongle is not detected during the boot process, you will have the option to continue booting and activating trial mode. In trial mode, the system will automatically shut down after 15 minutes, at which point you will be given the option to save the log.

Trial mode also has the following limitations:

Licensed Versions

With a valid dongle attached, full SAFE functionality will be enabled. All disks can be un-writeblocked, networking functionality can be used, and the system will operate for 72 hours before it automatically shuts down.

The differences between the two license types are:


[back to top]

SAFE System Startup

The SAFE environment is contained in a compressed image on the boot CD or USB disk. When any system is started using the SAFE boot disk, the image will be decompressed into the RAM of the booted system, creating a virtual "X:\" drive containing the SAFE OS. SAFE requires a minimum of 384MB of RAM to create the required RAM disk and successfully boot the SAFE environment.  Although 384MB of RAM is sufficient for booting a system, it is recommended that the booted system have 512MB of RAM or more to minimize low memory issues.

Due to I/O speed differences, booting the SAFE environment from a bootable SAFE USB disk is much faster than booting from a SAFE boot CD, as uncompressing the OS image from a CD can be slow.

All attached disks, fixed and removable, are immediately write-blocked using the SAFE software write-blocking engine, during boot time as well as any disks attached at any time while the SAFE environment is running.

Once the system is started, a prompt will ask to enable networking for the session. By default, all network adapters are started as disabled. If yes is selected, these adapters will be enabled and the system will attempt to obtain an IP address via DHCP if a DHCP server is available.

At this point case information is entered and the system will detect and log all devices on the system. The log is initialized in RAM as an append-only file, so existing entries cannot be unintentionally modified.

The SAFE boot disk will now detect attached hardware and complete the loading of the SAFE environment.

[back to top]

Tools Disk

The SAFE boot disk environment supports many third-party Windows® tools. A current list of tested and supported tools can be found on the 3rd Party Tools Page.  However, many additional applications designed for Windows® XP may also work in the SAFE environment beyond those tested by ForensicSoft.  As additional tools are tested, they will be added into the SAFE Tools Disk Creator application. Using the automated SAFE Tools Disk Creator or manual instructions provided by ForensicSoft, you will be able to create a customized USB tools disk for use with your SAFE boot disk. When SAFE detects the existence of a tools disk, either at startup or inserted at any time during runtime, the selected tools will automatically be installed to the RAM drive and be enabled for use. All tools can be launched from the appropriate folder on the Y drive letter once installation is complete.

Note that you may place a tools drive on the same USB drive as a bootable SAFE image. To do this, run the executable to create the bootable SAFE image, then run the executable to create a tools disk. The two executables must be run in that order (because the boot image creator always formats the entire drive).
[back to top]

Adding Drivers

Most devices attached to the system will automatically be recognized and installed during startup. For any device whose driver is not included on the SAFE boot disk, such as a new mass storage disk controller, simply place the Windows® driver on an external disk (typically a USB thumb drive or CD) and attach it to the machine running SAFE. Click the "Add Driver" button on the main menu and browse to the .inf file for the desired device. The system will then install the driver and automatically attach it to the correct device, enabling it for use.

[back to top]

The SAFE Explorer

The main application and central forensic control center of the SAFE boot disk is the SAFE Explorer.  Using the SAFE Explorer, you can perform the following functions:

Blocking/Unblocking Disks

The write protection status (blocked/unblocked) of every physical disk is shown in the left pane of the SAFE Explorer. A blocked disk is indicated by a gold padlock icon to the left of the physical disk's description; an unblocked disk is indicated by a gray disk icon. Upon booting any system with the SAFE boot disk, all attached disks will automatically be in a write protected (blocked) state. To change the write protection status of any disk, select the disk in the left pane and click the "Block/Unblock" button on the SAFE Explorer toolbar. If unblocking a blocked disk, you will be prompted to confirm that you wish to unblock the disk, and a corresponding entry is made in the SAFE log. If blocking an unblocked disk, you will be reminded to close any applications that may be accessing the disk before further writes to it are blocked; again, a corresponding entry is made in the SAFE log.

HPA/DCO

If any IDE disks are attached to the system via an IDE disk controller, each disk can be interrogated for its capacity and for the existence of an ATA Host Protected Area (HPA), a Device Configuration Overlay (DCO), or both. If an HPA, DCO or both exist, you can temporarily open them using the "HPA/DCO" button on the SAFE Explorer toolbar to allow acquisition and/or analysis of any data hidden by them. Select the desired IDE physical disk in the left pane of the SAFE Explorer and click the "HPA/DCO" button. If an HPA, DCO or both exist, their presence and size are shown as red portions of the displayed bar.

Move the slider to the right (past the red portion(s)) and click "Apply" to temporarily open the hidden disk area. After a short "refresh" delay, the disk will be re-detected within the SAFE Explorer, now showing the true full capacity of the IDE disk. You may now acquire, search, or otherwise analyze the entire IDE disk. When you have completed your desired processing, return to this IDE information dialog box and move the slider back to its original position to return the IDE disk to its original HPA/DCO state.

Hashing Disks or Files

Using the SAFE Explorer you can calculate either an MD5 or SHA1 hash of any physical disk or file. To hash a physical disk, select the desired physical disk in the left pane of the SAFE Explorer and click the "Hash" button on the SAFE Explorer toolbar. Choose either the MD5 or SHA1 option and click "OK". Once the hash calculation is complete, a dialog box will display the result and a corresponding log entry will be made in the SAFE log. Note that practical collision attacks are known against both MD5 and SHA1; record whichever algorithm your lab's procedures require, and both where they permit.

To hash a file, browse to the desired disk, partition and folder in the left pane of the SAFE Explorer. Select the desired file in the right pane of the SAFE Explorer and click the "Hash" button on the SAFE Explorer toolbar. Choose either the MD5 or SHA1 option and click "OK". Once the hash calculation is complete, a dialog box will display the result and a corresponding log entry will be made in the SAFE log.

Drive Preparation

Using the "Drive Prep" button on the SAFE Explorer toolbar, you can wipe, partition and format your target disk to prepare it for receiving evidence.  If the disk is blocked, you must remove the write protection first, using the Blocking/Unblocking steps described above in the "Blocking/Unblocking Disks" section of this help file before you can prepare the drive.

Once the desired disk is unblocked, select the disk in the left pane of the SAFE Explorer and click on the "Drive Prep" button on the SAFE Explorer toolbar to start the "Drive Preparation Wizard".  Click "Next", select the desired operations you wish to perform on the disk and click "Next".  You will be asked to confirm the actions you wish to perform on the disk and must click "OK" to continue or "Cancel" to abort the operations.

As the disk is wiped, a status dialog box will display showing you the operation's progress.  Once all operations are completed, a dialog box will display confirming the success/failure of the actions and a corresponding log entry will be entered into the SAFE log.

File Searching

The SAFE Explorer provides for basic file searching using Filename, Extension and MAC dates/times as search criteria.

Basic File Operations

The SAFE Explorer provides for basic file and folder operations including the ability to Copy, Move, Delete, Rename and Create files and folders. These operations can be performed in a variety of ways in the SAFE Explorer, using the options under the File and Edit menus and/or by right-clicking a given file, folder or partition in the left or right pane. Of course, to perform any of these operations other than copying files from a write protected (blocked) disk, you must unblock the disk before making any changes to it.
[back to top]

Taking Notes

Notes can be taken using the Microsoft® Notepad application, which is available via the "Notepad" button on the main menu. Simply save the text file to any unblocked target drive when you are done.

[back to top]

Command Line Options

Many common Windows® command line applications are built into SAFE. These include but are not limited to:

To open a command prompt, simply click on the "Command Line" button on the main menu.

A full list of available applications can be found by typing "dir x:\Windows\System32\*.exe" in the command prompt window. Built-in help for any of the command line applications can be displayed by typing the command followed by /? (for example, "dir /?").
[back to top]

Microsoft® Task Manager

Microsoft® Task Manager is available to monitor or end running applications and processes, or to start new tasks, just as in Microsoft Windows. Task Manager can be opened via the button on the main menu, or by pressing the Alt-Tab key combination at any time while in the SAFE environment.

[back to top]

The SAFE Log

During startup an XML log is created and automatically records various items, including the Case Information you entered at SAFE startup, which documents the system BIOS date and time and any time discrepancy noted by the investigator. All detected system hardware is added to the XML log, and every operation performed in the SAFE Explorer environment is logged. For example, the log records the un-writeblocking of a target disk, the creation of a new folder on that disk, and the copying of a file from the system's C:\ drive to the examiner's target disk.

The log is stored in XML format and can be converted to HTML for easy viewing. To view this log, press the "View Log" button on the main menu. Within the SafeLog viewer you have the ability to search for text strings using the magnifying glass icon on the SafeLog toolbar or using the menu option Edit/Find. At any time you may manually add additional information into the log by clicking on the paperclip icon on the SafeLog toolbar or selecting the menu option Edit/Enter Log Comment. Using the SafeLog application you may only add comments to the log and may not remove or change any existing log content at any time.

The SafeLog viewer allows you to view the log in HTML format using the HTML viewer built into SAFE. Simply press the "View as HTML" toolbar button or select the menu option View/View Log as HTML.

Saving the Log

The XML log is temporarily stored in the X:\Log folder, which is located on the RAM drive created by SAFE during boot time. Within the SafeLog application you have the ability to manually save the XML log to any disk at any time prior to shutdown, provided you remove the write blocking from the disk to which you want to write the log, using the menu option File/Save As.  You will automatically be prompted to permanently save the log when SAFE is shut down.

If you click "Cancel" you will be asked to confirm that you really do not wish to save the log.

If you do choose to save your log during shutdown, you will be asked whether or not you need to unblock the write protection of the attached disk to which you will write the log (in case it has not already been unblocked by you).

Once you have an unblocked disk to which you can write your log file, you will browse to the location and save the .XML file. The log file itself will be saved in XML format, along with an HTML version of the log as well as files that facilitate the HTML conversion. The log will also be hashed using MD5 and a copy of this hash will be saved in a separate file.
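The hash values SAFE displays (see "Hashing Disks or Files" above) and the MD5 it saves beside the XML log are only useful if someone later recomputes them. The following Python script is an added example, not ForensicSoft's code and not part of the SAFE log format: it streams a file through MD5 or SHA1, picks the algorithm from the length of a recorded digest, and checks a saved log against its sidecar hash file. The sidecar layout (the digest as the first token of the first non-empty line) and the file names used in the demo are assumptions, not taken from this guide.

```python
"""Recompute and verify the MD5/SHA1 hashes that SAFE records for disks,
files and its saved XML log.

This is an added example, not code from ForensicSoft or the SAFE product.
Assumptions not stated in the user's guide: the hash sidecar saved beside
the XML log holds the hex digest as the first whitespace-separated token of
its first non-empty line, and the file names used in the demo are made up.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in RAM


def hash_bytes(data, algo="md5"):
    """Hex digest of an in-memory buffer with "md5" or "sha1" (SAFE's two options)."""
    if algo not in ("md5", "sha1"):
        raise ValueError("SAFE records MD5 or SHA1 only")
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo="md5"):
    """Hex digest of a file, streamed in chunks (works for raw images too)."""
    if algo not in ("md5", "sha1"):
        raise ValueError("SAFE records MD5 or SHA1 only")
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def algo_for_digest(digest):
    """Choose the algorithm from the digest length: 32 hex chars = MD5, 40 = SHA1."""
    digest = digest.strip().lower()
    if len(digest) == 32:
        return "md5"
    if len(digest) == 40:
        return "sha1"
    raise ValueError("not an MD5 or SHA1 digest: %r" % digest)


def hash_matches(path, expected):
    """True when the file, rehashed with the matching algorithm, equals `expected`."""
    expected = expected.strip().lower()
    return hash_file(path, algo_for_digest(expected)) == expected


def read_sidecar_digest(sidecar_path):
    """Digest recorded in the sidecar file (assumed format, see module docstring)."""
    with open(sidecar_path, "r", encoding="utf-8", errors="replace") as f:
        for line in f:
            if line.strip():
                return line.split()[0]
    raise ValueError("no digest found in %s" % sidecar_path)


def verify_log_bundle(xml_path, sidecar_path):
    """Verify a saved SAFE log against the MD5 recorded beside it."""
    return hash_matches(xml_path, read_sidecar_digest(sidecar_path))


def run_demo():
    """Constructed demo: verify a stand-in log, then detect a post-save edit.

    Returns (untouched_ok, tampered_ok); the second must be False.
    """
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "SafeLog.xml")          # made-up file names
        side = os.path.join(d, "SafeLog.xml.md5")
        with open(log, "wb") as f:
            f.write(b"<SafeLog><Comment>constructed sample</Comment></SafeLog>")
        with open(side, "w", encoding="utf-8") as f:
            f.write(hash_file(log) + "  SafeLog.xml\n")
        untouched_ok = verify_log_bundle(log, side)
        with open(log, "ab") as f:                    # simulate tampering
            f.write(b"<!-- edited after the fact -->")
        tampered_ok = verify_log_bundle(log, side)
    return untouched_ok, tampered_ok


if __name__ == "__main__":
    print("untouched log verifies, tampered log verifies:", run_demo())
```

Run this on the examination workstation after copying the saved log bundle off the target disk; nothing here runs inside SAFE itself. The same hash_matches() check applies to an acquired image whose MD5 or SHA1 you read from the SAFE hash dialog or log.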
[back to top]

SAFE System Shutdown

To shut down the system you have booted with SAFE, at any time, simply click the "Shutdown System" button on the main menu.

You will be prompted about saving your log, as discussed above in the SAFE Log section of this help file.

After you choose to save your log or not, you will finally be reminded to take your CD, removable media, and SAFE dongle with you.

[back to top]