Computer Systems Forensic Analysis

Forensic Boot Tools

DOS boot disk (obsolete, but some times required).

  • There are three files required to boot a computer into MS-DOS:

    • O.SYS,MSDOS.SYS and COMMAND.COM

  • If present are also used in the boot process:

    • DRVSPACE.BIN or DBLSPACE.BIN, CONFIG.SYS and AUTOEXEC.BAT

How to create a forensic bootable diskette:

  • on the command line of Windows 98: format a: /U /S

    • /U unconditional format.

    • /S copy the necessary system files over to the diskette, in order to make it a boot disk.

  • then remove every file from the diskette except the mandatory three.

  • remove special attributes from the files to be deleted: attrib -H -R -S filename

    • later, if possible to customize the forensic boot disk by adding CONFIG.SYS and AUTOEXEC.BAT files write-blocking utilities and other forensic tools.

Bootable Diskette

If you don't have a Windows 98 running:

  • HP makes an easy to use utility called HP USB Disk Format Tool, which includes a "Create a DOS Startup Disk" option.

    • It's available for free download here along with the Windows 98/DOS boot files.

  • Once the bootable diskette is created follow the same procedure to make it "forensic":

    • remove every file from the diskette except the mandatory three O.SYS.MDDOS.SYS and COMMAND.COM later, it is possible to customiza the forensic boot disk by adding CONFIG:SYS and AUTOEXEC.BAT files write-blocking utilities and other forensic tools.

PreviousWindows Boot ProcessNextBootable CD-ROMS - Linux Based

Last updated