FBCD
Overview - Historically, forensic practitioners have blindly acquired the target system and then analyzed the image back in their lab at a later date. There was no preview of the system to determine whether pertinent data was present. Today's environment, however, may call for a change in this approach. Because of legal and privacy issues, combined with the enormous size of hard drives, an emerging trend in data forensics is to preview a system before acquiring it. If pertinent data is found during the preview, the practitioner can switch from preview to acquisition mode. If no pertinent data is found, or if the preview leads to the conclusion that the pertinent data resides on another system, the practitioner can move on to that system.
Why preview before acquire?
* A preview may identify other target devices not currently attached to the system under preview.
* A preview may identify where important log files reside if not on the system under preview.
* A preview may identify data pertinent to the case so that the acquisition phase may commence.
Previewing on-site may ultimately prove to be the smartest choice you make: all it takes is one case where you acquire only the internal hard drive and find later, during analysis, that pertinent data is stored elsewhere - on a removable drive, across the network, etc.
FBCD is designed to provide you with a forensically sound environment from which you can preview data residing on various storage devices. Using FBCD, you can:
* Boot almost any x86 Intel system
* Mount file systems in a forensically sound manner, using a GUI
* Preview data using a single, unified GUI (Delve)
* Authenticate, acquire and analyze storage media
* Decrypt EFS-encrypted files
* Access and parse the Windows Registry
* Generate thumbnails for graphics files
* Dump file meta-data (graphics files, PDF documents, etc.)
* Obtain the passwords for system users
* Undelete files from the ext2, FAT, and NTFS file system types
* Identify and reset Host Protected Areas (HPA) on IDE drives
* Dump the system BIOS tables
* Parse the Windows pagefile.sys file for e-mail addresses and URLs
* Dump file system meta-data (initialized date, last mount date, etc.)
* Read various Windows and Linux log files
* Parse web browser cache files for history and cookie information
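As an added illustration of two items in the list above (authenticating storage media and parsing a pagefile for e-mail addresses and URLs), the following shell example is not FBCD's own code: it builds a constructed stand-in for pagefile.sys, hashes it before and after a read-only preview pass, and carves the addresses out of the binary blob. The sample bytes and the function names are made up for the example.

```shell
#!/bin/sh
# Added example, not part of FBCD. Emulates a forensically sound preview:
# hash the media before and after, carve artefacts in between, and only
# report success if the two hashes still agree.

# Constructed stand-in for pagefile.sys: printable fragments surrounded by
# non-text bytes. Nothing in here is real evidence.
make_sample_pagefile() {
    out=$1
    {
        printf '\000\001\002GET http://example.org/login?user=x HTTP/1.1\000\377'
        printf 'mailto:analyst@example.com\000\000\000junk'
        printf 'https://intranet.example.net/logs/\003\004'
        printf 'second.user@example.org\000'
    } > "$out"
}

# Authenticate the image: its SHA-256 digest is the fingerprint that must be
# identical before and after any preview activity.
authenticate() {
    sha256sum "$1" | cut -d' ' -f1
}

# Turn every non-printable byte into a newline (a minimal strings(1)) and
# pull out e-mail addresses and http(s) URLs, one per line, de-duplicated.
carve_addresses() {
    tr -c '[:print:]' '\n' < "$1" \
      | grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}|https?://[^[:space:]"<>]+' \
      | sort -u
}

# Preview one image: print the carved artefacts and return 0 only if the
# image hash is unchanged afterwards (i.e. the preview did not alter it).
preview_image() {
    img=$1
    before=$(authenticate "$img")
    carve_addresses "$img"
    after=$(authenticate "$img")
    [ "$before" = "$after" ]
}
```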
