Forensic Software



    We provide fully licensed copies of the following software to our students in the online Computer Forensic Examiner training course.



    The individual cost of these utilities is over $500. A demo version of AccessData’s Forensic Tool Kit is also provided for use with training.



     FSUITE - Forensic Utilities

    Our software can be purchased separately by those who do not wish to take our training course.  Please visit our FSUITE page at KeyComputer.net for pricing and online purchasing.


    FSUITE forensic software was specifically written for forensic examinations and is currently being used by hundreds of forensic examiners worldwide.  These utilities are DOS-based.  See why below.  FSUITE consists of 5 utilities:

     

    • WIPER - a disk utility that will completely erase all information on a logical or physical drive by overwriting each and every byte with a character which is user selectable. The program is written entirely in assembly language and therefore is small and fast. It uses the BIOS disk services, even for the logical drives, thus will wipe a drive regardless of the operating system format. The user may select a one-pass wipe, using the default character of 00 or a character entered by the user, or a "secure", seven-pass wipe.  The "secure" wipe uses alternating ones and zeros for six passes, then finishes the process with a pass using the user-selected character or zero, leaving a completely blank drive, except for the low level formatting information.  The speed is about 3 to 4 minutes per GB per pass for a hard drive.



    • LISTDRV – an assembly language utility that examines a logical drive, or several logical drives on a physical drive, for FAT12, FAT16, or FAT32 files.  As they are found, they are saved to a comma-delimited and quotation mark-delimited file prepared for importation into a database program or a spreadsheet program such as EXCEL, for any desired manipulation.  LISTDRV will also list deleted files if desired. The listing includes the complete path, the long file name, if present, the alias or short file name, and the other date, time, size, and location information. If removable media is used to save the listing file, LISTDRV will span multiple disks. 

    • CHKSUM - an assembly language disk utility that calculates a 64-bit checksum for a physical or logical disk drive.  When used in conjunction with WIPER, it is an excellent tool for verifying that media contains no data before making a forensic copy to that media.  It also is an excellent tool for verifying that exact forensic copies were made from the original media to the copy.

    • FREESECS - an assembly language disk utility which searches a specified logical drive for the unallocated or free space, and saves the information contained in unallocated space to one or more files.  FREESECS can additionally search any physical drive (regardless of the operating system) and save all the information contained on all sectors to one or more files.
      • FREESECS, when used at a physical level, is an excellent inexpensive acquisition tool for AccessData's Forensic Tool Kit (FTK).

         
    • DISKDUPE – an assembly language utility that makes an exact forensic copy of a floppy diskette.


    WIPER, CHKSUM, and FREESECS are DOS-based utilities, but they bypass the operating system and can work on any media format type at a physical level.  They can run from a DOS box in Windows 9X, by exiting Windows to a DOS prompt, or by running after booting with a DOS boot disk to a real mode DOS prompt. FREESECS and LISTDRV are being modified to recognize the NTFS file system used by Windows NT, 2000, and XP.  WIPER and CHKSUM need only minor modifications for NTFS capability, and DISKDUPE needs no modification since it only works on FAT12 floppy diskettes. A new utility, as yet unnamed, that will make forensic copies of hard drives, is under construction.
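    The wipe-then-verify workflow described for WIPER and CHKSUM, as an added example that is not FSUITE code. It works on a file-backed image rather than a drive, assumes "alternating ones and zeros" means whole passes of 0xFF and 0x00, and uses a byte sum modulo 2**64 as a stand-in because the page does not state CHKSUM's algorithm.

```python
import os
import tempfile

CHUNK = 64 * 1024  # read/write granularity; a real tool works sector by sector


def wipe_image(path, fill=0x00, secure=False):
    """Overwrite every byte of a file-backed image; returns the number of passes."""
    # Assumption: six alternating passes of 0xFF / 0x00, then the fill character.
    passes = ([0xFF, 0x00] * 3 + [fill]) if secure else [fill]
    size = os.path.getsize(path)
    with open(path, "r+b") as img:
        for value in passes:
            img.seek(0)
            for offset in range(0, size, CHUNK):
                img.write(bytes([value]) * min(CHUNK, size - offset))
            img.flush()
            os.fsync(img.fileno())  # push each pass to storage before the next
    return len(passes)


def checksum64(path):
    """Sum of all bytes modulo 2**64 (stand-in, not CHKSUM's actual algorithm)."""
    total = 0
    with open(path, "rb") as img:
        while chunk := img.read(CHUNK):
            total = (total + sum(chunk)) & 0xFFFFFFFFFFFFFFFF
    return total


def is_blank(path, fill=0x00):
    """True only if every byte equals the fill value; stricter than a checksum."""
    with open(path, "rb") as img:
        while chunk := img.read(CHUNK):
            if chunk.count(fill) != len(chunk):
                return False
    return True


def demo():
    """Constructed 1 MiB image holding residual data, wiped and then verified."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(1024 * 1024))
    try:
        before = is_blank(tmp.name)
        passes = wipe_image(tmp.name, secure=True)
        return before, passes, is_blank(tmp.name), checksum64(tmp.name)
    finally:
        os.unlink(tmp.name)
```

    The same checksum64 call run over an original image and its copy gives the copy-verification check; equal values are necessary but, with a simple sum, not proof of identical content.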



    Why are these and many other forensic utilities DOS-based?

    When conducting a forensic examination, the examiner must have total control over what the operating system is doing when the original media is accessed.  Any alteration to the original media is not acceptable during a forensic examination.  Direct access of the original media during a forensic examination is normally done at a low level, frequently at a DOS level.  This is because all versions of Windows, even Windows 95 and Windows 98, will attempt to write, or will write directly, to any other fixed drive media on a computer during the normal Windows boot process.  These writes occur even if the original media is located as a second, third or other drive on the computer.

    Most forensic examiners use a modified 32-bit FAT operating system "real mode" boot disk.  During our course, we show you how to make some modifications to the IO.SYS file on the Windows 98 boot diskette to prevent DriveSpace from loading compressed drives and to prevent some other operating system writes to the original media.  The ME and later versions of DOS do not allow that level of control.  Therefore, the Windows ME, Windows 2000, Windows NT or Windows XP versions of DOS should not normally be used for access to the original media.  Our utilities are designed to operate in a "real mode" DOS environment to prevent these inadvertent writes to the original media.

     
