We provide fully licensed copies of the following software to our students in the CCE BootCamp® training course. Be advised that this NEW PACKAGE of software is being provided with updated courseware. This software has been implemented since our May 2014 class in Falls Church, VA.
Previous Software (V2)
This will be discontinued following March 29th, 2010 Bootcamps
We provide fully licensed copies of the following software to our students in the CCE BootCamp® training course. Be advised that this package of software was provided with courseware. This was fully implemented starting with our July 28th, 2008 class in Ft. Lauderdale, FL.
These are all of the tools needed to complete your forensic training as well as the CCE Certification process. This valuable toolset is included in the price of the CCE BootCamp®.
Previous Software (V1)
This will be discontinued following June 23rd, 2008 Bootcamps
FSUITE - Forensic Utilities
FSUITE forensic software was specifically written for forensic examinations and is currently being used by hundreds of forensic examiners worldwide. These utilities are DOS-based. See why below. FSUITE consists of 5 utilities:
WIPER - a forensic wiping utility
LISTDRV - Lists the contents of an entire drive
CHKSUM - 64 bit checksum utility
FREESECS - copies unallocated space to files for examination
DISKDUPE - a diskette duplication utility
- WIPER - a disk utility that will completely erase all information on a logical or physical drive by overwriting each and every byte with a user-selectable character. The program is written entirely in assembly language and therefore is small and fast. It uses the BIOS disk services, even for the logical drives, and thus will wipe a drive regardless of the operating system format. The user may select a one-pass wipe, using the default character of 00 or a character entered by the user, or a "secure", seven-pass wipe. The "secure" wipe uses alternating ones and zeros for six passes, then finishes the process with a pass using the user-selected character or zero, leaving a completely blank drive, except for the low level formatting information. The speed is about 3 to 4 minutes per GB per pass for a hard drive.
- LISTDRV – an assembly language utility that examines a logical drive, or several logical drives on a physical drive, for FAT12, FAT16, or FAT32 files. As they are found, they are saved to a comma-delimited and quotation mark-delimited file prepared for importation into a database program or a spreadsheet program such as EXCEL, for any desired manipulation. LISTDRV will also list deleted files if desired. The listing includes the complete path, the long file name, if present, the alias or short file name, and the other date, time, size, and location information. If removable media is used to save the listing file, LISTDRV will span multiple disks.
- CHKSUM - an assembly language disk utility that calculates a 64-bit checksum for a physical or logical disk drive. When used in conjunction with WIPER, it is an excellent tool for verifying that media contains no data before making a forensic copy to that media. It also is an excellent tool for verifying that exact forensic copies were made from the original media to the copy.
- FREESECS - an assembly language disk utility which searches a specified logical drive for the unallocated or free space, and saves the information contained in unallocated space to one or more files. FREESECS can additionally search any physical drive (regardless of the operating system) and save all the information contained on all sectors to one or more files.
- FREESECS, when used at a physical level, is an excellent inexpensive acquisition tool for Access Data's Forensic Tool Kit (FTK).
- DISKDUPE - an assembly language utility that makes an exact forensic copy of a floppy diskette.
WIPER, CHKSUM, and FREESECS are DOS-based utilities, but they bypass the operating system and can work on any media format type at a physical level. They can run from a DOS box in Windows 9X, by exiting Windows to a DOS prompt, or by running after booting with a DOS boot disk to a real mode DOS prompt. FREESECS and LISTDRV are being modified to recognize the NTFS file system used by Windows NT, 2000, and XP. WIPER and CHKSUM need only minor modifications for NTFS capability, and DISKDUPE needs no modification since it only works on FAT12 floppy diskettes. A new utility, as yet unnamed, that will make forensic copies of hard drives, is under construction.
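The blank-media and copy checks described for CHKSUM can be reproduced on image files. The following Python is an added example, not FSUITE code: `scan_image`, `copies_match` and the sample images are hypothetical, and the additive 64-bit sum is an assumed stand-in because the page does not name CHKSUM's algorithm, so a SHA-256 digest is computed alongside it.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20          # read 1 MiB at a time; images need not fit in memory
MASK64 = (1 << 64) - 1   # keep the running sum to 64 bits


def scan_image(path, wipe_char=0x00):
    """Return (sum64, sha256_hex, first_dirty_offset) for an image file.

    sum64 is a byte sum modulo 2**64 (assumed stand-in, not CHKSUM's method).
    first_dirty_offset is None when every byte equals wipe_char (blank media).
    """
    total, digest, dirty, offset = 0, hashlib.sha256(), None, 0
    fill = bytes([wipe_char])
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            total = (total + sum(chunk)) & MASK64
            digest.update(chunk)
            if dirty is None:
                rest = chunk.lstrip(fill)      # drop leading wipe bytes
                if rest:                       # something else remains
                    dirty = offset + len(chunk) - len(rest)
            offset += len(chunk)
    return total, digest.hexdigest(), dirty


def copies_match(original, copy):
    """Accept a copy only if both the 64-bit sum and the SHA-256 agree."""
    return scan_image(original)[:2] == scan_image(copy)[:2]


def demo():
    """Run the checks on three small constructed images."""
    images = {n: bytearray(4096) for n in ("blank", "residue", "swapped")}
    images["residue"][1536:1540] = b"JFIF"   # constructed leftover data
    images["swapped"][1536:1540] = b"FJIF"   # same bytes, reordered
    with tempfile.TemporaryDirectory() as tmp:
        paths = {n: os.path.join(tmp, n + ".img") for n in images}
        for name, data in images.items():
            with open(paths[name], "wb") as fh:
                fh.write(data)
        return {
            "blank": scan_image(paths["blank"]),
            "residue": scan_image(paths["residue"]),
            "swapped_sum": scan_image(paths["swapped"])[0],
            "match": copies_match(paths["residue"], paths["swapped"]),
        }
```

A zero-wiped image yields a sum of 0 and no dirty offset, while the image with residue reports the offset of the first leftover byte. The reordered image has the same additive sum as the original, which is why the comparison also requires the cryptographic hash to agree.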
Why are these and many other forensic utilities DOS based?
When conducting a forensic examination, the examiner must have total control over what the operating system is doing when the original media is accessed. Any alteration to the original media is not acceptable during a forensic examination. Direct access of the original media during a forensic examination is normally done at a low level, frequently at a DOS level. This is because all versions of Windows, even Windows 95 and Windows 98, will attempt to or will directly write to any other fixed drive media on a computer during the normal Windows boot process. These writes occur even if the original media is located as a second, third or other drive on the computer.
Most forensic examiners use a modified 32-bit FAT operating system "real mode" boot disk. During our course, we show you how to make some modifications to the IO.SYS file on the Windows 98 boot diskette to prevent DriveSpace from loading compressed drives and to prevent some other operating system writes to the original media. The ME and later versions of DOS do not allow that level of control. Therefore, the Windows ME, Windows 2000, Windows NT or Windows XP versions of DOS should not normally be used for access to the original media. Our utilities are designed to operate in a "real mode" DOS environment to prevent these inadvertent writes to the original media.