DiskSig Pro replaces and upgrades NTI's popular DiskSig forensic utility. It is a powerful 'cross validation tool' which is used to ensure that a bit stream backup of an original hard disk drive is accurate. It is also used to quickly determine the number of allocated partitions on a computer hard disk drive and the operating systems involved. In this regard it contains the functionality of NTI's former PTable forensics tool which was discontinued in 2004 because DiskSig Pro has the same features and more.
The DiskSig program and PTable and their uses are described several books and publications, e.g., Computer Forensics, Incident Response Essentials by Warren G. Kruse II and Jay G. Heiser, Cybersecurity Operations Handbook by Dr. John W. Rittinghouse and Dr. William M. Hancock and Cyber Crime Investigator's Field Guide by Bruce Middleton.
DiskSig Pro was developed with NTI's popular SafeBack software in mind. SafeBack is a self-authenticating bit stream backup utility which has set the standard for computer evidence preservation in law enforcement and the military since 1990. SafeBack has also gained wide acceptance in the Big 4 accounting firms and with numerous Fortune 500 corporations. SafeBack is extremely accurate and in 2003 it was upgraded for more accuracy. When the new SafeBack Version 3.0 is combined with DiskSig Pro, the combination creates a powerful defense against legal junk science attacks which are becoming a problem for law enforcement agencies. NTI has posted an article for NTI's law enforcement clients, Defenses Against Junk Science Attacks, that describes the use of DiskSig Pro in overcoming legal junk science attacks. For your information, NTI no longer endorces or supports the use of SafeBack versions 2x. If your are a SafeBack user, you are strongly encouraged to upgrade to SafeBack 3.0 and use it with DiskSig Pro when you are processing of computer related evidence.
As mentioned above, DiskSig Pro also incorporates the features and benefits of NTI's former PTable computer forensics utility. DiskSig Pro can therefore be used to review and analyze the hard disk partition tables to determine what operating systems are involved and how many partitions exist on a hard drive. The partition table analysis logic in DiskSig Pro has been upgraded to address modern hard drives and it interacts automatically with many of NTI's computer forensic tools. Because of the upgraded partition table analysis logic, DiskSig Pro has replaced the NTI's PTable software tool. This new and upgraded computer forensics tool is essential for network forensics and in cases where different or multiple operating systems are involved. This software can also be used to identify hidden data storage areas between partitions ( partition gaps ) and ‘unknown' partitions. This tool provides more information than other forensics tools so computer forensics investigators can make better and more informed decisions.
DiskSig Pro - Primary Uses:
- Used in criminal investigations involving computer-related investigations.
- Used in corporate investigations and internal audits involving computer-related evidence and issues.
- Used to documents and verify that computer evidence was not altered during the processing of evidence stored on a computer hard disk drive.
- Used to mathematically compares the contents of one physical hard disk drive to another.
- Used to mathematically compares the contents of one logical hard disk partition to another.
- Used to mathematically compares the contents of one logical data area, on a hard disk drive, to another hard disk drive.
- Used to validates the accuracy of a forensic bit stream backup using SafeBack 3.0 or any other evidence grade bit stream backup utility.
- Used to identify and document the number and size of partitions on a specific hard disk drive.
- Used to identify the operating systems associated with the subject computer hard disk drive.
- Used to determine the occurrence of and to document when multiple operating systems are on the same computer hard disk drive.
- Used to identify the "volume identifier" associated with a hard drive partition when Windows NT/2000/XP partitions are involved.
- Used to calculate the amount of potential data stored on a hard disk drive outside assigned partitions, i. e., partition gaps.
- Used to determine which hard disk drive volumes are bootable when multiple partitions are involved.
DiskSig Pro - Program Features and Benefits:
- DOS based for ease of operation, speed and a forensically clean operation.
- No Software Dongle! - We know that software dongles get in the way and they restrict your ability to process several computers at the same time. That is why NTI does not use software dongles and our licensing of this software allows you to process multiple computers at the same time. NTI's goal is to make your life easier and this software was designed with ease of use in mind.
- Compact program size - easily fits on a bootable floppy diskette with other forensic and security review software tools.
- Can be operated in batch processing mode with other forensic utilities.
- Does not write to or modify the contents of the evidence hard disk drive.
- Output can be routed to the screen or a file using standard DOS conventions at the option and direction of the computer specialist.
- Operates in a DOS box under most Microsoft-based operating systems including WindowsNT/2000/XP.
- Identifies and displays the volume serial number to help ‘fingerprint' a hard disk drive volume using the unique number assigned at the time the hard disk drive volume was created.
- Reports over 120 different types of operating system/partition formats.
- Better reporting of volume types, especially NTFS and HPFS. Solves the ambiguity problem and reports them correctly.
- Built in viewer for DOS.
- Verbose output enhancements include: sector addresses, volume and disk sizes, volume label, geometry, OEM info, cluster size, etc.
- At the option of the user, it will provide a CRC hash result using SHA256 (U. S. Government Tested), RSA Md5 and/or CRC32 algorithms.
- The user can target specific hashing areas for the target hard disk drive, specific sector ranges and data storage areas.
- At the option of the user, the boot area can be ignored to overcome problems associated with hardware and cylinder boundary translation issues.
The current release is Version 3.1 and the GSA Product Number is SIGPro3.1.
U. S. Government clients should click here for information about GSA purchases.