Frequently Asked Questions
1. My case involves Internet web browsing issues. Is there a quick way to determine if a computer has been used on the Internet to browse pornography-based web sites?
Answer: NTI's new NTA Stealth software can be used to quickly identify past uses of a computer hard disk drive and it can be configured to identify leads that are tied to known child and adult pornography web sites. Information about the new NTA Stealth program can be found at http://www.forensics-intl.com/nta.html
2. Why is NTA Stealth a DOS tool? Most people use Windows and Windows XP.
Answer: Windows modifies evidence as a side effect of running. Booting Windows or launching a Windows program on the subject drive writes swap/page file data, registry and log entries, and updated file timestamps, any of which can overwrite unallocated space and destroy the very traces you are looking for. A DOS program, by contrast, can be booted and run from a floppy diskette without writing to the hard disk, and it can be run unattended in batch mode from AUTOEXEC.BAT. For these reasons NTI chose DOS as the operating system for the NTA Stealth program. NTI is one of the leaders in the field of computer forensics and made this choice deliberately.
3. I understand that NTA Stealth can be configured to boot and run automatically from a floppy diskette, however, the creation of bootable DOS diskettes and custom AUTOEXEC.BAT files is complicated. Is there an easy way to configure boot diskettes so that NTA Stealth can be used to process computer hard disk drives automatically from a floppy diskette?
Answer: NTI makes specialized programs available to its clients which automatically create bootable floppy diskettes for use with NTA Stealth. The programs can be downloaded free of charge from this web site at http://www.forensics-intl.com/ntadisks.html.
4. I understand that NTA Stealth can be operated from a USB memory device to identify past Internet leads. Is there an easy way to configure a USB memory device for use with the NTA Stealth program?
Answer: Floppy disk drives are no longer standard equipment on some newer computers, e.g., Dell. For this reason it may be appropriate to evaluate a computer hard disk drive for leads to past Internet use by running NTA Stealth from a USB memory device. NTI has posted an article on the subject which should answer any USB-related questions about using the NTA Stealth program. The article can be found at http://www.forensics-intl.com/art23.html.
SafeBack Related Questions
1. I am having trouble restoring a logical drive using SafeBack. What should I do?
Answer: If you're using Windows 95 OSR2 or Windows 98 boot diskettes and restoring logical FAT-16 or FAT-32 drives, you must make sure that the destination logical drive is formatted. It is not sufficient to create the partition using FDISK without formatting it afterwards. Note that this applies only to restoring logical (drive letters, not numbers) drives.
2. I have used SafeBack to restore a large hard drive but I can't get it to boot. I have this problem with Windows 95 and Windows 98 sometimes and I get a "Disk I/O Error" or other similar message. What is the problem?
You may find that after restoring a fairly large hard drive, Windows 95 or 98 refuses to boot the restored image, giving a "Disk I/O Error" or similar message. This is usually because the host computer's BIOS does not properly support the hard disk BIOS extensions (the INT 13h extensions, also called XBIOS, which provide LBA access) that large drives need. Astute observers will note that SafeBack reports three partition types that require BIOS extensions:
- Type 12 (0x0C) - FAT-32 using XBIOS
- Type 14 (0x0E) - FAT-16 using XBIOS
- Type 15 (0x0F) - Extended using XBIOS
So what do you do if your system doesn't support hard disk BIOS extensions? The first and most obvious course of action is to look for a BIOS upgrade for your computer. Unless you have a major name-brand system, however, this may be all but impossible. Another approach that often succeeds is to use a disk editor to change the partition type byte in the master boot record (the fifth byte of each 16-byte partition entry; the table starts at offset 0x1BE of sector 0) to the equivalent type that does not require BIOS extensions:
- Type 12 (0x0C) changes to type 11 (0x0B)
- Type 14 (0x0E) changes to type 6 (0x06)
- Type 15 (0x0F) changes to type 5 (0x05)
Make this change only on the restored working copy, never on the original evidence drive, and record it in your notes, because the restored drive will no longer match the image byte for byte. This will usually allow your system to boot. If that doesn't do the trick, call NTI for assistance in getting the restored system to boot.
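As an added illustration of the partition-type change, not NTI's code and not part of SafeBack, the Python script below reads a 512-byte copy of sector 0 taken from the restored drive, lists the four primary partition entries, and rewrites only the type byte of entries that carry the XBIOS types listed above. The file name on the command line is an assumption of the example; without one, the script runs on a constructed sample MBR. It leaves the CHS fields, the boot code and everything else in the sector untouched, so the only difference between input and output is the changed type byte(s):

```python
import struct
import sys

# Partition-type IDs named in the FAQ: the FAQ's decimal "type 12" is 0x0C in a
# disk editor.  Left needs INT 13h extensions (XBIOS/LBA); right is the
# equivalent type that legacy CHS BIOS code understands.
XBIOS_TO_CHS = {
    0x0C: 0x0B,   # type 12 FAT-32 (XBIOS)   -> type 11 FAT-32
    0x0E: 0x06,   # type 14 FAT-16 (XBIOS)   -> type 6  FAT-16
    0x0F: 0x05,   # type 15 Extended (XBIOS) -> type 5  Extended
}
MBR_SIZE, TABLE_OFFSET, ENTRY_SIZE = 512, 0x1BE, 16
BOOT_SIGNATURE = b"\x55\xAA"

def read_partition_table(mbr: bytes) -> list:
    """Four primary entries as (index, status, type_id, lba_start, lba_sectors)."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        lba_start, lba_sectors = struct.unpack_from("<II", mbr, off + 8)
        entries.append((i, mbr[off], mbr[off + 4], lba_start, lba_sectors))
    return entries

def downgrade_xbios_types(mbr: bytes) -> tuple:
    """Return (patched_mbr, changes).  Only the type byte (offset 4 of each
    16-byte entry) is rewritten; CHS fields and boot code are left untouched."""
    buf, changes = bytearray(mbr), []
    for i, _status, type_id, _start, _sectors in read_partition_table(mbr):
        if type_id in XBIOS_TO_CHS:
            buf[TABLE_OFFSET + i * ENTRY_SIZE + 4] = XBIOS_TO_CHS[type_id]
            changes.append((i, type_id, XBIOS_TO_CHS[type_id]))
    return bytes(buf), changes

def make_sample_mbr() -> bytes:
    """Constructed MBR: entry 0 = bootable FAT-32 XBIOS (0x0C), entry 1 = extended XBIOS (0x0F)."""
    mbr = bytearray(MBR_SIZE)
    for i, status, type_id, start, sectors in ((0, 0x80, 0x0C, 63, 2_000_000),
                                               (1, 0x00, 0x0F, 2_000_063, 1_000_000)):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        mbr[off], mbr[off + 4] = status, type_id
        struct.pack_into("<II", mbr, off + 8, start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

if __name__ == "__main__":
    # Usage: python mbr_types.py sector0.bin   (512-byte copy of sector 0 of the
    # RESTORED drive; the file name is an assumption).  No argument: use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_mbr()
    for i, status, type_id, start, sectors in read_partition_table(data):
        print(f"entry {i}: status 0x{status:02X} type 0x{type_id:02X} "
              f"start LBA {start} sectors {sectors}")
    patched, changes = downgrade_xbios_types(data)
    for i, old, new in changes:
        print(f"entry {i}: type 0x{old:02X} ({old}) -> 0x{new:02X} ({new})")
    if len(sys.argv) > 1 and changes:
        open(sys.argv[1] + ".patched", "wb").write(patched)
        print(f"wrote {sys.argv[1]}.patched")
```

Write the patched sector back to the working copy with your disk editor, then hash the restored drive again and record the change. The CHS start/end fields of each entry are left as they are; if they hold the 0xFE 0xFF 0xFF placeholder that marks a partition beyond CHS reach, the type change alone may not be enough, which is the case the FAQ's "if that doesn't do the trick" covers.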
3. Our department has limited funds and I am forced to use several older computers to process computers for evidence. I seem to be having problems when using SafeBack with IDE drives larger than 8.4 GB on these older systems. What is the problem?
SafeBack can certainly handle IDE hard drives larger than 8.4 GB. However, some caution is necessary with some large drives, such as the 12 GB Quantum Bigfoot TX.
Not all PCs properly support the BIOS extensions required to back up or restore large IDE drives in BIOS mode. In particular, BIOSes released before about November 1997 are unlikely to provide the necessary support. The 8.4 GB figure is the ceiling of legacy INT 13h CHS addressing (1024 cylinders x 256 heads x 63 sectors x 512 bytes = 8,455,716,864 bytes); without the INT 13h extensions the BIOS cannot address any sector beyond it. The most common manifestation of the failure is that the drive capacity is truncated at 8.4 GB, with the remainder of the drive inaccessible.
However, all is not lost. SafeBack's direct controller access mode can be used successfully for both backup and restore operations on these drives. Please note that you still may not be able to boot a restored drive, nor will you be able to access all of the drive contents, if the host system BIOS is deficient, because the boot code and the initial geometry determination made by Windows and MS-DOS rely on your system's BIOS.
4. I have used SafeBack for years and from time to time issues come up concerning different drive types and technology related issues. What are some of the common issues that SafeBack users encounter in processing computers for evidence?
- When using external SCSI drives, be sure to use the same ASPI disk-driver software throughout. For example, if you're using an Adaptec 2940, you'll have loaded ASPI8DOS.SYS and ASPIDISK.SYS to access an external drive. If you subsequently use the same drive with, say, an H45 parallel-to-SCSI adapter, be sure to use Adaptec's ASPIDISK.SYS instead of H45's ASPIHDRM.SYS. It seems that ASPIDISK.SYS and ASPIHDRM.SYS organize a hard disk differently.
- Long-format Iomega Jaz and Zip cartridges before use to avoid unexpected "General Failure" errors from DOS and SafeBack.
- When backing up a physical drive, try to use BIOS access first. If drive-management software is present and will prevent you from accessing the entire hard disk, SafeBack will warn you.
- Some non-Microsoft operating systems, such as Unix, may require that you boot your copy using the same type of hard disk controller. That is, if a specific SCSI controller was used on the original system, you may have to use that same type of SCSI controller on the restored system if you want to boot it.
- SafeBack is aware of Windows 95/98 FAT-32 file systems, but if you want to make a backup of a FAT-32 partition without backing up the entire physical drive, you must boot SafeBack using a boot diskette created using Windows 95B (also called OSR2) or Windows 98.
- When using a SCSI tape drive in a system with a SCSI disk drive, avoid connecting the tape drive and the disk drive to the same controller. This is particularly true if the disk drive is of an Ultra- or Wide-SCSI variety. It's safe practice to make sure that the tape drive is on its own dedicated controller.
5. There are many commercial backup programs available in the marketplace. How does SafeBack differ from commercial backup utilities?
SafeBack differs in several important ways. First, SafeBack is not file-oriented. It knows nothing about the file structure or content of the drive you're processing, nor does it need to: it reads the entire hard disk or hard disk partition and stores it away. This means that you can't selectively back up files or restore just a piece of a hard drive, but it also means that you can back up just about any hard disk that your system can read, including the unallocated and slack space that a file-oriented backup never touches.
Second, SafeBack doesn't require a hard disk to run. It runs from a floppy and never writes to your hard disk unless directed to. Incidentally, this is also why SafeBack is a DOS utility rather than one that runs under Windows or another operating system: as part of their normal operation, Windows, OS/2 and other large GUI systems write swap and initialization information to the hard disk, and that is the first place you want to look for evidence!
Third, SafeBack's copies are validated mathematically to a very high degree of accuracy. This is because SafeBack is primarily used to preserve computer-related evidence, and a high degree of accuracy is required or the data cannot be used in court.
Fourth, SafeBack does not compress the data it copies. This is a design feature of SafeBack, to avoid legal challenges claiming that the software altered the data through translation or decompression.
6. I have been using ILook with SafeBack version 2.2 files. Is SafeBack 3.0 designed to work with ILook?
No, SafeBack 3.0 does not currently work with ILook. It is possible that ILook compatibility will be added to a future version of SafeBack or ILook.
7. I am aware that SafeBack supports SCSI tape drives. What is SCSI and what do I need to know when using a SCSI tape drive with SafeBack?
SCSI is a large topic, and SCSI tape drives are the only tape drives compatible with SafeBack. A fuller explanation of SCSI, and of the hardware and backup solutions that are compatible with SafeBack, is available here.
8. I understand that the SafeBack license has changed with the release of version 3.0. What are the differences?
With the release of SafeBack 3.0 we have tightened the software licensing to better protect our investment and ownership in the technology. This change should not affect our clients but it will require the signing of a new license agreement. Our license is still based on a per user basis and the name of the licensed software user is embedded in the software.
Graphic Image Related Questions
1. My case involves the identification and review of computer graphics images of pornography, and time limitations do not permit me to conduct a thorough examination of the computer hard disk drive. How can I quickly determine how a specific computer was used to view computer graphics files on the Internet and on the subject computer?
2. My case involves computer based pornography and I have suspicions that a specific computer was used for illegal or inappropriate purposes. How can I quickly identify and review all of the Internet-based graphics files contained on a specific computer hard disk drive relative to past Internet web browsing activities?
NTI's Graphics File Extractor software can be used to quickly sample the Windows Swap/Page File and help the computer forensics investigator in making a quick determination about possible past Internet computer usage tied to a specific computer. Typically such a sampling can be completed in under one hour using Graphics File Extractor and the output will consist of reconstructed graphic image files. These output files can quickly be reviewed using a graphics file viewer like Firehand Ember. Although there are several graphics file viewing programs, we like Firehand Ember because it is easy to use and it is priced right to fit with limited law enforcement budgets.
3. I used NTI's Graphics File Extractor software and it identified a previously deleted child porn graphics file that is relevant to my case. How can I find the source data for the relevant file on the subject computer hard disk drive?
4. I use NTI's Graphics File Extractor software and in some cases duplicate graphics files are identified. However, one of the duplicates seems to be thumbnail size. Did the source computer hard disk drive contain two copies of the same graphics file, or is this tied to some technical graphics image issue?
Once a relevant file has been identified using Graphics File Extractor, e.g., in a child pornography case, use the first 40 bytes of the file as the search key to locate the source data in the unallocated storage space of the subject computer storage device. This search can easily be done with NTI's HexSearch software. Because the first bytes of a GIF or JPEG are largely format header that many files share, confirm each hit by comparing more of the file than the 40-byte key before relying on it. Once the relevant clusters have been identified, the computer forensics specialist can restore them manually.
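The following Python example, added here and not part of NTI's HexSearch or Graphics File Extractor, shows the same 40-byte search run against a raw image of the subject device, the mapping from byte offset to cluster number, and the manual restore of the clusters found. The device image, the 1,300-byte "recovered" picture, the 512-byte cluster size, and the FAT-style data area starting at byte 1,024 with first cluster number 2 are all constructed for the example. It also plants a decoy that shares the picture's header bytes, so the hit list shows why a prefix hit has to be confirmed against the whole file:

```python
def find_source_clusters(image: bytes, recovered: bytes, cluster_size: int,
                         data_area_offset: int = 0, first_cluster: int = 0,
                         prefix_len: int = 40) -> list:
    """For every place the first prefix_len bytes of `recovered` occur in `image`
    (a raw copy of the subject device), report the byte offset, the run of cluster
    numbers the file would occupy from there, and whether the whole file, not only
    the prefix, is present.  Cluster numbers count from data_area_offset; FAT
    numbers its first data cluster 2.  If `image` is a GetFree output file rather
    than the device, the numbers are positions in that file, not drive clusters."""
    key, hits, pos = recovered[:prefix_len], [], data_area_offset
    while (pos := image.find(key, pos)) >= 0:
        first = (pos - data_area_offset) // cluster_size + first_cluster
        last = (pos + len(recovered) - 1 - data_area_offset) // cluster_size + first_cluster
        hits.append({"offset": pos, "clusters": list(range(first, last + 1)),
                     "full_match": image.startswith(recovered, pos)})
        pos += 1
    return hits

def extract_clusters(image: bytes, clusters: list, cluster_size: int,
                     data_area_offset: int = 0, first_cluster: int = 0) -> bytes:
    """Concatenate the named clusters (the manual restore step).  The result ends
    with slack after the file's last byte, so trim it to the recovered length."""
    out = bytearray()
    for c in clusters:
        start = data_area_offset + (c - first_cluster) * cluster_size
        out += image[start:start + cluster_size]
    return bytes(out)

def make_sample_image(cluster_size: int = 512, data_area_offset: int = 1024) -> tuple:
    """Constructed device image (not real evidence): 10 data clusters after a
    1,024-byte reserved/FAT area, a 1,300-byte 'picture' at cluster 4 and a decoy
    at cluster 8 that shares the picture's first 66 header bytes.  Returns
    (image, picture)."""
    header = (b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xFF\xDB\x00\x43\x00" + bytes(range(41)))        # JFIF + start of DQT
    picture = header + b"\x5A" * 1232 + b"\xFF\xD9"                # 1300 bytes
    decoy = header + b"\xA5" * 430 + b"\xFF\xD9"                   # same header, other body
    image = bytearray(data_area_offset + 10 * cluster_size)
    at = lambda cluster: data_area_offset + (cluster - 2) * cluster_size
    image[at(4):at(4) + len(picture)] = picture
    image[at(8):at(8) + len(decoy)] = decoy
    return bytes(image), picture

if __name__ == "__main__":
    image, picture = make_sample_image()
    for hit in find_source_clusters(image, picture, 512, data_area_offset=1024, first_cluster=2):
        print(hit)
    # {'offset': 2048, 'clusters': [4, 5, 6], 'full_match': True}
    # {'offset': 4096, 'clusters': [8, 9, 10], 'full_match': False}
```

Only the hit with full_match True points at the file's real source clusters; the decoy hit is exactly the kind of false positive a 40-byte header key produces, and it is discarded by the comparison rather than by hand.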
5. Graphics files were deleted from a digital flash memory card. How can I identify and restore the deleted files using computer forensics software?
Previously deleted graphics files can be recovered from flash memory cards by using Graphics File Extractor together with NTI's GetFree software. Mount the flash memory card using a USB or parallel-port flash memory card reader, e.g., the Memorex USB CompactFlash Card Reader. Once the card is mounted as a drive, capture its unallocated space with GetFree, either in DOS or in a Windows DOS box, and direct the output file to a separate computer storage device rather than to the subject flash memory card. Because the card is mounted as a writable drive while you do this, protect it from writes where you can (a read-only switch on the card or reader, or a hardware write blocker) and hash the card before and after the capture. The output file can then be quickly processed with Graphics File Extractor to recover the deleted GIF and JPG files.
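As an added example that is not part of Graphics File Extractor or GetFree, the Python code below carves GIF and JPG files out of a raw unallocated-space dump by walking each format's structure rather than stopping at the first trailer byte, and it pulls out the thumbnail that a JPEG can carry inside its EXIF header. That embedded thumbnail is one common source of the thumbnail-size "duplicate" asked about in question 4 above: it is a second, smaller copy of the picture stored within the same file, not a second file on the card. The sample dump, the two JPEGs and the GIF are constructed byte layouts (valid marker structure, not real pictures), and the simplified EXIF payload is an assumption of the example:

```python
import struct

SOI, EOI = b"\xFF\xD8", b"\xFF\xD9"
GIF_SIGS = (b"GIF87a", b"GIF89a")

def jpeg_end(blob: bytes, start: int):
    """End offset of the JPEG whose SOI is at blob[start], or None if malformed.
    Header segments carry a big-endian length, so an EXIF APP1 holding a whole
    thumbnail JPEG is stepped over; after SOS the scan data runs to the first FFD9."""
    pos, n = start + 2, len(blob)
    while pos + 4 <= n and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker == 0xFF:                                  # fill byte
            pos += 1
        elif marker == 0xDA:                                # SOS: find EOI
            idx = blob.find(EOI, pos + 2)
            return None if idx < 0 else idx + 2
        else:
            seglen = struct.unpack_from(">H", blob, pos + 2)[0]
            pos += 2 + max(seglen, 2)                       # step over the segment
    return None

def gif_end(blob: bytes, start: int):
    """End offset of the GIF at blob[start], walking its blocks instead of
    stopping at the first 0x3B byte, which also occurs inside pixel data."""
    n = len(blob)
    if start + 13 > n:
        return None
    table = lambda packed: (3 << ((packed & 7) + 1)) if packed & 0x80 else 0
    def skip_subblocks(p: int) -> int:                      # size-prefixed, 0 ends
        while p < n and blob[p]:
            p += 1 + blob[p]
        return p + 1
    pos = start + 13 + table(blob[start + 10])              # header + global table
    while pos < n:
        tag = blob[pos]
        if tag == 0x3B:                                     # trailer
            return pos + 1
        if tag == 0x21:                                     # extension: label + data
            pos = skip_subblocks(pos + 2)
        elif tag == 0x2C and pos + 10 <= n:                 # descriptor, table, LZW size
            pos = skip_subblocks(pos + 11 + table(blob[pos + 9]))
        else:
            return None
    return None

def carve_images(blob: bytes) -> list:
    """Signature-carve JPEG and GIF files from raw space -> [(offset, kind, data)]."""
    found, pos = [], 0
    while pos < len(blob):
        j = blob.find(SOI + b"\xFF", pos)
        g = min([k for k in (blob.find(s, pos) for s in GIF_SIGS) if k >= 0], default=-1)
        if j < 0 and g < 0:
            break
        if g < 0 or 0 <= j < g:
            here, kind, end = j, "jpg", jpeg_end(blob, j)
        else:
            here, kind, end = g, "gif", gif_end(blob, g)
        if end is None:                                     # false hit: step past it
            pos = here + 1
            continue
        found.append((here, kind, blob[here:end]))
        pos = end
    return found

def exif_thumbnail(jpeg: bytes):
    """Thumbnail JPEG embedded in an EXIF APP1 segment, or None (the thumbnail-size 'duplicate')."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if jpeg[pos + 1] == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            t = seg.find(SOI + b"\xFF")
            return seg[t:end] if t >= 0 and (end := jpeg_end(seg, t)) else None
        pos += 2 + seglen
    return None

# --- constructed sample data: valid marker layouts, not real pictures ---
def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def make_sample_jpeg(with_thumbnail: bool) -> bytes:
    thumb = (SOI + _seg(0xDB, b"\x00" + b"\x10" * 64)
             + _seg(0xDA, b"\x01\x01\x00\x00\x3F\x00") + b"\x12\x34\xFF\x00\x56" + EOI)
    # simplified EXIF payload (assumed): TIFF header, then the thumbnail bytes
    exif = b"Exif\x00\x00MM\x00\x2A\x00\x00\x00\x08\x00\x00" + thumb
    return (SOI + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + (_seg(0xE1, exif) if with_thumbnail else b"")
            + _seg(0xDB, b"\x00" + bytes(range(64)))
            + _seg(0xDA, b"\x01\x01\x00\x00\x3F\x00") + b"\xAB\xCD\xFF\x00\x12\x34" * 8 + EOI)

def make_sample_gif() -> bytes:                             # 2x1 GIF89a with a 0x3B in its pixel data
    header = b"GIF89a" + struct.pack("<HH", 2, 1) + b"\x80\x00\x00" + b"\x00\x00\x00\xFF\xFF\xFF"
    image = b"\x2C" + struct.pack("<HHHH", 0, 0, 2, 1) + b"\x00\x02" + b"\x03\x3B\x3B\x01\x00"
    return header + image + b"\x3B"

def make_sample_unallocated(cluster_size: int = 512) -> bytes:
    pad = lambda d: d + b"\x00" * (-len(d) % cluster_size)  # each image on a cluster boundary
    return (pad(make_sample_jpeg(False)) + b"\xAA\x55" * (cluster_size // 2)
            + pad(make_sample_gif()) + pad(make_sample_jpeg(True)))
```

Run carve_images over a GetFree output file read into memory and it returns each picture once, with its byte offset in the dump; exif_thumbnail then tells you whether a file also carries an embedded thumbnail, which is the check to make before concluding that the drive held two copies. A carver that simply scans for the next FFD9 after every FFD8 would instead emit the thumbnail as its own file and truncate the parent picture at the thumbnail's end marker.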
6. My case involves flash memory chips used in digital computers. How can I best process the digital evidence and still preserve the evidence?
This article by Officer Fred J. Wiechmann of the Portland Police Bureau is a good overview of the techniques and hardware required to process digital evidence stored on flash memory chips.
Hardware Related Questions
1. I am interested in purchasing a computer system for processing computer evidence. Do I need a special computer system to perform computer forensics related work?
In NTI's Computer Forensics Laboratory we don't buy any specific pre-built computers or specialized machines. We find that it is more important to have computer systems built around specific motherboards. Our lab manager likes ABIT and ASUS motherboards because some other motherboards cause problems when accessing large IDE drives.
2. I am having trouble getting my tape drive to work with an Adaptec AHA2940W, AHA2940UW or AHA2940U2W wide-SCSI controller. What should I do?
If you're having trouble getting your tape drive to work with an Adaptec AHA2940W, AHA2940UW or AHA2940U2W wide-SCSI controller, do the following:
- When your system boots, wait for the "Press Ctrl-A for SCSI Setup" message to appear, then press Ctrl-A
- When the SCSI setup menu appears, choose Configure/View Host Adapter Settings.
- Choose SCSI Device Configuration
- Set Initiate Sync Negotiation to NO for all SCSI IDs
- Set Maximum Sync Transfer Rate to 10.0 for all IDs
- Set Enable Disconnection to NO for all IDs
- Press ESC and save all changes