Creating EnCase Forensic Boot Disks

Initially, I’ll focus on creating EnCase DOS boot disks using EnCase 5 (or older). I’ll switch to EnCase 7 when the new features of that version merge into the process.

The purpose of the forensic boot disk is to boot the computer and load an operating system in a forensically sound manner so that the evidentiary media is not changed. A normal DOS boot disk will make calls to the C: drive, primarily via COMMAND.COM but also via IO.SYS. Figure 4-1 shows COMMAND.COM making a call to the C: drive. A normal DOS boot disk will also attempt to load DRVSPACE.BIN (disk compression software) if it is present. An EnCase forensic boot ...
