Another utility used for performing forensic imaging is SnapBack DatArrest, which is available at SnapBack was originally designed as a network backup utility for system administrators; however, it is now marketed as a forensic imaging tool. In fact, until approximately October 2001, AccessData's Forensic ToolKit, or FTK, shipped with SnapBack.


We finished with the SafeBack duplication of the suspect's laptop drive. However, in the suspect's desk drawer, we also found two more hard drives, one of which was a 2.5-inch 1.3GB laptop drive. We'll use SnapBack to acquire the forensic image of this drive, and we'll refer to this evidence as Tag3.

SnapBack has several modules that accomplish different tasks. Here, we'll use snapback.exe, which uses a SCSI tape drive to store the forensic image.

Once we have the source drive connected to our forensic workstation, we boot from our control DOS floppy disk, which has the required SCSI drivers to recognize our tape drive and the SnapBack program files.

To determine which drives were detected, we can once again run fdisk with the status option:

A:\>fdisk /STATUS

This shows our storage drive as disk 1, and the suspect's 1.3GB laptop drive we found in the desk drawer as disk 2.

Now we need to write-block the hard disks. In this case, since the image is going to tape rather than to a hard disk, we can use the default setting of PDBLOCK, which blocks write attempts to all local hard drives:


PDBlock Version 2.00: (P)hysical (D)isk Write (BLOCK)er
Copyright 1999, 2000 DIGITAL INTELLIGENCE, INC -

Usage: "PDBLOCK {drives} {/nomsg} {/nobell} {/fail}" to (re)configure

Where: drives:  NONE, ALL, or list of hard drives to protect (0-3)
                i.e. "PDBLOCK 0", "PDBLOCK 013", "PDBLOCK 123", etc
                (Default is ALL if not specified)
       /nomsg:  Do not display message when write is blocked
       /nobell: Do not ring bell when write is blocked
       /fail:   Return write failure code to calling program
                (Default is to fake successful write to calling program)

"PDBLOCK" with no options (once loaded) will display help and current config


Now we start SnapBack.


From the main window, we see that SnapBack recognized our Exabyte SCSI tape drive. We want to select Backup to begin the forensic imaging process.


On the Backup menu, select option 1, Backup Selected Drives/Partitions.

The Backup Edit List displays the hard drives the system recognized. The second drive, the 1382MB hard drive, is the suspect's laptop drive. Press ENTER to toggle backup to Yes, and press F2 to start the backup.


SnapBack assumes that there may be data on the tape and warns you that this backup operation will destroy all of the data currently on the tape. Select Yes and press ENTER to continue.

Now SnapBack will begin actually storing the forensic image on the tape, and the status window will show the total backup size, amount completed, and transfer speeds.


SnapBack displays a dialog box when the operation has completed successfully. Now you have an opportunity to view the logfile. Select Yes to view it.

Once you have finished reviewing the logfile, you will be prompted to erase it. You should, of course, always keep the logfile, so select No and press ENTER. The file SNAPBACK.LOG will be saved wherever you started snapback.exe from (in this case, it will be on the boot floppy disk).

Select Quit from the main window to exit the SnapBack program. The SnapBack logfile looks like this:

A:\>type snapback.log

03/16/2002  18:56
03/16/2002 18:56 EXABYTE EXB-89008E00012FV41b
03/16/2002  18:56
03/16/2002  18:56   Method ......... ASPI
03/16/2002  18:56   Drive .......... 0
03/16/2002  18:56   Block Size ..... 32,768
03/16/2002  18:56   HW Compression . Enabled

03/16/2002  18:56
03/16/2002 18:57  Backing Up Fdisk Drive    Int13x   1382 MB
03/16/2002 19:05  Successful Backing Up Fdisk Drive   Int13x   1382 MB
03/16/2002 19:05  Average Transfer speed : 2973 KB/S
03/16/2002 19:08 The backup operation has
03/16/2002 19:08  successfully completed.
03/16/2002  19:08
03/16/2002 19:08 Total drives/partitions : 1 Total Megabytes : 1382
03/16/2002  19:08
03/16/2002 19:08 SnapBack completed successfully with 0 error(s).



Notice that SnapBack gave us no opportunity to add case-specific comments to the log. Be sure to label the tape with the pertinent information and save the logfile. You now have a SnapBack forensic image of Tag3 on tape for future processing. Remember that AccessData's Forensic ToolKit (Chapter 23) will load SnapBack image files.
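Because the log carries no case comments, the examiner records its key facts in the case notes. The following Python script is an added example, not part of the book or of SnapBack: it parses a SNAPBACK.LOG in the format shown above, cross-checks that every drive SnapBack started backing up was reported successful and matches the totals line, and returns the values worth recording. The embedded sample is a constructed copy of the essential lines from the log above.

```python
import re
from datetime import datetime

# Constructed sample: the essential lines of the SNAPBACK.LOG shown above.
SAMPLE_LOG = """\
03/16/2002  18:56   Method ......... ASPI
03/16/2002  18:56   Block Size ..... 32,768
03/16/2002  18:56   HW Compression . Enabled
03/16/2002 18:57  Backing Up Fdisk Drive    Int13x   1382 MB
03/16/2002 19:05  Successful Backing Up Fdisk Drive   Int13x   1382 MB
03/16/2002 19:05  Average Transfer speed : 2973 KB/S
03/16/2002 19:08 Total drives/partitions : 1 Total Megabytes : 1382
03/16/2002 19:08 SnapBack completed successfully with 0 error(s).
"""

# Every SnapBack log line starts with "MM/DD/YYYY HH:MM" and then a message.
LINE = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d)\s*(.*)$")

def parse_snapback_log(text):
    """Summarise a SNAPBACK.LOG; raise ValueError if it is not a clean, consistent backup."""
    info = {"started": [], "finished": [], "errors": None}
    stamps = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        stamps.append(datetime.strptime(f"{m[1]} {m[2]}", "%m/%d/%Y %H:%M"))
        msg = m[3].strip()
        if msg.startswith("Method"):
            info["method"] = msg.split()[-1]
        elif msg.startswith("Block Size"):
            info["block_size"] = int(msg.split()[-1].replace(",", ""))
        elif msg.startswith("HW Compression"):
            info["hw_compression"] = msg.split()[-1] == "Enabled"
        elif (d := re.match(r"(Successful )?Backing Up (.+?)\s+(\d+) MB$", msg)):
            key = "finished" if d[1] else "started"
            info[key].append((" ".join(d[2].split()), int(d[3])))  # normalise spacing
        elif (d := re.search(r"Average Transfer speed : (\d+) KB/S", msg)):
            info["kb_per_s"] = int(d[1])
        elif (d := re.search(r"Total drives/partitions : (\d+) Total Megabytes : (\d+)", msg)):
            info["total_drives"], info["total_mb"] = int(d[1]), int(d[2])
        elif (d := re.search(r"completed successfully with (\d+) error\(s\)", msg)):
            info["errors"] = int(d[1])
    # Consistency checks an examiner wants before relying on the tape.
    if info["errors"] != 0:
        raise ValueError("log does not report a clean completion with 0 errors")
    if info["started"] != info["finished"]:
        raise ValueError("a drive was started but never reported successful")
    if (len(info["finished"]), sum(mb for _, mb in info["finished"])) != (info.get("total_drives"), info.get("total_mb")):
        raise ValueError("per-drive entries do not match the totals line")
    info["minutes"] = int((max(stamps) - min(stamps)).total_seconds() // 60)
    return info
```

On the boot floppy's log, call parse_snapback_log(open("SNAPBACK.LOG").read()) and copy the returned fields, together with the tape label and evidence tag, into the case notes.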
