Hello,
I was looking for different methods you have used for a case with zipped-up files on a zip disk.
How did you view the zipped files on the zip disk without altering times?
Take care.
What type of zip disks do you have? I bought a zip 750 USB drive to acquire zip 100 disks. The zip 750 is not capable of writing to the zip 100 disks. There are other possibilities now as well. Digital Intelligence sells a write blocker that will block any USB attached to it.
Ya I like that about the zips, even pops up a nice message.
Personally, that's exactly the kind of investigation I do using the XP SP2 write block registry key.
Although it's never been designed for forensics use, I tested it on various USB devices (up to USB HDDs) and the hash value never changed.
I use other means of protection for hard disks, but find this method very useful for smart cards, USB keys and other USB mass storage equipment.
I must say, however, that computer forensics in France is far from being as developed as it is in the US or UK. If I had the choice (and the money), I would probably get a hardware write blocker…
Walkabout,
I think you are doing fine. The main thing is that you tested and found that the registry key did indeed prevent writes.
Anyone want a free, simple-to-use XP SP2 write block software?
Here you go- http//
Courtesy of yours truly 😉
Saves messing about with the registry key by hand. I've also tested the reg key method with ZIPs, USB Thumb Drives, Compact Flash cards and it works (no write whatsoever, and MD5s intact).
Andy
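The before-and-after hash test described in this thread can be scripted. The sketch below is an added example, not code from any poster or from the tool linked above. It assumes the registry key in question is the `WriteProtect` value under `StorageDevicePolicies`, and it uses a constructed temp file as a stand-in for the device; the function names are hypothetical.

```python
import hashlib, os, tempfile

# Assumed location of the XP SP2 USB write-protect policy (not named in the thread).
POLICY_KEY = r"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"

def write_protect_enabled():
    """True/False from the WriteProtect DWORD; None if not Windows or key absent."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "WriteProtect")
            return value == 1
    except (ImportError, OSError):
        return None

def digest(path, chunk=1 << 20):
    """MD5 and SHA-1 of a raw device or image, read in fixed-size chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def validate(path, exercise):
    """Hash, run exercise(path) (browse, open files, attempt a write), hash again."""
    before = digest(path)
    try:
        exercise(path)
    except OSError:
        pass  # a refused write is the expected outcome behind a blocker
    after = digest(path)
    return {"before": before, "after": after, "unchanged": before == after}

def read_sector(path):
    with open(path, "rb") as f:
        f.read(512)

def write_byte(path):
    with open(path, "r+b") as f:
        f.write(b"X")

def demo():
    """Constructed stand-in for a device: a 64 KiB temp file, no blocker in place."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"\x00" * 65536)
    os.close(fd)
    try:
        return (validate(path, read_sector)["unchanged"],
                validate(path, write_byte)["unchanged"])
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("WriteProtect policy:", write_protect_enabled())
    print("read-only unchanged, write unchanged:", demo())
```

On real media, pass the raw device path to `validate` and record both digests in the case notes; with the block working, the write attempt should fail and `unchanged` should stay true.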