Wednesday, 6 August 2008

Windows FE saves the day with a Dell Inspiron 530

Dell boxes (both laptop and desktop) seem to be more difficult to image every week. We had a Dell Inspiron 530 midi tower with a Seagate 320GB sata hard disk submitted to us. Our normal method of imaging this drive with a Tableau T35i write blocker and FTK Imager failed as the drive seemed to turn off after about ten minutes. An attempt with a Tableau T3u and FTK Imager also failed. Both Tableau write blockers had the latest firmware.

Next we tried to image the drive in situ by utilising a Helix 1.9a boot disc. Despite trying a variety of cheat codes we could not get the Helix disc to work.

So I decided to try out Windows FE in anger. Step one involved trying to identify the necessary drivers to build into the WinFE iso. I plumped for the relevant Intel Matrix Storage Manager sata driver for Vista which downloads as a self extracting zip file (R154092.exe) and loaded the two inf files into my WinFE iso. I also decided to add a chipset driver and downloaded the relevant Intel Chipset software Installation Utility. This also downloads a self extracting zip (R154069.exe) however when you run it as well as extracting a large number of drivers it also (on the Vista side my Macbook Pro at least) tried to begin an installation which I canceled. The chipset utility contains drivers for a large number of chipsets. The Inspiron 530 has an Intel G33 chipset so I loaded g33q35.inf into my WinFE iso.

With the drivers loaded I added my imaging tool. In my earlier Windows FE posting I alluded to FTK Imager not working. The author of the WinFE paper Troy Larson kindly advised me that one of his colleagues - Andrew Choy had been able to get FTK Imager to work. In addition to the dlls identified by Access Data as being required in the same folder as the FTK Imager.exe, a dll oledlg.dll from C:\Windows\system32\ needs to be added.

We added another sata drive onto a spare sata port within the Inspiron 530 and booted to the Windows FE boot disc. Some Dell boxes including this one provide a boot menu by holding down F12. After following the guide to using Diskpart in my earlier posting and assigning a drive letter to the additional sata collection drive we utilised FTK Imager to image the drive in record time. We imaged to Encase evidence files with maximum compression and the whole process completed including verification in less than four hours. Windows FE worked like a dream.