I am writing a forensic disk processing utility in which I cannot write to the disk at any cost. What is the best way to ensure that I am not writing to a hard drive when I am accesing all of its files? I have made sure that all of my streams are FileAccess.Read, but I was hoping for some some better methods.
acezrwild817 0 Light Poster
Lord Soth 4 Posting Whiz in Training
Hi,
For forensic disk access you can't trust to the file system or the OS file/disk APIs (WIN32). MFT for NTFS and the FAT for FAT32 file systems may be corrupt or tempered. Sectors might be marked as bad even though they aren't, unpartitioned space may be storing hidden/deleted info and still even the simple file querying or access would change the time stamps of the files.
You should access directly to device using FILE_IO_.. commands and IRP requests, this way you won't write anything accidently too.
Loren Soth
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.