DRIVESPY is a forensic DOS shell. It is designed to emulate and extend the capabilities of DOS to meet forensic needs.
THIS PROGRAM IS A DOS APPLICATION THAT WILL NOT FUNCTION IN WINDOWS
Whenever appropriate, DRIVESPY uses familiar DOS commands (CD, DIR, etc.) to navigate the system under investigation. Where beneficial, it extends the capabilities of those DOS commands or adds new commands as necessary. DRIVESPY provides a familiar DOS-like prompt during system navigation. The prompt does not use drive letters, but a Drive/Partition combination (e.g. "D0P1:\WINDOWS\SYSTEM", meaning drive 0, partition 1) so that there is no confusion when the resident operating system has not assigned a drive letter to the drive being processed (e.g. examining a FAT32 partition under DOS 6.22, which cannot mount FAT32 at all).
SC Magazine's review of forensic software identified DRIVESPY as the ONLY product reviewed that found ALL the hidden information in its test suite. The products it was compared against included forensic software costing almost 10 times as much as DRIVESPY!
Large Hard Drives (Greater than 8.4 GB, the ceiling of conventional CHS addressing through the standard Int13 BIOS interface)
Floppy Disks and Removable media
Hard Drives without Partitions (removable media)
Hidden DOS Partitions (full functionality)
Non-DOS partitions (physical sector-level access only)
Long File Names (Fully Decoded and Listed)
File Creation and Access Dates (maintained only by Win95/98) as well as Modification Dates (maintained by DOS itself)
Erased files (With their companion Long File Name if one exists)
A built in Sector (and Cluster) Hex Viewer which can be used to examine DOS and Non-DOS partitions.
Configurable logging capabilities to document the investigation (keystroke-by-keystroke if desired).
The ability to create and restore compressed forensic images of drive partitions
Full Scripting Capabilities to Automate Processing Activities
DRIVESPY accesses physical drives using pure Int13 or Int13x (extended Int13) BIOS calls. It never goes through the operating system's file services, so it does not touch file access dates or involve operating system calls in any way. Because DRIVESPY interprets the file system structures itself, full functionality (e.g. FAT32 processing) is available even when booted under older versions of DOS such as 3.3, which do not understand FAT32.
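The directory-entry decoding behind the long file name, date and erased-file features listed above, as an added example in Python (not DriveSpy's code, which is a DOS application). The directory bytes, file names, dates and cluster numbers are constructed for the illustration; on a real volume the 32-byte entries would be read by sector from the directory's clusters. It handles the two points an investigator cares about: creation and access stamps live in fields only Win95/98 fills in (DOS leaves them zero), and a deleted entry keeps its long file name because deletion only overwrites the first byte of each entry with 0xE5.

```python
"""Decode FAT directory entries: 8.3 names, long file names (LFN), Win9x
creation/access dates, DOS modification dates and erased (0xE5) entries with
their companion LFN pieces. Added example, not DriveSpy code; the directory
bytes are constructed below so it runs offline."""
import struct
from datetime import date, datetime, time

ENTRY, ATTR_VOLUME, ATTR_LFN, ERASED = 32, 0x08, 0x0F, 0xE5

def dos_date(raw):
    """Bits 15-9 year-1980, 8-5 month, 4-0 day; 0 means never set."""
    return None if raw == 0 else date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def dos_stamp(raw_date, raw_time, tenths=0):
    """Time has 2 s resolution; creation stamps add a 0-199 count of 10 ms."""
    d = dos_date(raw_date)
    return d and datetime.combine(d, time(raw_time >> 11, (raw_time >> 5) & 0x3F,
        (raw_time & 0x1F) * 2 + tenths // 100, (tenths % 100) * 10000))

def lfn_checksum(short11):
    """Checksum of the 11-byte 8.3 name carried by every LFN piece."""
    s = 0
    for b in short11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s

def parse_directory(data):
    """One dict per file entry; the LFN pieces preceding it are folded in."""
    entries, pending, pending_sum = [], [], None
    for off in range(0, len(data) - ENTRY + 1, ENTRY):
        e = data[off:off + ENTRY]
        if e[0] == 0x00:                       # end of directory
            break
        attr = e[11]
        if attr == ATTR_LFN:                   # 13 UTF-16 chars per piece
            pending.append(e[1:11] + e[14:26] + e[28:32])
            pending_sum = e[13]
            continue
        if attr & ATTR_VOLUME:                 # volume label, not a file
            continue
        erased = e[0] == ERASED
        short = ((b'?' + e[1:8]) if erased else e[0:8]).decode('latin-1').rstrip()
        if e[8:11].strip():
            short += '.' + e[8:11].decode('latin-1').rstrip()
        long_name = None
        # Deletion overwrote byte 0, so the checksum cannot be verified for an
        # erased entry; its LFN pieces were marked 0xE5 in place and still precede it.
        if pending and (erased or pending_sum == lfn_checksum(e[0:11])):
            raw = b''.join(reversed(pending))  # stored highest piece first
            long_name = raw.decode('utf-16-le').split('\x00')[0].rstrip('\uffff')
        ctime, cdate, adate = struct.unpack_from('<HHH', e, 14)
        hi, wtime, wdate, lo, size = struct.unpack_from('<HHHHI', e, 20)
        entries.append({'short': short, 'long': long_name, 'erased': erased,
                        'size': size, 'first_cluster': (hi << 16) | lo,
                        'created': dos_stamp(cdate, ctime, e[13]),   # Win95/98 only
                        'modified': dos_stamp(wdate, wtime),         # kept by DOS itself
                        'accessed': dos_date(adate)})                # Win95/98, date only
        pending, pending_sum = [], None
    return entries

# --- constructed sample directory (illustration, not real evidence) ---------
def pack_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day

def pack_time(t):
    return (t.hour << 11) | (t.minute << 5) | t.second // 2

def make_short(name, ext, created, modified, accessed, cluster, size, erased=False):
    raw = bytearray(ENTRY)
    raw[0:8], raw[8:11], raw[11] = name.encode().ljust(8), ext.encode().ljust(3), 0x20
    raw[13] = (created.second % 2) * 100 + created.microsecond // 10000
    struct.pack_into('<HHH', raw, 14, pack_time(created), pack_date(created), pack_date(accessed))
    struct.pack_into('<HHHHI', raw, 20, cluster >> 16, pack_time(modified),
                     pack_date(modified), cluster & 0xFFFF, size)
    if erased:
        raw[0] = ERASED
    return bytes(raw)

def make_lfn(long_name, short11, erased=False):
    chars = long_name.encode('utf-16-le') + b'\x00\x00'
    chars = chars.ljust(-(-len(chars) // 26) * 26, b'\xff')
    pieces = [chars[i:i + 26] for i in range(0, len(chars), 26)]
    out = b''
    for seq in range(len(pieces), 0, -1):          # on-disk order
        p = pieces[seq - 1]
        head = ERASED if erased else seq | (0x40 if seq == len(pieces) else 0)
        out += (bytes([head]) + p[:10] + bytes([ATTR_LFN, 0, lfn_checksum(short11)])
                + p[10:22] + b'\x00\x00' + p[22:])
    return out

def sample_directory():
    c = datetime(1999, 3, 14, 9, 26, 53, 580000)
    m, a = datetime(2000, 5, 21, 17, 8, 30), date(2000, 5, 22)
    live = make_lfn('Quarterly Report.doc', b'REPORT~1DOC') + make_short(
        'REPORT~1', 'DOC', c, m, a, 0x10042, 48213)
    gone = make_lfn('notes to self.txt', b'NOTES~1 TXT', erased=True) + make_short(
        'NOTES~1', 'TXT', c, m, a, 77, 1337, erased=True)
    return live + gone + bytes(ENTRY)
```

`parse_directory(sample_directory())` returns the live entry with its long name and full creation stamp, then the erased entry listed as `?OTES~1.TXT` with `notes to self.txt` still attached. Note that the first byte of an erased 8.3 name is unrecoverable from the entry alone; the `?` is a placeholder, and the long name is the better identifier when one exists.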
What DriveSpy Does
Record all activities to a log file (keystroke-by-keystroke if desired)
Enable and Disable logging of activities on demand
Display extensive architectural information for entire Hard Drives and individual Partitions
Examine DOS and Non-DOS partitions using a built in Sector (and Cluster) Hex Viewer
Create direct disk-to-disk forensic duplicates
Copy a range of sectors within, or between, drives
Process duplicate drives regardless of physical drive geometry or sector translation differences
Select files based on their name and extension
Select files based on their attributes
Recurse subdirectories during the selection of files
Select files of a specific type or group based on internal header information
Maintain custom file type header information and group information in a user extensible initialization file
Process or list files based on a specified sort order
List directory entry information for selected files including Long File Names and Creation (Win95/98), Modification (DOS), and Access(Win95/98) dates
Create a Database export file containing directory entry information for a selected partition (including information specific to FAT32, Win9X creation and access dates, and erased file information)
Copy selected files to a designated work area (without tripping file access/modification dates)
Unerase selected files to a designated work area (without tripping file access/modification dates).
Search a drive, partition, or specified file(s) for one or more text strings or data sequences (without tripping file access/modification dates). Accuracy values can be individually specified for each string to find partial matches.
Collect all the Slack Space in an entire partition to a file (RAM Slack, Residual Slack, or Both). RAM Slack is the part of a file's last sector beyond the end of the file, filled from memory when the sector was written; Residual Slack is the remaining whole sectors of the file's last cluster, which still hold whatever was on the disk before.
Collect all the unallocated space in a partition to a file
Save and Restore one or more contiguous sectors to/from a file
Query the FAT of a partition to obtain individual cluster allocation information and follow cluster chains
Wipe an entire Drive, individual Partition, unallocated space, or slack space
Generate an MD5 hash of an entire Drive, individual Partition, or selected Files
Save and Restore compressed forensic images of a partition
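The cluster-chain, slack-space, unallocated-space and hashing items above, as an added example (not DriveSpy's code). The FAT16 volume, its geometry, the file sizes and the cluster contents are constructed in memory so that it runs offline; a real tool would read the FAT and data area by sector from the drive under examination.

```python
"""Follow a FAT16 cluster chain, carve the slack of its last cluster (RAM
slack and residual slack), gather unallocated clusters and hash the result.
Added example, not DriveSpy code: the volume below is constructed in memory
so it runs offline; a real tool reads the FAT and data area by sector."""
import hashlib

BYTES_PER_SECTOR, SECTORS_PER_CLUSTER = 512, 4
CLUSTER = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER
FAT16_EOF, FAT16_BAD = 0xFFF8, 0xFFF7      # entries >= EOF end a chain

def follow_chain(fat, start):
    """Cluster chain from `start`; refuses loops, bad and free clusters."""
    chain, cur = [], start
    while True:
        if cur < 2 or cur >= len(fat) or fat[cur] == FAT16_BAD:
            raise ValueError(f'invalid cluster {cur}')
        if cur in chain:
            raise ValueError(f'chain loops back to cluster {cur}')
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOF:
            return chain
        if nxt == 0:
            raise ValueError(f'cluster {cur} points to a free cluster')
        cur = nxt

def cluster_data(data_area, cluster):
    """The data area starts at cluster 2."""
    off = (cluster - 2) * CLUSTER
    return data_area[off:off + CLUSTER]

def slack_layout(size, chain):
    """Byte ranges inside the last cluster. RAM slack: from EOF to the end of
    the sector holding it. Residual slack: the remaining whole sectors of the
    cluster, still holding whatever was there before the file was written."""
    used = size - (len(chain) - 1) * CLUSTER
    if not 0 < used <= CLUSTER:
        raise ValueError('file size does not match chain length')
    sector_end = -(-used // BYTES_PER_SECTOR) * BYTES_PER_SECTOR
    return {'ram': (used, sector_end), 'residual': (sector_end, CLUSTER)}

def collect_slack(data_area, fat, first_cluster, size, kind='both'):
    """Slack bytes of one file: 'ram', 'residual' or 'both' (RAM first)."""
    chain = follow_chain(fat, first_cluster)
    last = cluster_data(data_area, chain[-1])
    lay = slack_layout(size, chain)
    parts = [lay['ram'], lay['residual']] if kind == 'both' else [lay[kind]]
    return b''.join(last[a:b] for a, b in parts)

def collect_unallocated(data_area, fat):
    """Every cluster the FAT marks free (0), in cluster order."""
    return b''.join(cluster_data(data_area, c) for c in range(2, len(fat)) if fat[c] == 0)

def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()

def sample_volume():
    """Constructed volume: 8 data clusters; a 4796-byte file chained
    3 -> 5 -> 6; cluster 4 was freed but still holds old text."""
    fat = [0xFFF8, 0xFFFF, 0xFFFF, 5, 0, 6, 0xFFFF, 0, 0, 0]
    data = bytearray(8 * CLUSTER)
    def put(cluster, blob, at=0):
        off = (cluster - 2) * CLUSTER + at
        data[off:off + len(blob)] = blob
    put(4, b'FREED: old spreadsheet row deleted last week')
    put(6, b'R' * CLUSTER)                 # stale content predating the file
    put(3, b'A' * CLUSTER)
    put(5, b'B' * CLUSTER)
    put(6, b'C' * 700)                     # file data in its last cluster
    put(6, b'M' * 324, at=700)             # bytes flushed from the OS buffer past EOF
    return fat, bytes(data), 3, 4796
```

With the constructed volume, `follow_chain` returns `[3, 5, 6]`, the 700 bytes used in cluster 6 put RAM slack at bytes 700-1023 of that cluster and residual slack at 1024-2047, and `collect_unallocated` returns clusters 4, 7, 8 and 9, starting with the freed text. Hash what you carve immediately and record it: MD5 still catches accidental modification of an image or an extracted region, but since it is no longer collision resistant, current practice is to record a SHA-256 alongside it when the hash must stand up to an adversary.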
Download DRIVESPY v1.70
Download DRIVESPY Help File (Required for v1.50+)
Download DRIVESPY Documentation for Additional Information (PDF)
Here is the current collection of file header and file group definitions for inclusion in your DRIVESPY.INI file. (Be sure not to change the "License" section of DRIVESPY.INI when merging this information into the file.)
File Type and File Group Information for DRIVESPY.INI (Updated 05/21/00)
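Header-based file selection driven by an editable definition file, as an added example of the file type and file group mechanism described above (not DriveSpy's code). The `[FileTypes]`/`[FileGroups]` layout and the entries in it are an assumption made for this illustration, not the format of DRIVESPY.INI, and the sample files are constructed in a temporary directory. The point it shows is that selection goes by the bytes inside the file, so a PNG renamed to `.txt` is still picked up by the Graphics group.

```python
"""Select files by internal header (magic bytes) and by group, driven by an
INI-style definition file. Added example, not DriveSpy code: the
[FileTypes]/[FileGroups] layout is assumed for this illustration and is NOT
the format of DRIVESPY.INI; the sample files are constructed in a temp dir."""
import configparser
import os
import tempfile

# Assumed layout: "Type = offset, hexbytes" and "Group = Type, Type, ...".
SAMPLE_INI = """
[FileTypes]
JPEG = 0, FFD8FF
GIF  = 0, 47494638
PNG  = 0, 89504E470D0A1A0A
ZIP  = 0, 504B0304
EXE  = 0, 4D5A
PDF  = 0, 25504446

[FileGroups]
Graphics    = JPEG, GIF, PNG
Archives    = ZIP
Executables = EXE
"""

def load_definitions(text):
    """Return ({type: (offset, signature)}, {group: [type, ...]})."""
    cp = configparser.ConfigParser()
    cp.optionxform = str                       # keep type names as written
    cp.read_string(text)
    types = {}
    for name, spec in cp['FileTypes'].items():
        off, hexbytes = (s.strip() for s in spec.split(','))
        types[name] = (int(off), bytes.fromhex(hexbytes))
    groups = {g: [t.strip() for t in m.split(',')] for g, m in cp['FileGroups'].items()}
    return types, groups

def identify(header, types):
    """Type whose signature is present at its offset; the longest match wins
    so a short signature such as MZ cannot shadow a more specific one."""
    best = None
    for name, (off, sig) in types.items():
        if header[off:off + len(sig)] == sig and (best is None or len(sig) > len(types[best][1])):
            best = name
    return best

def select_by_group(paths, group, types, groups, probe=64):
    """Paths whose header identifies a member of `group`, whatever the extension says."""
    wanted = set(groups[group])
    hits = []
    for p in paths:
        with open(p, 'rb') as f:
            head = f.read(probe)
        if identify(head, types) in wanted:
            hits.append(p)
    return hits

def build_samples(root):
    """Constructed files; 'vacation.txt' is a PNG whose extension was changed."""
    files = {'photo.jpg': b'\xff\xd8\xff\xe0\x00\x10JFIF\x00',
             'vacation.txt': b'\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR',
             'setup.exe': b'MZ\x90\x00\x03\x00\x00\x00',
             'notes.txt': b'meeting at 10, bring the report\n'}
    paths = []
    for name, body in files.items():
        paths.append(os.path.join(root, name))
        with open(paths[-1], 'wb') as f:
            f.write(body + b'\x00' * 48)
    return paths

def demo(group='Graphics'):
    """Sorted base names of the constructed files selected for `group`."""
    types, groups = load_definitions(SAMPLE_INI)
    with tempfile.TemporaryDirectory() as root:
        hits = select_by_group(build_samples(root), group, types, groups)
        return sorted(os.path.basename(p) for p in hits)
```

`demo('Graphics')` selects `photo.jpg` and the renamed `vacation.txt`; `demo('Executables')` selects only `setup.exe`. Reading just the first 64 bytes of each file keeps the pass cheap on a large volume, and the read is the only file access the selection needs; on a live operating system that read would update the access date, which is exactly why DRIVESPY does this through Int13 rather than through DOS.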