MOD_COM



Author: Dan Mares, dmares @ maresware . com (you will be asked for e-mail address confirmation)
Portions Copyright © 1998-2021 by Dan Mares and Mares and Company, LLC
Phone: 678-427-3275


PURPOSE

When booting a computer from a floppy disk with DOS 6.22 or later there is a chance of altering the hard drive if compression programs like DRVSPACE, DBLSPACE or STACKER are present on the hard disk. WIN9X also may try to access certain files on the C: drive.

In forensic processing the alteration of data on seized disks is unwanted.

In order to keep DRVSPACE, DBLSPACE or STACKER from altering the hard disk the user must change the boot files (IO.SYS, IBMBIO.COM, etc.) so that the operating system doesn’t call the compression software or alter the DRVSPACE.BIN or DBLSPACE.BIN files.

To do this manually the user must use a hex editor program and remove from the operating system files all references to DRVSPACE or DBLSPACE.BIN. This is time-consuming and error-prone.

The user should also consider altering all the calls to any program or file on the C: drive to the A: drive. This will eliminate any chance that modification of files on the C: drive will take place, and if the boot disk is properly set up, the call to the A: drive will fail and not initiate any programs which may also change the C: drive.

MOD_COM takes this tedious task and automatically alters all appropriate .COM, .SYS, and COMMAND.COM files it finds on the floppy disk A: to eliminate all references to the .BIN files and changes all C: references to A:.

The suspect computer can then be booted with a secure boot disk without altering data on the hard drive.



OPERATION

The program searches the A: drive for all occurrences of the following files: IO.SYS, MSDOS.SYS, IBMBIO.COM, IBMDOS.COM, COMMAND.COM.

When it finds any of the files it does an internal string search for DRVSPACE and DBLSPACE.

When it finds either string, it changes the extension of the file from BIN to BNN thus removing the reference to DRVSPACE.BIN, etc.

It also searches those same files for the C:\ string. When it finds one, it changes it to A:\ to reflect a different drive.

If the operating system can’t find the .BNN file it doesn’t attempt to mount the drive or alter the hard drive.

If the user knows in advance which file needs to be altered, that single file name can be placed on the command line as an argument.

MOD_COM will look to both the A: and B: drive for a disk in the drive and modify all system files it finds. If you do not wish for it to modify ALL files, then use the option which allows specific file selection.

During this removal process the program shows the name of the file it is working on, and prints to the screen each location in the file that is being altered. Redirecting this output keeps a record of what was altered, so the original contents can easily be put back later by the user with a binary file editor.

After the files have been modified, depending on how the program was run, mod_com will also check the A: drive for the actual drvspace.bin and dblspace.bin files. If it finds them, it prompts the user for removal. The removal of these files is suggested for two reasons. First, it frees up a substantial amount of space which can be used for other purposes, and second, it eliminates completely the chance that a compressed drive will be inadvertently mounted during bootup.

Lastly, it shows the user the traditional Starting Windows 9X text string and asks if you want it modified to something more identifiable as a forensic boot disk. If the user answers in the affirmative, it changes the text to what the user specifies.
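
The search-and-replace steps described in this section, as an added Python example (not MOD_COM's own code): it patches a byte image the same way and logs each altered offset so the change can be reversed. The exact match patterns, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# Assumption: references appear as ASCII "DRVSPACE.BIN" / "DBLSPACE.BIN" and
# "C:\", matched case-insensitively. MOD_COM's real matching rules are not
# documented on this page.
BIN_REF = re.compile(rb"(DRVSPACE|DBLSPACE)\.BIN", re.IGNORECASE)
C_REF = re.compile(rb"C:\\", re.IGNORECASE)


def patch_image(data: bytes):
    """Return (patched_bytes, log); log entries are (offset, old, new)."""
    buf = bytearray(data)
    log = []
    for m in BIN_REF.finditer(data):
        # Only the middle letter of the extension changes: BIN -> BNN.
        off = m.end() - 2
        log.append((off, bytes(buf[off:off + 1]), b"N"))
        buf[off] = ord("N")
    for m in C_REF.finditer(data):
        # Drive letter only: C:\ -> A:\ so the call lands on the floppy.
        off = m.start()
        log.append((off, bytes(buf[off:off + 1]), b"A"))
        buf[off] = ord("A")
    log.sort()
    return bytes(buf), log


def restore(patched: bytes, log):
    """Undo a patch from its log, as one would by hand in a hex editor."""
    buf = bytearray(patched)
    for off, old, _new in log:
        buf[off:off + 1] = old
    return bytes(buf)


# Constructed sample standing in for a fragment of IO.SYS (not real boot code).
SAMPLE = (b"\xeb\x3c\x90" + b"\x00" * 5 + b"C:\\DRVSPACE.BIN\x00"
          + b"\x90" * 4 + b"DBLSPACE.BIN\x00" + b"C:\\COMMAND.COM\x00")

if __name__ == "__main__":
    patched, log = patch_image(SAMPLE)
    for off, old, new in log:
        print(f"offset 0x{off:04X}: {old!r} -> {new!r}")
    assert len(patched) == len(SAMPLE)      # in-place edit, no size change
    assert restore(patched, log) == SAMPLE  # the log is enough to undo
```

Every change is a single-byte, same-length substitution, which is why the per-offset log is sufficient to return the file to its original state.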



OPTIONS

COMMAND LINE:

mod_com

mod_com -?

mod_com    system_file_name(s)   system_file_2 etc.

-?  Obtain a help screen.

system_file_name  Although not technically an option, if the program detects the name of one or more system files in this location, it will process only those files. More than one system file can be given; just separate the names with spaces. If the program is run with this command line, the drvspace and dblspace files are not searched for or removed. That must be done manually.



COMMAND LINES

Sample command lines:

C:> mod_com     (this is the best default)
C:> mod_com     io.sys
C:> mod_com     ibmbio.com   command.com
C:> mod_com     command.com
C:> mod_com     ibmdos.com


RELATED PROGRAMS

Norton: Diskeditor to modify system files
