ZeroView(tm) Sector 0 Viewer

The ZeroView program contained on this disk is set to auto-run upon insertion into the CD drive of a suspect system.  It will load into memory "read-only" and execute a low level disk sector read of the 0 Sector of the suspect system disk and display the contents on the system monitor.  

By checking the contents beginning at offset 3, you can determine if the suspect system is employing a full disk encryption program.  A signature relating to the program such as SAFEBOOT or PGPGUARD will be shown beginning at offset 3.  If there is no recognizable signature beginning at offset 3, it is likely that full disk encryption software is not being utilized on the suspect system and you can continue with your normal seizure process.

If it appears that a full disk encryption program is being utilized on the suspect system, or if you are in doubt, please contact a computer forensic expert to discuss how to proceed prior to completing the seizure of the system.  It may be possible to image the un-encrypted contents of the disk by utilizing a network enabled computer forensic tool such at ProDiscover Investigator or ProDiscover Incident Response.

If ZeroView does not automatically launch when the CD is inserted into the suspect system, you may launch it by opening Explore and navigating to the CD drive, then double-clicking on zeroview.exe file.  Alternatively, if you know the drive id letter of the CD drive, you can click on the "Start" icon in the lower left corner of the screen, select the run menu, then type "<drive id letter> :/zeroview.exe" to start ZeroView.

ZeroView is freeware provided by Technology Pathways and may be copied and distributed free of charge.  ZeroView may not be altered or modified.  If you have any questions about ZeroView, please contact us at www.techpathways.com or call us at 619-435-0906.
