
Dale Liu, in Cisco Router and Switch Forensics, 2009

Imaging Information On-Scene

Imaging an entire hard drive on-scene is fairly common among the more technically savvy digital crime scene responders, and even more so for private sector investigators, who often face cases where the hard drives need to be examined but the business in question is not comfortable with letting the original drive out of its possession. In both of these cases, the analysis of the imaged drive usually occurs back at the laboratory.

Although the acquisition of an image of a drive on-scene may be fairly common among the more technically skilled, usually for corporate crimes, we find there is little use of this technique by less-skilled personnel for low-level crimes. Rarely do you hear of a drive being both imaged and previewed on-scene, although such a process may actually address a number of concerns about the use of preview software to review the information on a drive while on-scene, specifically the concern about performing a preview of the evidence on the original drive. However, there are a number of good reasons to perform imaging on-scene for most computer crimes. First, as mentioned earlier, previews of the evidence can be performed on the imaged copy with less worry about the investigator inadvertently damaging information on the original hard drive. Second, in instances where outside concerns prevent seizure of the physical media, such as PPA concerns, third-party data, and multiple users of the computer, the imaging of the hard drive provides another option for the on-scene investigators.

Notes from the Underground… Imaging versus Copying and Hashes

It is important that the data on the suspect's hard drive be imaged to the destination drive/device rather than just copied. The process of imaging creates a bitstream copy, that is, an exact copy of the 1s and 0s of the information being copied. The regular copy function within the operating system will attempt to write the file according to its logical programming, meaning that the file being written to the drive could be spread across numerous clusters on the target drive. The point of imaging the data is that an exact replica of the data as it appears on the source drive is created on the destination drive, specifically the exact order of the bits (the 1s and 0s) on the drive; hence the term bitstream copy. Because imaging preserves the exact order of the bits from the original to the copy, hash functions are able to be run against the entire chunk of the source drive, which is then imaged and compared to the exact replica created on the destination drive. Image hashing allows the responder to mathematically prove that the data that exists on the source drive is exactly the same on the destination drive. Some claim that a few of the hash algorithms (such as the Message Digest 5 hash algorithm) have been cracked. This is technically true; however, the circumstances for collisions (two different files that generate the same MD5 hash) were specifically created to prove that collisions can occur. The chances of an MD5 hash collision occurring during the comparison of a source drive and an improperly imaged drive would be unbelievably small. I would feel very confident that a hash match between two files/images that are supposed to match would be proof that the two files/images are in fact an exact copy. I feel even more strongly about the validity of newer hash algorithms, including SHA-1, SHA-256, and SHA-512.

Sammons, in Introduction to Information Security, 2014

Cloning Process

Typically, one hard drive is cloned to another forensically clean hard drive. The drive being cloned is known as the source drive, and the drive being cloned to is called the destination drive. The destination drive must be at least as large as (if not slightly larger than) the source drive. While not always possible, knowing the size of the source in advance is quite helpful. Having the right size drive on hand will save a lot of time and aggravation.

As the first step in the cloning process, the drive we want to clone (the source) is normally removed from the computer. It is then connected via cable to a cloning device of some kind or to another computer. To safeguard the evidence, it is critical to have some type of write-blocking device in place before starting the process. A write block is a crucial piece of hardware or software that is used to preserve the original evidence during the cloning process. The write block prevents data from being written to the original evidence drive. The hardware write block is placed between the cloning device (PC, laptop, or standalone hardware) and the source.
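The workflow described in the imaging-versus-copying note and in the cloning process section above, as an added example in Python that is not code from either cited book: a bitstream copy of the source is written to the destination, the source is hashed (MD5, SHA-256 and SHA-512, the algorithms the text names) while it is being read so the digests describe exactly the bytes that were copied, the destination is then re-read and hashed independently, and the acquisition counts as verified only when every digest matches. It also performs the destination size check from the cloning section and shows a later re-verification failing after one byte of the image is altered. The "drive" is a constructed 2 MiB file with a small allocated file and some residue in free space; the file names, chunk size and the `destination_capacity` parameter are assumptions made for the example. Opening the source read-only is not a write blocker: it only means this script never writes to it, not that the operating system or other tools cannot.

```python
"""Added example: bitstream imaging with hash-while-copy verification.
Not code from the cited books; paths, chunk size and sample data are assumptions."""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # bytes read per iteration; chosen for the example

DEFAULT_ALGORITHMS = ("md5", "sha256", "sha512")


def hash_stream(path, algorithms=DEFAULT_ALGORITHMS):
    """Hash every byte of `path` in on-disk order (a regular file or a block device).
    'rb' means this function never writes; it is NOT a substitute for a write blocker."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as src:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def byte_length(path):
    """Total bytes readable from a file or (on POSIX) a block device."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def acquire_image(source, destination, destination_capacity=None,
                  algorithms=DEFAULT_ALGORITHMS):
    """Bitstream-copy `source` to `destination` and return an acquisition record.

    The source digests are computed from the very bytes being written, then the
    destination is re-read and hashed on its own. `destination_capacity` (bytes,
    optional, assumed parameter) models the target-drive size check: the
    destination must be at least as large as the source."""
    src_size = byte_length(source)
    if destination_capacity is not None and destination_capacity < src_size:
        raise ValueError(f"destination too small: {destination_capacity} < {src_size} bytes")
    hashers = {name: hashlib.new(name) for name in algorithms}
    copied = 0
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image reached stable storage before hashing it
    source_hashes = {name: h.hexdigest() for name, h in hashers.items()}
    destination_hashes = hash_stream(destination, algorithms)
    return {
        "bytes": copied,
        "source": source_hashes,
        "destination": destination_hashes,
        "verified": copied == src_size and source_hashes == destination_hashes,
    }


def verify_image(image_path, expected_hashes):
    """Re-verify an image later (e.g. back at the lab) against the recorded digests.
    Returns the algorithms whose digest no longer matches; an empty list means intact."""
    actual = hash_stream(image_path, tuple(expected_hashes))
    return [name for name, digest in expected_hashes.items() if actual[name] != digest]


def demo():
    """Constructed sample: a 2 MiB fake drive holding one 'file' plus leftover data
    in unallocated space, imaged, verified, then tampered with and re-verified."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "suspect_drive.bin")  # stands in for the source drive
        image = os.path.join(workdir, "suspect_drive.dd")      # the destination image
        drive = bytearray(2 * 1024 * 1024)
        allocated = b"notes.txt: meet at the pier"
        residue = b"deleted: account 42"
        drive[4096:4096 + len(allocated)] = allocated
        drive[1_500_000:1_500_000 + len(residue)] = residue
        with open(evidence, "wb") as f:
            f.write(drive)

        record = acquire_image(evidence, image, destination_capacity=len(drive))
        clean = verify_image(image, record["source"])  # [] while the image is intact

        # Alter a single byte inside the free-space residue: every digest now disagrees.
        offset = 1_500_010
        with open(image, "r+b") as f:
            f.seek(offset)
            original = f.read(1)
            f.seek(offset)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_image(image, record["source"])

        return {"verified": record["verified"], "clean": clean, "tampered": sorted(tampered)}


if __name__ == "__main__":
    print(demo())
```

`acquire_image` raises before copying if the declared destination capacity is smaller than the source, which is the situation the cloning section warns about; with a real target drive you would pass its size as `destination_capacity`. Hashing during the read rather than in a separate pass means the recorded source digest and the copied bytes come from the same single read of the evidence, and the separate re-read of the destination is what turns "the copy finished" into "the copy is bit-for-bit identical".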
