Reliability of an external enclosure hardware write blocker

Discussion of forensic workstations, write blockers, bridges, adapters, disk duplicators, storage etc. Strictly no advertising of commercial products, please.

Suai
Newbie
 

Re: Reliability of an external enclosure hardware write bloc

Post Posted: Feb 13, 20 11:18

Thanks again jaclaz, always quick on the responses.

I was referring to most known live forensic OS (eg. DEFT, CAINE), as I understand they don't mount any drive by default or at least mount them RO. Just curious as to whether it makes a difference if they are connected to the machine through SATA or external USB ports both when booting and at connection time.
 
  

jaclaz
Senior Member
 

Re: Reliability of an external enclosure hardware write bloc

Post Posted: Feb 13, 20 19:28

- Suai
Thanks again jaclaz, always quick on the responses.

I was referring to most known live forensic OS (eg. DEFT, CAINE), as I understand they don't mount any drive by default or at least mount them RO. Just curious as to whether it makes a difference if they are connected to the machine through SATA or external USB ports both when booting and at connection time.


I wouldn't be so sure about "most known" being "the same" (let alone being actually validated).

Connecting a drive to a computer before booting is not a good idea: you would be dealing with whatever firmware the computer has (BIOS or UEFI) way before the "most known live forensics distro" of choice comes into action, and the firmware (because you set it "incorrectly" or "by itself") may decide to attempt booting from the evidence disk instead.

Personally I wouldn't even trust any of the "most known" distros and use either a very minimal (and built/validated by myself) PE booting with disks offline or Passmark's OSFClone to ONLY make an image out of the evidence disk.

And even OSFclone has some possible quirks (in really edge and not at all common cases, still ...).

Once you have a clone or an image, the worst that can happen is that the tool you are using alters it, and you can always make a new clone or image; if this happens on the original evidence file you'll have a looong day finding out what happened and providing justifications for it or proving that the changes had no practical consequences (and it will probably also be a loong day in court).

I mean, should the tool accidentally (to remain in the cited OSFclone example) alter last mount time, last write time, mount count and a byte at location 0x0178 within the superblock of some ext2/3/4 volumes, the hash won't match anymore, but no real harm is done according to how I (and jhup) see the matter, see:
www.forensicfocus.com/...p=6573207/
but that doesn't mean that the counterpart in a trial won't use this hash mismatch to grill you on the stand and attempt to invalidate each and every one of your (BTW perfectly valid) findings.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

thefuf
Senior Member
 

Re: Reliability of an external enclosure hardware write bloc

Post Posted: Feb 13, 20 20:40

alter last mount time, last write time, mount count and a byte at location 0x0178 within the superblock of some ext2/3/4 volumes


Don't forget that the words quoted are true for a simplified case only. The vendor won't tell you that "any metadata block could be altered on a real-world system and if data journaling is enabled, data of any file can be replaced too, all of this just depends on data logged in the journal". So, the problem is that a journal is replayed, not just several bytes getting modified (this is only true for a simple case, as stated before).  

Last edited by thefuf on Feb 13, 20 20:53; edited 1 time in total
 
  
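As an added illustration, not code from the thread or from OSFClone, of the "simple case" jaclaz describes (last mount time, last write time, mount count and the 0x178 region of the superblock) and of thefuf's caveat that a pending journal replay changes far more than that: a Python check that parses those ext2/3/4 superblock fields, reports which of them differ between two captures of the same superblock, flags any change outside them, and tests the needs-recovery flag that means a read-write mount would replay the journal. Field names and offsets follow the ext4 on-disk layout (0x178 is s_kbytes_written); the superblocks it runs on are constructed in-memory samples, not real images.

```python
import hashlib
import struct
# Offsets within the 1024-byte ext2/3/4 superblock (itself at byte 1024 of the volume).
FIELDS = {
    "s_mtime":            (0x2C,  "<I"),  # last mount time
    "s_wtime":            (0x30,  "<I"),  # last write time
    "s_mnt_count":        (0x34,  "<H"),  # mounts since last fsck
    "s_magic":            (0x38,  "<H"),  # 0xEF53
    "s_state":            (0x3A,  "<H"),  # bit 0 = cleanly unmounted
    "s_feature_incompat": (0x60,  "<I"),
    "s_kbytes_written":   (0x178, "<Q"),  # lifetime KiB written: the 0x178 region cited above
}
MAGIC = 0xEF53
INCOMPAT_RECOVER = 0x0004  # journal holds un-replayed transactions

def parse_superblock(sb: bytes) -> dict:
    """Decode the tracked fields; refuse anything that is not an ext superblock."""
    f = {n: struct.unpack_from(fmt, sb, off)[0] for n, (off, fmt) in FIELDS.items()}
    if f["s_magic"] != MAGIC:
        raise ValueError("bad ext magic")
    return f

def needs_journal_replay(sb: bytes) -> bool:
    """True when a rw mount would replay the journal: then arbitrary metadata blocks may change."""
    return bool(parse_superblock(sb)["s_feature_incompat"] & INCOMPAT_RECOVER)

def audit_superblock_change(before: bytes, after: bytes) -> dict:
    """Explain a hash mismatch: which tracked fields moved, and whether anything else did."""
    a, b = parse_superblock(before), parse_superblock(after)
    changed = {k: (a[k], b[k]) for k in FIELDS if a[k] != b[k]}
    ma, mb = bytearray(before), bytearray(after)
    for off, fmt in FIELDS.values():  # blank the tracked fields, then compare the remainder
        n = struct.calcsize(fmt)
        ma[off:off + n] = bytes(n)
        mb[off:off + n] = bytes(n)
    return {"sha256_before": hashlib.sha256(before).hexdigest(),
            "sha256_after": hashlib.sha256(after).hexdigest(),
            "changed_fields": changed,
            "untracked_bytes_changed": ma != mb,
            "journal_replay_pending": needs_journal_replay(before)}

def make_sample(**vals) -> bytes:
    """Constructed superblock for the demo: zeros plus the given fields (not a real image)."""
    sb = bytearray(1024)
    for name, val in {"s_magic": MAGIC, "s_state": 1, "s_feature_incompat": 0x0002, **vals}.items():
        struct.pack_into(FIELDS[name][1], sb, FIELDS[name][0], val)
    return bytes(sb)

# Constructed samples: the same volume before and after an accidental read-write mount.
BEFORE = make_sample(s_mtime=1581000000, s_wtime=1581000000, s_mnt_count=12, s_kbytes_written=4096)
AFTER = make_sample(s_mtime=1581600000, s_wtime=1581600010, s_mnt_count=13, s_kbytes_written=4100)
```

Run `audit_superblock_change(BEFORE, AFTER)`: it names the four fields that moved and shows no other bytes changed, which is the justification one would want on the stand; a superblock with the recovery flag set makes `needs_journal_replay` return True, the case where that justification no longer holds.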

thefuf
Senior Member
 

Re: Reliability of an external enclosure hardware write bloc

Post Posted: Feb 13, 20 20:51

but that doesn't mean that the counterpart in a trial won't use this hash mismatch to grill you on the stand and attempt to invalidate each and every one of your (BTW perfectly valid) findings


I remember a similar discussion here, it happened five or six years ago. A person suggested a simple solution: the use of a hardware write blocker. And now it was demonstrated that even a hardware-based solution can write through a write-blocked port on its own (issue a write command without a corresponding command from a host).  
 
  

jaclaz
Senior Member
 

Re: Reliability of an external enclosure hardware write bloc

Post Posted: Feb 14, 20 10:17

- thefuf

Don't forget that the words quoted are true for a simplified case only.


Yep, and I am still wondering how/why in the meantime you and the Author of the OSFClone didn't manage to come out (together) with an agreed upon/tested/validated solution to that issue.

ONLY to give some background to Suai about the specific matter:
www.forensicfocus.com/...c/t=12056/

www.forensicfocus.com/...c/t=16195/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 