Connecting a USB device without a write-blocker

13 Posts
5 Users
0 Likes
820 Views
(@bumpkin)
Posts: 6
Active Member
Topic starter
 

Does connecting a USB device (that is evidence in a criminal case) to a computer without using a write-blocker invalidate the drive as evidence?

Assuming that the computer in question was a normal desktop computer and the computer "recognized the flash drive."

 
Posted : 12/05/2010 3:05 am
ehuber
(@ehuber)
Posts: 91
Trusted Member
 

Does connecting a USB device (that is evidence in a criminal case) to a computer without using a write-blocker invalidate the drive as evidence?

Assuming that the computer in question was a normal desktop computer and the computer "recognized the flash drive."

The short answer is that it doesn't invalidate the evidence that is found on the USB device.

The longer answer is if you have a digital forensic examiner not following industry best practices and applicable legal standards regarding the handling of evidence, it can cause problems from a legal standpoint. Sometimes you have to make exceptions to standard procedures and that's when you need to be really good at documentation so that you can explain why you had to deviate from the norm.

That is why it's important for digital forensic examiners to understand the law as it pertains to their profession. You can get some very good training in this area from institutions like SANS. Legal issues, for example, are a big portion of the SANS SEC508 class.

 
Posted : 12/05/2010 3:57 am
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

Probably wouldn't invalidate it, but can cause some other issues to come up; the most difficult would be the cross examination regarding the reason to plug in an unprotected drive.

Evidence has 'weight' in the courtroom, partially based on its veracity and pertinence to the case. If the chain of custody, as an example, is broken, the weight (value of the evidence) slides down the scale of veracity…

You could always plug in a USB device without a write blocker in a forensic OS, such as a Linux (Helix, etc…) or Windows FE. There are software write blockers, but I say expect something to happen (that you don't want to happen) when you use software write blockers.

 
Posted : 12/05/2010 4:09 am
(@bumpkin)
Posts: 6
Active Member
Topic starter
 

The short answer is that it doesn't invalidate the evidence that is found on USB device.

Do you know of any legal precedents that show that? Or any that have resulted in the drive being suppressed? Just off the top of your head or something, I don't expect you to know any in-depth case law haha

 
Posted : 12/05/2010 8:21 am
(@bumpkin)
Posts: 6
Active Member
Topic starter
 

Probably wouldn't invalidate it, but can cause some other issues to come up, most difficult would be the cross examination regarding the reason to plug in an unprotected drive.

Any examples of "some other issues to come up"?
Would there be any strength to an attorney arguing that it is the LE's job to preserve the evidence? Would plugging the drive in be analogous to a traditional forensic examiner touching the murder weapon without wearing gloves?
Are some (certain) files changed just by the drive being accessed?

 
Posted : 12/05/2010 8:25 am
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

The first thing that you'll deal with is during cross examination, where you would be asked, "what is the commonly accepted practice when attaching evidence drives to a computer?" and then the follow up question of why you didn't follow commonly accepted practices. It won't really matter if anything changed on the drive, but your credibility and the strategy of casting doubt will be the focus.

If an evidence drive was plugged in, and you have an image that was made prior, you will have saved half the problem of the argument of altered evidence (your image will be your original unaltered evidence) but you'll still get hammered on the stand. If no image was made and the original evidence plugged into a machine without write protection, then your report should state what happened. Quickly warn the prosecutor so she can prepare…

On evidence being suppressed, it happens. It's a key defense strategy (no evidence = no case). Any weakness in evidence will be attacked, it's just the way it is.

 
Posted : 12/05/2010 9:42 am
(@bumpkin)
Posts: 6
Active Member
Topic starter
 

If an evidence drive was plugged in, and you have an image that was made prior,

Unfortunately no image was made of the drive prior to it being connected.

What files could be altered by connecting it to the computer?

 
Posted : 16/05/2010 9:34 am
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

Create an image of that external drive, restore it to a same make/model external drive, connect it to a computer and see what changes you get, if any. With the image, if you know when you plugged in the original evidence, you should be able to see if any time stamps were altered on any files.

 
Posted : 16/05/2010 11:31 am
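The check bshavers describes (image the drive, restore the image, connect the restored copy, then compare file timestamps against the time the original was plugged in), written out as an added Python example that is not part of the thread. It records size, SHA-256 and the three POSIX timestamps for every file under a directory, diffs two such snapshots, and labels each changed timestamp as falling before or after a supplied connection time. The file names, directory layout and the simulated connection inside demo() are constructed for the example.

```python
"""Snapshot file metadata under a directory and diff two snapshots to find
files whose contents or timestamps changed after a known connection time.

Added example, not code from the thread. Assumes the examiner works on two
mounted restores (or one restore snapshotted before and after a test
connection), never on the original evidence device.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    size: int
    sha256: str
    atime: float
    mtime: float
    ctime: float


def snapshot(root: str) -> dict:
    """Record size, SHA-256 and atime/mtime/ctime for every file under root.

    stat() is taken before the file is read: on a writable mount the read
    needed for hashing can itself update atime, so the recorded value is
    the pre-read one. This is exactly why hashing belongs on an image."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root)
            result[rel] = FileMeta(st.st_size, digest, st.st_atime, st.st_mtime, st.st_ctime)
    return result


def diff_snapshots(before: dict, after: dict, connected_at: float) -> list:
    """Return (path, reason) tuples for every difference between two snapshots.

    A changed timestamp is tagged 'after connection time' when its new value
    is at or past connected_at (seconds since the epoch), which is the
    question an examiner has to answer on the stand."""
    findings = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            findings.append((path, "created after baseline"))
            continue
        if path not in after:
            findings.append((path, "missing after connection"))
            continue
        b, a = before[path], after[path]
        if b.sha256 != a.sha256:
            findings.append((path, "content changed"))
        for field in ("atime", "mtime", "ctime"):
            old, new = getattr(b, field), getattr(a, field)
            if old != new:
                when = "after" if new >= connected_at else "before"
                findings.append((path, f"{field} changed ({when} connection time)"))
    return findings


def demo() -> list:
    """Constructed scenario in a temporary directory: a baseline restore, then a
    simulated host connection that reads one file, rewrites another and creates
    a third. Returns the findings list (constructed data, not real evidence)."""
    with tempfile.TemporaryDirectory() as root:
        base = time.time() - 3600  # every file starts an hour before the connection
        names = ["untouched.txt", "accessed.txt", "edited.txt"]
        for name in names:
            with open(os.path.join(root, name), "w") as fh:
                fh.write(f"original contents of {name}\n")
        for name in names:
            os.utime(os.path.join(root, name), (base + 100, base))  # (atime, mtime)
        before = snapshot(root)
        # snapshot() read every file, which may have bumped on-disk atimes;
        # restore the baseline so the only differences are the simulated ones
        for name in names:
            os.utime(os.path.join(root, name), (base + 100, base))
        connected_at = time.time() - 5  # margin for filesystems with coarse clocks
        # simulated host activity: an access, a rewrite and a new file
        os.utime(os.path.join(root, "accessed.txt"), (connected_at + 60, base))
        with open(os.path.join(root, "edited.txt"), "w") as fh:
            fh.write("contents rewritten by the host\n")
        os.utime(os.path.join(root, "edited.txt"), (base + 100, connected_at + 60))
        with open(os.path.join(root, "new.txt"), "w") as fh:
            fh.write("file created by the host\n")
        after = snapshot(root)
        return diff_snapshots(before, after, connected_at)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run snapshot() against the two restored copies (mounted read-only) and pass the documented time of the original connection to diff_snapshots(); anything tagged "after connection time" is what the report has to account for. Note that os.utime() cannot set ctime, so the demo's own timestamp resets show up as ctime changes, which is also why ctime is the field worth checking first on a real drive.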
(@bithead)
Posts: 1206
Noble Member
 

Unfortunately no image was made of the drive prior to it being connected.

What files could be altered by connecting it to the computer?

What OS is running on the computer that the suspect drive was connected to without the write blocker?

 
Posted : 16/05/2010 7:49 pm
(@bumpkin)
Posts: 6
Active Member
Topic starter
 

Ah yes that is a very good idea! Thanks.

Ok here's another quick question for you… What about AccessData's Forensic Toolkit? How does it stack up to others?

Thanks for all your help so far.

 
Posted : 16/05/2010 7:54 pm
Page 1 / 2