Bootable CD's - effect on live machine

(@p38cyq)
Trusted Member
Joined: 14 years ago
Posts: 44
Topic starter  

Gents,

As a newbie, I assumed that booting a system externally (with a non-Windows OS, such as Caine CF Linux) didn't change the registry or the log files of the targeted machine.
That is, as long as one doesn't manually change a file on the hard disk concerned (for instance by opening it). Therefore I supposed that a write-blocker wasn't always necessary, as long as you only explored the disk.

In the latest version of Caine Computer Forensics (V 2.5.1) you can mount any disk also in the read-only mode.

Is it correct to say that, in the read-only mode and under Linux or similar, a write-blocker becomes obsolete?


minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

That is true to an extent; we now use Linux as an imaging tool (not a live CD version, a full install) and image through USB 3 docks, no write-blocker.

There was a paper on how some live CDs changed data when the system contained a Linux installation, as it mounted the swap partition. However, this may have been fixed.

As with everything, it's best to test for yourself, as you will be the one giving evidence in court.


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

As a newbie, I assumed that booting a system externally (with a non-Windows OS, such as Caine CF Linux) didn't change the registry or the log files of the targeted machine.

That is, as long as one doesn't manually change a file on the hard disk concerned (for instance by opening it). Therefore I supposed that a write-blocker wasn't always necessary, as long as you only explored the disk.

That doesn't follow. You can be fairly certain that there won't be any changes to the registry or the log files … but you can't assume the file time stamps don't change. And what's worse, since you're not using the original file system (NTFS, I presume), you don't really know how the particular implementation you're using now works. It may even update last access time stamps …

In the latest version of Caine Computer Forensics (V 2.5.1) you can mount any disk also in the read-only mode.

Is it correct to say that, in the read-only mode and under Linux or similar, a write-blocker becomes obsolete?

Provided that the read-only mode works as you think it does. Does it? Do you know or are you only hoping? It's just software, isn't it? So you can expect bugs. Furthermore, it's probably not software that was designed to provide a forensically clean environment – 'read-only' may only mean that it won't change anything a user will care about, but may very well clean off things that appeared irrelevant to the implementers.

(There was a validation study a few years back where one of the Unix file systems turned out not to be quite as read-only as was expected. I don't know what the status is on that one … but you might want to check it up.)

It may be easier to think of it in other terms: can you justify your decision not to use a write blocker if push comes to shove? Or will the money spent on the investigation have been wasted?


nannib
(@nannib)
Active Member
Joined: 17 years ago
Posts: 13
 

Hi all,
Caine is safe because when you boot it doesn't mount anything. It mounts in read-only, noatime, etc. etc. only if you WANT to mount the host hard disk by the mounter applet or manually.
If you only need to make the image file of the disk, you can use dd, dc3dd, dcfldd, AIR, Guymager, and you use /dev/sdX as the source, not the mounted device.
That's all 😉

Nanni Bassetti
Caine project manager - http://www.caine-live.net


(@p38cyq)
Trusted Member
Joined: 14 years ago
Posts: 44
Topic starter  

Nanni,

Thank you Sir!


(@roblife)
New Member
Joined: 14 years ago
Posts: 1
 

You can always test your theory carefully without harm. A true professional never assumes and never takes an answer from others, no matter how senior a person is. He will test it and find out for himself whether it is true or false.
Here is how you test it. You make 2 copies of the original evidence drive. The second copy you mount in read-only mode and work with. Then you make a forensic copy of that second copy; if the hash matches the first copy of the original, you will know that nothing has been changed and your theory has been proved. Now you can publish your findings as well as testify in court that this has been done and it is a sound method. No one in the court can argue with a tested method done by you. They can certainly try but will lose. You will always prevail with sound methods.


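The self-test described in the last post, combined with the "image /dev/sdX, never the mounted device" advice from the CAINE post, as an added example that is not code from the thread or from the CAINE project. It images a copy with dd, exposes that copy through a read-only loop device (so the kernel refuses writes at the block layer, a software stand-in for a write blocker), mounts it ro,noatime, reads every file, and compares SHA-256 hashes before and after. Image paths and the mount point are constructed; the mount step needs root and is reported as skipped otherwise.

```shell
#!/bin/sh
# Added example (not from the thread or CAINE): verify that a read-only
# examination leaves an evidence copy bit-for-bit unchanged.
set -eu

# Print only the SHA-256 digest of a file or block device.
hash_image() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy $1 to $2 with dd (as one would from /dev/sdX) and verify the copy.
forensic_copy() {
    dd if="$1" of="$2" bs=1M status=none
    [ "$(hash_image "$1")" = "$(hash_image "$2")" ]
}

# Attach $1 as a read-only loop device, mount it ro,noatime on $2, read every
# regular file once, then tear down. Returns 2 without root, mount's status
# otherwise. A journalling fs that needs recovery fails to mount here rather
# than replaying its journal onto the copy, because the device is read-only.
examine_readonly() {
    img=$1; mnt=$2
    [ "$(id -u)" = 0 ] || return 2
    dev=$(losetup -f --show -r "$img")
    mkdir -p "$mnt"
    rc=0
    mount -o ro,noatime "$dev" "$mnt" || rc=$?
    if [ "$rc" = 0 ]; then
        find "$mnt" -type f -exec cat {} + >/dev/null
        umount "$mnt"
    fi
    losetup -d "$dev"
    return "$rc"
}

# Full procedure on copy $1 with mount point $2: returns 0 if the hash is
# identical before and after the examination, 1 if anything changed.
verify_readonly_mount() {
    copy=$1; mnt=$2
    before=$(hash_image "$copy")
    examine_readonly "$copy" "$mnt" || \
        echo "examine step skipped or failed (needs root + loop): $?" >&2
    after=$(hash_image "$copy")
    [ "$before" = "$after" ]
}
```

Run it as root against a second working copy of the image; a non-zero exit from verify_readonly_mount means the "read-only" mount altered the copy and a hardware write blocker is not optional for that setup.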