digital evidence preservation

(@theredmoose)
Active Member
Joined: 14 years ago
Posts: 17
Topic starter  

How many images/copies of one drive are typically created and stored?

Image Types
——————————-
Hard Disk - raw data; one might argue this is not an "image"
First Image - the first or original image, the first image created from a piece of evidence, typically saved to an external USB drive
Second Image - copied to an examiner machine and MD5 hash verified

Evidence Preservation
——————————-
I am currently saving 4 different copies of a single drive:

> Hard Disk - tagged and put in the safe
> First Copy - deleted from the external hard drive to make room for the next acquisition, after the second copy's hash has been verified
> Second Copy - untouched copy of the image; MD5 hash matches the first copy
> Third Copy - working image; tools are run against this image

Questions
——————————-
Is the third copy overkill?

Do you ever have to worry about forensic tools altering an image?

Would you want to keep the First Copy because it is the original 'copy'?

It can depend on the case, but what is considered the most common practice?


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Evidence Preservation
——————————-
I am currently saving 4 different copies of a single drive:

> Hard Disk - tagged and put in the safe
> First Copy - deleted from the external hard drive to make room for the next acquisition, after the second copy's hash has been verified
> Second Copy - untouched copy of the image; MD5 hash matches the first copy
> Third Copy - working image; tools are run against this image

Not really.
For a short period of time you have an original and three copies of it; soon after, you have at most an original plus 2 copies, of which one, the "working copy", may be altered accidentally.

Questions
——————————-
Is the third copy overkill?

IMHO, no; maybe it is prudent, but not overkill.
In particular, you have to consider that, besides the nice feature of modern hard disks of suddenly dying on you, you have control ONLY over the quality of the hardware you use and can do nothing about the "original": you don't know if it is a "good" disk, if it got (say) severe shocks when seized or before, etc. When you make an image of a disk you are effectively "stressing" BOTH the "source" and the "target"; you are going to keep them powered and spinning like mad for a long stretch of time. It is not common, but it is IMHO not so rare that it should be left out of consideration that you might have only one chance to image the "original".

Do you ever have to worry about forensic tools altering an image?

Yes, you have to be constantly worried about image alteration; do not limit the possibilities to the actual forensic tools, since a hardware or OS issue of *some* kind can always happen.

Would you want to keep the First Copy because it is the original 'copy'?

No.
A copy is a copy, an EXACT copy; as long as the MD5 is validated they are indistinguishable (and no, the probability of an MD5 collision is so low that it shouldn't be considered a real-world issue).

It can depend on the case, but what is considered the most common practice?

Cannot say; your proposed one seems fine to me.

jaclaz


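The workflow in the opening post (first copy on the external drive, second copy hashed against it before the first is deleted, third copy as the working image) and the two points in the reply above (a copy is a copy as long as the hash validates; tools, the OS or hardware can alter an image at any time) come down to one check: re-hash each copy and compare with the digests recorded at acquisition. The script below is an added example written for this page, not code from either poster. It builds a constructed 3 MiB "image" of random bytes, uses two directories to stand in for the external USB drive and the examiner machine, records MD5 (as in the thread) and SHA-256 in a single read pass, walks the copy/verify/delete steps, then flips one bit in the working copy to show how a silent change is caught while the untouched copy still verifies.

```python
"""Hash-verify the copies of a forensic image (added example, not code
from the thread).  The image is a constructed file of random bytes; the
"external USB" and "examiner" locations are just two directories."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024          # 1 MiB reads: a multi-TB image never sits in RAM
ALGOS = ("md5", "sha256")    # MD5 as used in the thread, SHA-256 alongside it


def hash_file(path, algos=ALGOS):
    """Return {algo: hexdigest}; every digest is fed from a single read pass."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(reference, path):
    """Re-hash a copy and compare with the digests recorded at acquisition.

    Returns (ok, mismatched_algos, actual_digests)."""
    actual = hash_file(path, list(reference))
    mismatched = [a for a in reference if reference[a] != actual[a]]
    return (not mismatched, mismatched, actual)


def flip_one_bit(path, offset):
    """Stand-in for a tool, OS or hardware fault that silently touches a byte."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


def run_workflow(root=None):
    """Walk the poster's four-copy workflow on a constructed image."""
    root = Path(root or tempfile.mkdtemp(prefix="evidence-"))
    external = root / "external_usb"   # where the imager wrote the first copy
    examiner = root / "examiner"       # second (untouched) and third (working) copies
    external.mkdir()
    examiner.mkdir()

    # First copy: constructed stand-in for the acquired image (3 MiB plus a tail).
    first = external / "drive.dd"
    first.write_bytes(os.urandom(3 * CHUNK + 123))
    reference = hash_file(first)       # digests recorded at acquisition time

    # Second copy: copied to the examiner machine and compared to the first.
    second = examiner / "drive.dd"
    shutil.copy2(first, second)
    second_ok, _, _ = verify_copy(reference, second)
    if second_ok:                      # only now is the external copy deleted
        first.unlink()

    # Third copy: the working image the tools run against.
    working = examiner / "drive.work.dd"
    shutil.copy2(second, working)
    working_ok_before, _, _ = verify_copy(reference, working)

    # Something touches the working image; re-verify both examiner copies.
    flip_one_bit(working, CHUNK + 7)
    working_ok_after, caught_by, _ = verify_copy(reference, working)
    untouched_ok, _, _ = verify_copy(reference, second)

    shutil.rmtree(root)
    return {
        "second_matches_first": second_ok,
        "working_matches_before_tools": working_ok_before,
        "working_matches_after_tools": working_ok_after,
        "algos_that_caught_change": caught_by,
        "untouched_still_matches": untouched_ok,
    }


if __name__ == "__main__":
    for step, result in run_workflow().items():
        print(f"{step}: {result}")
```

Feeding both hashers from one read loop means the extra algorithm costs CPU, not a second pass over the disk, which matters when the source is the one drive you may only get to image once. Keep the reference digests in the case record rather than only next to the working copy, so the comparison in verify_copy is against what was recorded at acquisition and not against whatever the working image currently hashes to.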
(@theredmoose)
Active Member
Joined: 14 years ago
Posts: 17
Topic starter  

Thanks for your detailed answer. The "a copy is a copy as long as the MD5 hash matches" point is a good one; otherwise your cost in hard drive space would be really high. The other point to consider, which I didn't mention, is that you shouldn't have the untouched copy and the working copy on the same drive.

