Granted. I agree completely on the point about protecting confidential information. I am, on the other hand, not in complete agreement with the other point.
If someone created software that could manipulate the data contained inside an evidence file I doubt that it would have a significant impact on investigations. How often are DD images taken? These can easily be manipulated to show any number of things but we still use them.
The reality is that responsible and honest forensic investigators keep good records of all evidence regardless of how its acquired. If the EWF file format (which is detailed in length elsewhere) is cracked and made writable will it void all of our evidence? Sorry, but I don't see it.
I think that, regardless of the format of the image, there is unlikely to be a concrete way of storing evidence so that it can not be manipulated in some way.
If someone created software that could manipulate the data contained inside an evidence file I doubt that it would have a significant impact on investigations. How often are DD images taken? These can easily be manipulated to show any number of things but we still use them.
My opinion applies equally to any image, dd or otherwise. The logic is this:
I have an image which I can verify using an MD5 or other hash algorithm as being forensically identical to the source. I now edit that file. The new hash will be different but, more to the point, it won't tell me in what way the file is different. Thus, if my purpose is to redact information prior to submitting it to the other side, they have no way to verify what I did. If I were opposing counsel, I'd tell you that I want my own image of the source, not some redacted image.
More to the point, where do you stop? Suppose my purpose is to remove client attorney privileged information. Sure, I can zero out the file and fragments using a hex editor (and charge my clients a fortune for the hours of work to accurately verify each fragment has been zeroed), but what about unallocated space? Do I search it and zero it out as well? But how do I do that and verify that I have all of the privileged information and none of the remaining evidence? I'd challenge anyone to prove that this is possible without spending an insane amount of time and money.
The original question was whether it was possible to edit an image file for the purposes of removing certain content.
My point is that it may be possible, but it is practically the worst way imaginable to do it and I would fight any attempt by the other side to propose that as a forensically sound method.
You either have to acknowledge that it is practically not possible to completely remove sensitive information while leaving all the other evidence intact, in which case you either propose a court appointed special master, or both sides agree to a privilege clause that allows either side to oppose production of the fruit of forensic discovery if it contains privileged information, or you use a commercial approach to file deletion and wiping which includes unallocated space and risks the destruction of evidence.
In either case, using a hex editor on an image file is like using a shotgun for target practice. You'll probably hit the target in some places and miss in others, and what does that buy you in terms of your objective?
I wasn't saying that it was my method of choice, far from it. I was simply saying that a) there are reasons to specify certain files that are not to be investigated and b) that it is possible.
My original post was made simply to show that blanket statements such as "it can't be done" are probably a little impetuous.
My original post was made simply to show that blanket statements such as "it can't be done" are probably a little impetuous.
Very impetuous - it is relatively straightforward to update the data in a segment, modify the segment CRC and then recalculate the whole file hash.
I may add this to RevEnge as a proof of concept….
Incidentally our practice since we started working with Encase about 9 years ago has been to write the hash down - much harder to tamper with a hash when the original has been submitted on paper as part of your evidence.
Paul,
Yes, please - do add this to RevEnge.
I believe not only would this be another interesting feature of RevEnge, but would also drive sales of it 😉
J/K 'bout the sale … but I would like to see it included!
Cheers!
farmerdude
FTK2 allows you to create a user which can only see particular information, i.e.
You create a Tab called Email, prepare the tab accordingly, and then when the reviewer logs on to look at the case, all they can see is that tab, and not all the other files within the E01 / DD image.
Any help?
Apparently the person(s) responsible for 'libewf' are working on a way to write to and edit EWF (EnCase) files. Don't know how practical this would be, but worth looking at nonetheless.
No longer working on it. The current libewf version has a functional Read and Write mode. E.g. mount_ewf.py allows you to mount a set of EWF files in rw mode. This is mainly intended to mount file systems that are unable to mount read only. Libewf does not store its changes in the E01 file but in d01 files (called delta files). The delta files are designed to contain small amounts of changes, i.e. for recovered partition tables, etc.
Although possible, it is impractical to store changes directly in the E01 files due to compression. Older beta versions of libewf allowed changing the E01 files directly.
No need to create dd files and hexedit them. Manipulating an E01 file with libewf is very easy. A proof of concept is ewfalter (only provided in the source package). If an altered image file is created the ewftools will provide a new MD5 when exported to a new image. So writing down the original MD5 could be useful practice.
Basically there is no format you cannot change. In theory you can even make changes and have the same MD5, unsure about the practical side of this on images. Some studies were able to calculate MD5 collisions in little time.
Signing the evidence could be good practice. The Advanced Forensic Format (AFF) is one format which supports this. However this means the person who is able to sign the file is able to change it.
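Two points raised in this thread lend themselves to a small worked example: the observation above that a changed whole-file hash tells you nothing about *where* the image differs, and the suggestion here that signing the evidence (as AFF does) is good practice. The block below is an added illustration written for this page, not code from libewf, RevEnge, AFF or any poster. It records a per-chunk SHA-256 manifest at acquisition time (SHA-256 rather than MD5, given the collision concern mentioned above), tags the manifest with an HMAC as a stand-in for a real signature, and on verification reports exactly which chunks changed or went missing. The image bytes, the altered copy and the key are all constructed sample values; the chunk size of 16 bytes is only for the demo.

```python
import hashlib
import hmac
import json

CHUNK_SIZE = 16  # tiny for the demo; a real manifest would use chunks of, say, 1 MiB

# Constructed sample "image": 64 bytes standing in for a raw disk image.
ORIGINAL_IMAGE = bytes(range(64))

# Constructed altered copy: four bytes inside the second chunk (offsets 16-31) overwritten.
_tmp = bytearray(ORIGINAL_IMAGE)
_tmp[20:24] = b"\xff\xff\xff\xff"
ALTERED_IMAGE = bytes(_tmp)

# Constructed key held by the examiner; in practice kept with the paper record, not with the image.
EXAMINER_KEY = b"constructed-demo-key-not-for-real-use"


def chunk_hashes(data: bytes, chunk_size: int) -> list:
    """SHA-256 of each fixed-size chunk of data, in order (the last chunk may be short)."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def build_manifest(data: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Record the whole-image hash plus a per-chunk hash list at acquisition time."""
    return {
        "chunk_size": chunk_size,
        "length": len(data),
        "whole_sha256": hashlib.sha256(data).hexdigest(),
        "chunks": chunk_hashes(data, chunk_size),
    }


def _canonical(manifest: dict) -> bytes:
    # Stable serialisation so the same manifest always yields the same tag.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 tag over the canonical manifest (stand-in for a real signature)."""
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest_tag(manifest: dict, key: bytes, tag: str) -> bool:
    """Constant-time check that the manifest has not been edited since it was tagged."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_image(data: bytes, manifest: dict) -> dict:
    """Compare an image against its manifest and localise any differences.

    Reports whether the whole-image hash and length still match and which chunk
    indices (with their byte ranges) differ, counting chunks that are missing or
    extra when the length changed.
    """
    cs = manifest["chunk_size"]
    recorded = manifest["chunks"]
    current = chunk_hashes(data, cs)
    n = max(len(recorded), len(current))
    changed = [i for i in range(n)
               if i >= len(recorded) or i >= len(current) or recorded[i] != current[i]]
    return {
        "whole_hash_ok": hashlib.sha256(data).hexdigest() == manifest["whole_sha256"],
        "length_ok": len(data) == manifest["length"],
        "changed_chunks": changed,
        "changed_ranges": [(i * cs, (i + 1) * cs) for i in changed],
    }


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_IMAGE)
    tag = sign_manifest(manifest, EXAMINER_KEY)
    print("manifest tag valid:", verify_manifest_tag(manifest, EXAMINER_KEY, tag))
    print("original:", verify_image(ORIGINAL_IMAGE, manifest))
    print("altered: ", verify_image(ALTERED_IMAGE, manifest))
```

Against the altered copy the whole-image hash fails and the report names chunk 1 (bytes 16-31), which is the information a plain MD5 comparison cannot give. The caveat from the post above still applies: anyone holding EXAMINER_KEY can rebuild and re-tag a manifest, so the key or the tag has to live with a party or record (the paper hash, for instance) that cannot also alter the image.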
Jumps in - hi Joachim! - jumps out…
Very impetuous - it is relatively straightforward to update the data in a segment, modify the segment CRC and then recalculate the whole file hash.
Again, it misses the point. If you want to remove sensitive information from an image, using a hex editor to edit the E01 file is a waste of time and/or your client's money.
I may add this to RevEnge as a proof of concept….
I think we'd all concede the concept that it can be done. You can pay the postal service to deliver your milk but it isn't, necessarily, the best way to get milk on your table.
Incidentally our practice since we started working with Encase about 9 years ago has been to write the hash down - much harder to tamper with a hash when the original has been submitted on paper as part of your evidence.
Here I am agreed. I don't believe in allowing our tools to automate what is simply good record keeping/evidence management.
Jumps in - hi Joachim! - jumps out…
Far off topic, but hey Jamie, how are things? Everything OK? I'll continue on private message, not to disturb this discussion too much.