Is wiping really necessary?
There are a lot of things that we do in our practice which, while not strictly necessary, are prudent, nonetheless.
One of these is starting with sterile drives for our work environment (not the OS).
The reason is simple: it is one less "issue" the opposition can raise in arguing against the admissibility of evidence or for spoliation or whatever.
While it is true that the integrity of forensic images can easily be verified the fact is that if I have to take that extra step to explain that to a judge or jury and be questioned about it, that is time and money out of the client's pocket.
In addition, and even more of a concern, is the fact that an expert's qualifications can be called into question if their methods vary from "standard operating practice" and as there is currently no single authority on this from the perspective of data forensics, there are a number of published guides, manuals, texts, etc., authored by acknowledged experts in the field which recommend this practice or that.
I once had someone ask whether I had photographed a laptop hard drive that I had removed for examination. I had not and neither the drive nor the laptop was ever out of my possession, however, I was using EnCase and in one of the Guidance software best practices guides there was a recommendation to photograph the evidence and opposing counsel was now making me read that to the jury. The obvious question to me was "You're using EnCase, why aren't you following their recommended best practices?"
I certainly don't mean this to sound like a lecture but part of what I view as my responsibility to my client is to not only look for weaknesses in their case but also in mine. Weaknesses in terms of the evidence are easy to spot but weaknesses (legitimate or otherwise) related to process are harder.
Put another way, if Harlan Carvey wrote in his book that drives should always be imaged with the interface pointing East, I'd do it for no other reason than the fact that it was in his book.
FWIW the ISFCE lists forensically sterile examination media as the first of its three essential requirements of a competent forensic examination (or at least they did a few years ago, I don't know if that position has changed.) Perhaps those who are CCE qualified need to take extra care not to land themselves in the kind of situations Sean's referring to?
Jamie
I've posted a question to the CCE mailing list about this and hope to have an answer soon.
The question about defending oneself in court concerning this practice, I believe that, should I be asked about such, I would be able to explain why it is redundant in most circumstances.
I'm not dismissing this outright as I believe that it is practical to acquire to a sterilised drive but not for completing a full analysis, but even in this there are issues.
I remain unconvinced by the argument but I'd be happy to change my mind should anyone provide a strong enough argument in favour.
This may well be a topic for a future podcast episode. Anyone want to volunteer for arguing the case 'for'?
Is the wording in the CCE prescriptive? I know that for example in IACIS, they require examiners to have a knowledge of drive sterilisation, i.e. drive sterilisation is a required competency, but this is different from prescribing that all drives must be wiped.
I would venture a cautious yes based on the distance learning material I have available which is now a few years old. However, that position may have been modified or become more nuanced in the intervening years. I expect when we hear back from someone on the CCE list we'll know for sure.
Jamie
The question about defending oneself in court concerning this practice, I believe that, should I be asked about such, I would be able to explain why it is redundant in most circumstances.
While most of what we do in the laboratory is technical the courtroom is, in part, theatre. The outcome boils down not only to who is correct, but who is better believed and, in some cases, who is better liked.
When things get to a jury, it is even more of an issue because juries often don't have the patience for long-winded technical discussions and tend to go with what "seems right". The whole public fallout over health care reform and the economic stimulus is a perfect example of facts versus sound bites with sound bites winning out.
Words like "sterilize" have connotative associations which are more visceral than their denotative meaning. Consider the following statement:
"I always sterilize my disks before proceeding with a case so that there is no chance I will contaminate the data."
It is easy to say. It makes sense. People want their doctors to sterilize their instruments before using them for the same reason so why wouldn't you want to do this with a disk drive.
Can you explain why it is unnecessary? Probably, but not as succinctly and not in as few words and even if you could, your explanation would run contrary to what people believe about the real world; sterilization prevents contamination.
In addition to the "facts" there is the issue of cost versus benefit.
Q Were you incapable of sterilizing the disk?
A No.
Q Is it difficult?
A No.
Q Is it expensive?
A No.
Q Then why didn't you do it?
My general rule is the following:
If the procedure has been recommended by at least one source which is regarded as authoritative
and
If the procedure has not been discredited or called into question by another, equally authoritative source
and
If the procedure represents minimal hardship in terms of time, effort or money
then do it and make it irrelevant to the proceedings.
Time spent questioning the appropriateness of an expert's process or methodology (when those questions could have been avoided) costs the client, both in terms of money and in terms of how that expert is regarded by the jury.
The example of photographing the evidence that I referenced, above, was a real case heard in Federal Court. Similar questions arose: Do you have a camera? (Of course, I wouldn't be a good investigator if I didn't.) Is it expensive? (No, it is a digital camera and the images are stored electronically.)
Was there a problem that prevented you from taking a photograph? (No.) Then why didn't you?
I won the argument as to why the evidence had not been photographed by stating that there was nothing suspicious or unusual to make me want to keep a photographic record. But it wasn't that simple.
Q How can you say, with any certainty, that the drive had not been tampered with before you received the computer?
A There were no scratches and no distortions of the screw head to indicate that someone had previously removed the drive. When I removed the screws the blue threadlock appeared to be intact which is unlikely to be the case if the screws had been removed, previously.
Q But you don't have a photograph to corroborate this testimony, do you?
At the recess after my cross-examination was over, lead counsel for my client (who is an extremely experienced trial lawyer), came up to me and said
"From now on, photograph everything!"
You don't DoD wipe in Forensics. The proper method of forensic sterilisation of media is to completely overwrite the drive with a single known character, generally 0x00. The reason for using 0x00 is that you can then read the drive using a CRC32 or CRC64, and if the resultant hash is all zeros, your drive is sterile.
Just a warning to people reading this who may not be familiar with CRCs - most CRCs do not generate an all-zero output for the all-zero data case. Without going into the maths of how CRCs are calculated, the important fact in this regard is whether they start with a non-zero initialisation vector (IV). If the IV is non-zero, then the resulting hash of all-zero data will not be zero - in fact this is often done specifically to ensure that a correct length sequence of all-zero values can be determined, as well as to ensure that when protecting memory/file data, a zero CRC protecting an all-zero set of data is not simply completely uninitialised memory/data.
The specific term "CRC32" is sometimes used to mean 'any' 32-bit CRC (as there are many), but is also used to refer to the specific 32-bit CRC used in PkZip as well as other applications. This has a non-zero IV, and as such does not produce a zero output for all-zero data. If you wish to perform an all-zero check using a CRC, you would therefore need to ensure you are using a CRC designed with that in mind (which is uncommon for the reasons mentioned above); typically a "checkZero(data,len)" function would also be lower computation.
Phil.
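To put numbers behind the two posts above (the 0x00 overwrite and Phil's caveat about CRC IVs), here is an added example, not code from either poster. It uses Python's zlib CRC-32 (the PkZip variant, init and final XOR 0xFFFFFFFF), a hand-rolled CRC-32 with the same polynomial but a zero IV and no final XOR, and a plain "checkZero"-style scan; the sample buffers are constructed for the demonstration.

```python
import io
import zlib

# Constructed sample regions (not real media): a wiped 1 KiB block and one
# that still carries a single stray byte at offset 512.
ZERO_1K = bytes(1024)
DIRTY_1K = bytes(512) + b"\xA5" + bytes(511)


def crc32_standard(data: bytes) -> int:
    """PkZip/zlib CRC-32: IV 0xFFFFFFFF and final XOR 0xFFFFFFFF.
    Because of the non-zero IV it never returns 0 for all-zero input,
    and the value changes with the length of the zero run."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_raw(data: bytes) -> int:
    """Same reflected polynomial (0xEDB88320) but zero IV and no final XOR.
    This variant does map any run of zero bytes to 0, which is exactly the
    property Phil describes as uncommon: it cannot tell zeros from nothing."""
    reg = 0
    for b in data:
        reg ^= b
        for _ in range(8):
            reg = (reg >> 1) ^ (0xEDB88320 if reg & 1 else 0)
    return reg


def check_zero(stream, chunk_size: int = 1 << 20):
    """Stream through a file-like object (an opened block device or image)
    and return (is_sterile, first_nonzero_offset).

    Each chunk is compared against a same-length zero buffer; no hashing is
    involved, so the answer does not depend on any CRC's IV."""
    offset = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return True, None
        if chunk != bytes(len(chunk)):
            # Report the first offending byte for the examiner's notes.
            for i, b in enumerate(chunk):
                if b:
                    return False, offset + i
        offset += len(chunk)


if __name__ == "__main__":
    for n in (1, 4, 4096):
        print(f"zlib crc32 of {n} zero bytes: 0x{crc32_standard(bytes(n)):08X}")
        print(f"raw  crc32 of {n} zero bytes: 0x{crc32_raw(bytes(n)):08X}")
    print("wiped block:", check_zero(io.BytesIO(ZERO_1K)))
    print("dirty block:", check_zero(io.BytesIO(DIRTY_1K)))
```

Running it shows the standard CRC-32 of zero-filled data is non-zero and length dependent, while the zero-IV variant collapses every zero run to 0; a direct byte scan like `check_zero` is both cheaper and unambiguous, and a recorded MD5/SHA hash of the wiped drive remains the usual documentary proof.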
Just a warning to people reading this who may not be familiar with CRCs - most CRCs do not generate an all-zero output for the all-zero data case. Without going into the maths of how CRCs are calculated, the important fact in this regard is whether they start with a non-zero initialisation vector (IV). If the IV is non-zero, then the resulting hash of all-zero data will not be zero - in fact this is often done specifically to ensure that a correct length sequence of all-zero values can be determined, as well as to ensure that when protecting memory/file data, a zero CRC protecting an all-zero set of data is not simply completely uninitialised memory/data.
Thanks for that Phil - very informative and useful. And thank you to all posters for the excellent discussion.
Most posters are agreeing that the target drive for an image should first be cleaned, albeit for varying reasons. To bring the subject back slightly to the original point in relation to the OS and program files on the machine used to analyse the image, I believe I have (maybe) heard three approaches thus far;
1. Do no 'cleaning' of the OS; rely on AV and the security of the original uncontaminated evidence being in secure storage if something goes wrong. (This is the 'maybe').
2. Re-load a ghost image of your OS and other program files after each job.
3. Use VMs, with forensic programs stored on the host for performance reasons. I must say that this option (as well described by David, thank you) appeals to me, although I'd need to better understand any overhead related to, say NSRL hash libraries, bespoke EnScripts and so on.
Are there any more thoughts on this aspect?
Thanks.
1. Do no 'cleaning' of the OS; rely on AV and the security of the original uncontaminated evidence being in secure storage if something goes wrong. (This is the 'maybe').
I guess my only comment on this would be to make sure you are working off a working copy of the evidence. In all places I have worked the original evidence files are stored separately (sometimes securely offsite) and then we would use copies of the image files for the analysis. The theory being that if something goes wrong anywhere along the way - be it drive/os/whatever - you still have the original evidence to fall back on.
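The working-copy practice above only holds up if you can show the copy you analysed matched the original that went into storage. The following is an added example (not the poster's code) of the usual way to do that: hash the original once in several algorithms when it is stored, then re-hash the working copy before and after analysis and compare against that manifest. The image contents are constructed stand-ins, not evidence.

```python
import hashlib
import io

# Constructed sample "images" (not real evidence): the original, a faithful
# working copy, and a copy in which one byte at offset 1000 has been altered.
ORIGINAL_IMAGE = bytes(range(256)) * 16
GOOD_COPY = bytes(ORIGINAL_IMAGE)
BAD_COPY = ORIGINAL_IMAGE[:1000] + b"\x00" + ORIGINAL_IMAGE[1001:]


def hash_stream(stream, algos=("md5", "sha256"), chunk_size: int = 1 << 20) -> dict:
    """Hash a file-like object in one pass with several algorithms at once.
    Returns {algorithm: hexdigest}. Chunked reads keep memory flat for
    multi-gigabyte image files."""
    hashers = {a: hashlib.new(a) for a in algos}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def record_original(stream) -> dict:
    """Manifest taken when the original goes to secure storage.
    In practice this is written to the case notes alongside the image."""
    return hash_stream(stream)


def verify_working_copy(copy_stream, manifest: dict):
    """Re-hash a working copy and compare it with the stored manifest.
    Returns (ok, list_of_mismatching_algorithms). Run this before analysis
    starts and again when it finishes, so any change to the copy is caught."""
    actual = hash_stream(copy_stream, tuple(manifest))
    mismatched = sorted(a for a in manifest if actual[a] != manifest[a])
    return (not mismatched, mismatched)


if __name__ == "__main__":
    manifest = record_original(io.BytesIO(ORIGINAL_IMAGE))
    print("manifest:", manifest)
    print("good copy:", verify_working_copy(io.BytesIO(GOOD_COPY), manifest))
    print("bad copy: ", verify_working_copy(io.BytesIO(BAD_COPY), manifest))
```

Recording two independent hashes is deliberate: a mismatch in either one is enough to send the examiner back to the stored original, and it answers the courtroom question "how do you know what you analysed is what you seized?" without a technical lecture.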
Although I agree what we need to do, I find this to be troubling in general.
Imagine someone with sufficient marketing leverage but little technical knowhow in the subject makes a rash statement, or demands a requirement.
Now a whole industry is required to comply by something off the wall, until sufficient experts reject the requirement.
I recall a "1 bit length virus" …
…
If the procedure has been recommended by at least one source which is regarded as authoritative
and
If the procedure has not been discredited or called into question by another, equally authoritative source
and
If the procedure represents minimal hardship in terms of time, effort or money
then do it and make it irrelevant to the proceedings.
…
"From now on, photograph everything!"