Hardware Disk Blocker vs Software Disk Blocker

7 Posts
6 Users
0 Reactions
1,188 Views
(@liguoroa)
Estimable Member
Joined: 16 years ago
Posts: 43
Topic starter  

Dear All,
I'm new to Computer Forensics and I'm studying the forensic technique of disk acquisition.

I also built a forensic workstation, on which I installed the Linux distribution Caine 2.0.
In order to minimize my investments in terms of hardware, may I avoid buying any hardware write blocker and leverage the "read only mount" characteristics of the Caine distribution?

Are there any drawbacks in this use?
May this use be challenged during trials and/or by the attorneys?
Thanks in advance

Best Regards,
Andrea Liguoro


   
Quote
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

Hardware blocker does not require any setting up. Thus it is certain to work 100% of the time.

Software has to be configured to the drive - is there a possible period when write protection will not be configured?

I once tried a PC software USB write blocker, and this blocked all of the USB ports which is not what I wanted.


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

As Michael says, hardware write blocking is less resource intensive (I am NOT saying "preferable"), because short of reversing the interface cabling and applying power to the wrong pins (PATA drives), you can hardly go wrong (assuming that the hardware write blocking has been implemented, correctly, and for that I recommend articles by Mark Menz).

But it is possible in many OSes (not all) to mount devices in a read-only setting, though I NEVER trust the distributor's statements to this effect and always test each new distro before I use it, forensically.

The software process does require more thorough documentation.

In addition, there is no prima facie "crime" in failing to write block. Nearly everyone who has ever done Apple Mac forensics has accidentally booted a system that they intended to collect, forensically.

What you need to be able to do is demonstrate that whatever the artefacts created by your examination, they were not sufficient to totally obscure the evidentiary value of the media. Granted, that takes more work and more of your client's money, but sometimes it is unavoidable.

Bottom line. I would not discredit the findings of a digital forensicator SOLELY on the grounds that the media was not write blocked. Nor would I question his/her credentials SOLELY on this point, without understanding the other factors involved.


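The advice above to test a distro's read-only claims before trusting it, and to document the software process thoroughly, can be turned into a repeatable check. The following is an added example written for this thread, not code posted by any of the participants or shipped with CAINE. It never writes a byte to the target: it hashes the device (or an image file) through a read-only descriptor, asks the Linux kernel for its read-only flag on block devices, attempts a write-mode open without O_CREAT/O_TRUNC (which a read-only block device or mount refuses with EACCES/EROFS), then re-hashes and emits a JSON record for the examiner's notes. It assumes Linux, the x86_64 BLKROGET ioctl number, and a placeholder device path `/dev/sdX`; the sample bytes it falls back to are constructed.

```python
"""Non-destructive verification that an evidence device or image is write-protected.

Added example for the write-blocker discussion; not part of CAINE or any poster's tooling.
Assumes Linux. BLKROGET is the x86_64 Linux ioctl value; /dev/sdX is a placeholder.
"""
import errno
import fcntl
import hashlib
import json
import os
import stat
import struct
import tempfile
import time

BLKROGET = 0x125E          # Linux ioctl: read a block device's read-only flag (assumed x86_64 value)
CHUNK = 1 << 20            # 1 MiB read size while hashing
SAMPLE_BYTES = b"constructed evidence bytes, not a real disk image\n" * 64  # constructed stand-in


def sha256_of(path: str) -> str:
    """Hash the whole device or file through a read-only descriptor."""
    h = hashlib.sha256()
    fd = os.open(path, os.O_RDONLY)
    try:
        while True:
            chunk = os.read(fd, CHUNK)
            if not chunk:
                break
            h.update(chunk)
    finally:
        os.close(fd)
    return h.hexdigest()


def kernel_ro_flag(path: str):
    """Return the kernel's read-only flag for a block device; None for a regular file."""
    if not stat.S_ISBLK(os.stat(path).st_mode):
        return None
    fd = os.open(path, os.O_RDONLY)
    try:
        buf = fcntl.ioctl(fd, BLKROGET, struct.pack("i", 0))
        return bool(struct.unpack("i", buf)[0])
    finally:
        os.close(fd)


def write_open_refused(path: str):
    """Attempt a write-mode open with no O_CREAT/O_TRUNC and write nothing.

    A read-only block device or read-only mount refuses this (EACCES/EROFS);
    a writable target accepts it, which is exactly what the examiner must not see.
    """
    try:
        fd = os.open(path, os.O_WRONLY)
    except OSError as e:
        return True, errno.errorcode.get(e.errno, str(e.errno))
    os.close(fd)
    return False, None


def verify_write_protection(path: str) -> dict:
    """Hash, probe, re-hash; return a record suitable for the acquisition log."""
    before = sha256_of(path)
    refused, code = write_open_refused(path)
    after = sha256_of(path)
    return {
        "path": path,
        "checked_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "kernel_ro_flag": kernel_ro_flag(path),
        "write_open_refused": refused,
        "refusal_errno": code,
        "sha256_before": before,
        "sha256_after": after,
        "hash_unchanged": before == after,
        "protected": refused and before == after,
    }


def make_constructed_sample() -> str:
    """Write the constructed sample bytes to a temp file standing in for a device image."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.write(fd, SAMPLE_BYTES)
    os.close(fd)
    return path


if __name__ == "__main__":
    import sys
    # Real use: python3 verify_wb.py /dev/sdX   (placeholder path; run as root for block devices)
    target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_sample()
    print(json.dumps(verify_write_protection(target), indent=2))
```

Run it against the blocked device before imaging and keep the JSON alongside the acquisition hash: a record that shows `write_open_refused` true and matching hashes documents that the software path was actually read-only at the time, which is the documentation burden the software route carries.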
   
ReplyQuote
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I think the big danger is the operating system writing a file to the disk and possibly destroying some of the otherwise unallocated space. On start up, files do get written to disks, often small, but also maybe virus protection ones.

The worst that could happen with an unprotected disk is that the Defrag routine is automatically run (eg Norton) that will corrupt the unallocated space. Data may be lost, but realistically nothing 'nasty' will be added. However, I would not like to defend that point.


   
ReplyQuote
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

You really only need write blocking when accessing original evidence, such as creating a forensic image. You can use any operating system to access the images without needing a write blocker.

Besides CAINE, there are several other Linux distros suitable for forensic use (DEFT, SPADA, etc…) plus there a bootable Windows environment (WinFE). If you have a floppy drive, you can boot to a forensic boot floppy to create an image, all of these not requiring a physical write blocker and all are acceptable in court proceedings.

And no matter what you do, everything is usually challenged, even if you did it right.


   
ReplyQuote
MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

In order to minimize my investments in terms of hardware may I avoid to buy any hardware write blocker and leverage on the characteristics of "read only mount" of Caine distribution?

Are there any drawback in this use?

If you do image acquisition, my advice would be to get a hardware write blocker and do the imaging through that device, even if you have a (what is claimed to be) forensically sound software blocker or live CD.

Software has its problems, it can fail and accidentally may alter the source media, and the drawback with hardware is that it only blocks what it is told to block.

See
"Disk Drive I/O Commands and Write Blocking"
Advances in Digital Forensics III
http://www.springer.com/computer/book/978-0-387-73741-6

When I image, I use hardware and software in a combo; that should make most people with any doubts keep their opinion to themselves.


   
ReplyQuote
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Hardware blocker does not require any setting up. Thus it is certain to work 100% of the time.

As far as write blocking goes, yes, but general functionality is not always the case. I have had hardware write blockers not see drives, and the other general quirks of hardware compatibility. Also, RAID configs are more common in OS and data drives on SoHo hardware; it is good to have both, as software boot disks handle them quite well.

Why would you have an either/or scenario? Why not both? If you are going to be practicing in the field, have a diverse tool set. I am not saying buy everything, but know what is out there so you can have the proper gear. Trust me, at 1am on-site you don't want to be saying "Ugh, I wish I had X".


   
ReplyQuote
Share: