Methods for testing write blockers.

washingyourhands
(@washingyourhands)

I've imaged a drive using a Logicube, then connected it to the forensics computer via a hardware write-blocker and acquired into EnCase. I've done this many times before, but I've come across one drive that had a different MD5 hash in EnCase from the Logicube report. :?

I want to test my write-blocker, and want some ideas on how to do this.

There's the obvious one

- Create hash of drive
- Try to write to the drive
- Create second hash and compare

Are there any other methods that I should use to test my write blocker further?

thanks

-washingyourhands


   
azrael
(@azrael)
 

Overkill, but you could do worse than

http://www.cftt.nist.gov/HWB-ATP-19.pdf

:-)


   
washingyourhands
(@washingyourhands)

Thanks Azrael, that was interesting reading and gave me some ideas.

Definitely overkill for what I want to do, but I guess the standard has to be able to be applied by people who look after national security secrets.

The sort of people who don't want the launch codes for nukes being accidentally overwritten, or other important secrets such as who killed JFK, or where Elvis is currently living :P


   
azrael
(@azrael)
 

:-P

You left out the Aliens ! Or is your Avatar a clue that "the truth is out there" …

😉


   
washingyourhands
(@washingyourhands)

I did mention Elvis didn't I? :D

BTW, it looks like the write blocker in question has read errors. At least it wasn't writing to the disk.


   
(@honeyjew)
 

Step #1 – Prepare the media

a) Attach the storage media you will be testing with to your forensic workstation in write-enabled mode.

b) Wipe the media - validate that this has been successful.

c) Format the media with a file format of your choosing.

d) Copy an amount of data to the media.

e) Delete a selection of this data from the media.

f) On the desktop of your forensic workstation create 3 folders. Call these Step-1, Step-2 and Step-5.

g) Image the media into the Step-1 folder and note the MD5 hash.

Step #2 – Testing the media

a) Remove and then replace the testing media into your forensic workstation.

b) Copy some data to the media.

c) Delete a selection of this data from the media.

d) Image the media into the Step-2 folder and note the MD5 hash.

e) Validate that this hash value is different to that produced in Step #1.

Step #3 – Activate the write blocking device

a) Remove the media from your forensic workstation.

b) Attach and/or activate the write protection device.

c) Follow any specific activation procedures for the specific blocker.

Step #4 – Test the write blocking device

a) Insert the media into your forensic workstation.

b) Attempt to copy files onto the media.

c) Attempt to delete files from the media.

d) Attempt to format the media.

Step #5 – Check for any changes to the media

a) Image the media into the Step-5 folder and note the MD5 hash.

b) Validate that this MD5 hash is the same as the MD5 hash from Step #2.


   
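The pass criteria from Steps 2e and 5b above, as an added example that is not part of the original post: it hashes the three images whole and in fixed-size chunks, so a failed Step 5b also reports where the images diverge. It assumes raw (dd-style) image files; the function names, chunk size and sample images are constructed for illustration.

```python
import hashlib, os, tempfile

CHUNK = 4096  # bytes per chunk digest; constructed value, tune to the media

def hash_image(path, chunk=CHUNK):
    """Return (whole-image MD5 hex, list of per-chunk MD5 hex digests)."""
    whole, blocks = hashlib.md5(), []
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            whole.update(data)
            blocks.append(hashlib.md5(data).hexdigest())
    return whole.hexdigest(), blocks

def changed_offsets(a_blocks, b_blocks, chunk=CHUNK):
    """Byte offsets of chunks that differ, including any length mismatch."""
    n = max(len(a_blocks), len(b_blocks))
    pad = lambda b: b + [None] * (n - len(b))
    pairs = zip(pad(a_blocks), pad(b_blocks))
    return [i * chunk for i, (x, y) in enumerate(pairs) if x != y]

def evaluate(step1, step2, step5):
    """Apply the procedure's two checks to the Step-1/2/5 images."""
    (h1, _), (h2, b2), (h5, b5) = map(hash_image, (step1, step2, step5))
    return {
        "control_ok": h1 != h2,  # Step 2e: unblocked writes must change the hash
        "blocker_ok": h2 == h5,  # Step 5b: blocked write attempts must not
        "changed": changed_offsets(b2, b5),  # where to look if Step 5b fails
    }

def demo():
    """Constructed 16 KiB images standing in for real acquisitions."""
    d = tempfile.mkdtemp()
    base = bytearray(bytes(range(256)) * 64)
    written = bytearray(base); written[CHUNK:CHUNK + 5] = b"WRITE"
    altered = bytearray(written); altered[3 * CHUNK] ^= 0xFF
    images = {"s1": base, "s2": written, "s5_good": written, "s5_bad": altered}
    paths = {}
    for name, data in images.items():
        paths[name] = os.path.join(d, name + ".dd")
        with open(paths[name], "wb") as f:
            f.write(data)
    good = evaluate(paths["s1"], paths["s2"], paths["s5_good"])
    bad = evaluate(paths["s1"], paths["s2"], paths["s5_bad"])
    return good, bad
```

A reported offset shows where the Step-2 and Step-5 images differ; it does not by itself distinguish a write that got through from a read that returned different data.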
azrael
(@azrael)
 

c) Format the media with a file format of your choosing.

File system ? 😉

Looks great, I would add an "Attempt to edit a file" as well just for completeness in Step 4, and "Repeat steps 1 to 5 more than once" just so that there is more faith that it isn't an intermittent error.

Otherwise excellent step by step instructions.


   
 ddow
(@ddow)
 

Locating a small 1.8 inch hd with a capacity of a few gig from a disk based mp3 player will shorten the test time as well. Especially if testing the equipment will be a periodic event.


   
balzanto
(@balzanto)
 

Locating a small 1.8 inch hd with a capacity of a few gig from a disk based mp3 player will shorten the test time as well. Especially if testing the equipment will be a periodic event.

Mark Menz gave me the suggestion of using any hard drive and setting the HPA so that the user sectors are around 1GB. It makes testing things like this much quicker.

I like your step by step. Very complete - good job.


   
(@abundantbee)
 

Your write blocker test is very thorough - thanks for posting it. I tried it out but there are a couple of things that have confused me and I'm hoping someone can help me out. I used EnCase to image the drive and to calculate an acquisition hash once it had acquired the drive. I also used another MD5 hash calculator to calculate the hash value of the image, however this value is completely different than the value EnCase calculates - which is confusing me. Using the EnCase acquisition hash values the second image and the write-blocked image are identical but using the external MD5 calculator they are different. Am I doing something wrong?


   