Was curious how everyone is presenting that their destination media (i.e. a HDD or USB drive where your image is to be placed) is sterile?
I, personally, use a single-pass all zero method to wipe the drive and then I validate it using an 8-bit checksum. If the result is "00" then the drive is sterile.
Plainly put, what would be the best method to present this in a case report? Is it good enough to simply state that you completed this process or would you take a screen capture of the checksum result?
Is anyone using any other method to validate that your destination media is sterile? If so I'd like to hear some other perspectives.
Why does the destination/storage drive need to be sterile?
To prevent cross contamination
What are you putting on the drive that you are concerned about contaminating? Are you doing a logical copy or something to the drive?
If you are putting an evidence container like a DD or E01 on the drive how would it become contaminated?
I'm not worried about contamination per se. I have made it a habit of bringing sterile media into the field and using the sterile media to dump my images onto. I was taught that it was a best practice to use sterile media and most certs I've taken have looked for this to be done.
My question relates to how you present the process in a case report.
My point, which appears to be seconded by BitHead, is that media sterilization is a holdover from the early days of digital forensics and has no relevance to the storage of forensic images.
I agree completely with what both of you are saying. I can easily hash match an image to its original and say that it hasn't changed. But would you bring a drive into the field with deleted CP in unallocated and dump an image to it? For me it boils down to this - if an attorney ever asked (and it happens often) if there was any other data on the drive I dumped the image to in the field; with a sterilized drive I could say "no there wasn't".
I clearly see the argument and the benefits, when I was getting my Masters (recently) and during most of the major certs I've taken, sterilization was expected and a habit I've gotten into.
Unfortunately, we have all been taught these bad habits which waste precious time and don't serve any real purpose in the end. My point is that forensic images are verified via one or more mathematical algorithms. If you stick to that in court, it doesn't matter what was previously stored upon the drive. Let's take, for example, the numerous agencies which store forensic images upon large servers. Has there been, or is there currently, CP stored on those same servers? Are these servers then wiped before any new data is added?
Sometimes we are our own worst enemies when we, as forensic professionals, try to make things more complicated than they really are.
How would you have a drive in the field with CP on it (even if it's in unallocated)?
A time when it would be very useful is if you have your image and you dump the contents to a drive in an indexed folder, and then copy files from the index folder to the drive you brought with you. Then there could be a small chance of like files being there overwrite (yes or no) type situations, etc. I've seen it before.
In the world of containers (i.e. DD, E01, etc.) simply hashing the image file will verify it for you. What got me onto this topic and the subsequent post is that while doing my graduate course study (2009-2011) I was taught to always sterilize destination media. Most industry certifications look for use of sterilized media (
My question was simply what is the best way to present the fact that the destination drive was sterile prior to creating an image to it using FTK Imager in a forensic report.
What I do is the following
- All media (new or old) is wiped and verified.
- Once verified, the data port (IDE, SATA, USB, etc.) has a label put over it that says "Verified Sterile" with the date and initials of the individual who wiped the drive.
- In the field, when a drive is needed, the tape is removed and an 8-bit checksum is conducted.
- If the 8-bit checksum results are "00" then the drive is verified sterile and used as destination media. A screen shot is taken of the results.
- FTK Imager is used to create a forensic image to the destination media
- Chain of Custody is established, the destination drive is photographed and the original and destination media are entered into evidence.
I typically like to state that the drive was wiped using a single pass zero method and then verified sterile prior to use and include the screen shot of the 8-bit checksum in my report.
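The verification step described in this thread (single-pass zero wipe, then an 8-bit checksum that must read "00"), as an added example that is not code from any poster. It is an assumed helper: it reads a block device or image file in chunks, computes the 8-bit checksum (sum of all bytes truncated to one byte), and alongside it records a strict every-byte-is-zero check plus a SHA-256 digest, so the figures that go into the case report come from one documented run. The sample files it writes are constructed stand-ins for a drive; on a real device you would pass the device path instead.

```python
"""Verify that destination media (or an image of it) is sterile, i.e. all zeros.

Assumed helper written for this thread, not any poster's tool. It reports the
8-bit checksum the posters screenshot, plus an exact all-zero flag and a
SHA-256 digest for the case report.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat on multi-TB devices


def checksum8(data: bytes) -> int:
    """8-bit checksum: sum of every byte, truncated to one byte (mod 256)."""
    return sum(data) & 0xFF


def verify_sterile(path: str, chunk_size: int = CHUNK_SIZE) -> dict:
    """Scan a block device or file and report whether it is all zeros.

    The 8-bit checksum alone can read 00 on media that is not zeroed (any
    byte values summing to a multiple of 256 cancel out), so the exact
    all_zero flag is what actually supports the "sterile" statement.
    """
    total = 0
    csum = 0
    all_zero = True
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                break
            total += len(buf)
            csum = (csum + sum(buf)) & 0xFF
            sha.update(buf)
            if all_zero and buf.count(0) != len(buf):
                all_zero = False
    return {
        "path": path,
        "bytes_read": total,
        "checksum8": f"{csum:02X}",
        "all_zero": all_zero,
        "sha256": sha.hexdigest(),
    }


def report_line(result: dict) -> str:
    """One sentence suitable for pasting into the case report."""
    verdict = ("verified sterile (every byte 0x00)" if result["all_zero"]
               else "NOT sterile")
    return (f"{result['path']}: {result['bytes_read']} bytes read, "
            f"8-bit checksum {result['checksum8']}, "
            f"SHA-256 {result['sha256']}; {verdict}.")


def write_sample(data: bytes) -> str:
    """Write constructed sample bytes to a temp file standing in for a drive."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed samples: a zero-filled "drive" and one whose two 0x80 bytes
    # still produce a checksum of 00 even though it is not sterile.
    zeroed = write_sample(b"\x00" * (4 * 1024 * 1024))
    fooled = write_sample(b"\x80\x80" + b"\x00" * 1022)
    for sample in (zeroed, fooled):
        print(report_line(verify_sterile(sample)))
        os.remove(sample)
```

The second sample is the reason to record the all-zero flag and not just the checksum: a drive holding two 0x80 bytes and zeros everywhere else returns "00" from the 8-bit checksum, so a screenshot of that value on its own is weaker evidence than the wipe log plus an exact scan.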