Prove of use of writeblocker...

(@sebastianorossi)
Trusted Member
Joined: 14 years ago
Posts: 85
Topic starter  

Today, a lawyer attended the final act of the forensic copy of a few PCs, Macs and USB drives. He was not involved in the job. His colleague followed my work day by day.
I described to him my job and my materials: writeblocker, adaptor, etc. He asked me how I can prove I used a writeblocker. I said I had a set of photos of the job, and I also said that his firm could send its own computer forensic expert to the office to examine the job.
How can someone prove whether or not I used a writeblocker?


(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

Hi

Assuming you've documented everything you've done, including what hardware and software you use, asking the opposition to prove that you didn't may be an effective strategy.

Meanwhile, there could be artefacts in the Registry (search for the make/model) and in either setupapi.log (XP) or setupapi.dev.log (W7) showing the first time the device was connected and the last time the registry keys were updated. Appreciate this isn't proof of using the hardware/software for your particular job, though. Depending on the software you used, you could reconcile the last-update timestamps of the software's registry keys with those of the writeblocker. And there are free tools to show how many times your software has been run.

Also, the software you've been using may have created logs showing source media, write-blocker, target (destination) media - all with make/model/serial number if you're lucky (i.e. did the option exist, did you enable it, and if each new job overwrites the log file, did you save the previous job?)

All this would help, however I doubt that if you did use one, the opposition could prove you didn't. On balance, I would expect a neutral investigator to come down on your side.

HTH


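The setupapi.dev.log check mentioned above, as an added example that is not part of the original thread. It parses the "Device Install" sections of a Windows 7 style setupapi.dev.log, pulls out the device ID, start/end time and exit status of each install, and lets you search for a vendor string (the writeblocker's make) or list the installs that fall inside the job window. The log excerpt is constructed for the example; the vendor, product and serial strings in it are invented placeholders, not real device IDs. Keep the caveat from the post in mind: this log records driver installation, so a device that was already installed on the imaging system earlier may leave no new section for the job in question.

```python
import re
from datetime import datetime

# Constructed excerpt in the layout of a Windows 7 setupapi.dev.log (not a real log).
# Vendor, product and serial strings below are invented placeholders.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567]
>>>  Section start 2014/03/10 09:12:33.512
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2014/03/10 09:12:35.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_WiebeTec&Prod_Forensic_Dock&Rev_0100\\WT00000001&0]
>>>  Section start 2014/03/11 14:05:02.001
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2014/03/11 14:05:04.998
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_ACME&Prod_Evidence_HDD&Rev_0711\\NA12345&0]
>>>  Section start 2014/03/11 14:07:40.250
<<<  Section end 2014/03/11 14:07:41.000
<<<  [Exit status: FAILURE(0xe0000203)]
"""

# One regex per line type we care about; everything else inside a section is ignored.
HEADER = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<devid>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (?P<ts>\S+ \S+)")
END = re.compile(r"^<<<\s+Section end (?P<ts>\S+ \S+)")
STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
TS_FORMAT = "%Y/%m/%d %H:%M:%S.%f"


def parse_device_installs(text):
    """Return one dict per 'Device Install' section: device id, start, end, exit status."""
    sections, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"device_id": m.group("devid"), "start": None, "end": None, "status": None}
            sections.append(current)
            continue
        if current is None:
            continue
        m = START.match(line)
        if m:
            current["start"] = datetime.strptime(m.group("ts"), TS_FORMAT)
            continue
        m = END.match(line)
        if m:
            current["end"] = datetime.strptime(m.group("ts"), TS_FORMAT)
            continue
        m = STATUS.match(line)
        if m:
            current["status"] = m.group("status")
            current = None  # the exit status line closes the section
    return sections


def find_device(text, needle):
    """Sections whose device id contains `needle` (case-insensitive), e.g. the writeblocker's vendor string."""
    needle = needle.lower()
    return [s for s in parse_device_installs(text) if needle in s["device_id"].lower()]


def installs_during(text, window_start, window_end):
    """Successful installs whose start time falls inside the job window."""
    return [s for s in parse_device_installs(text)
            if s["start"] is not None and window_start <= s["start"] <= window_end
            and s["status"] == "SUCCESS"]


if __name__ == "__main__":
    for s in find_device(SAMPLE_LOG, "WiebeTec"):
        print(s["device_id"], s["start"], s["end"], s["status"])
```

On a real system you would read `C:\Windows\inf\setupapi.dev.log` (and its rolled-over copies, if any) from the imaging workstation, not from the evidence, and correlate the section timestamps with your contemporaneous notes and photographs.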
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

How can someone prove whether or not I used a writeblocker?

This is interesting.

The use of a writeblocker is to make sure there are NO changes to the disk, i.e. it is a tool specifically devised to leave NO traces (or if you prefer NO contamination).

So, this extends to *any* other evidence and to *any* other commonly used method/tool/device/whatever used to prevent contamination of evidence, think of rubber gloves, evidence bags, cleanliness of environment and what not.

AFAIK, once you have followed an accepted or acceptable evidence handling protocol and you swear by it, the only way to prove that the "contamination protection device" (whatever it is) has not been used (or has been used improperly) is to prove that evidence has been contaminated.

jaclaz


(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

Assuming you were using Windows on your imaging system:

If you had not, time stamps would have been updated, a recycle bin may have been created, and other effects would possibly have occurred had you just directly connected the drive to the system.

If all time stamps pre-date the seizure of the system (plus you have photos, if I recall), I think the burden becomes theirs to prove you didn't.


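The timestamp check in the post above, as an added example that is not from the thread. It runs over a volume listing of the kind an MFT parser produces, flags every timestamp later than the seizure time, and separately flags entries under the directories Windows itself creates or populates when it mounts a volume read-write (a per-user `$RECYCLE.BIN\<SID>` folder or `System Volume Information`) if they were created after seizure. The seizure time and the listing are constructed for the example; whether an unblocked connection actually updates a given timestamp depends on the examiner's system and settings, so the two post-seizure entries are illustrative, not a claim about any particular Windows version.

```python
from datetime import datetime, timezone

# Assumed seizure time (constructed); in practice it comes from the seizure report.
SEIZURE = datetime(2014, 3, 9, 18, 30, tzinfo=timezone.utc)

# Top-level directories Windows creates or populates on its own when a volume is mounted read-write.
MOUNT_ARTEFACT_DIRS = ("$RECYCLE.BIN", "System Volume Information")


def _t(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed volume listing: (path, created, modified, accessed). Invented paths and times.
LISTING = [
    ("\\Users\\alice\\report.docx", _t(2013, 11, 2, 10, 0), _t(2014, 2, 1, 9, 15), _t(2014, 3, 1, 8, 0)),
    ("\\Windows\\System32\\kernel32.dll", _t(2012, 7, 26, 2, 0), _t(2012, 7, 26, 2, 0), _t(2012, 7, 26, 2, 0)),
    ("\\$RECYCLE.BIN\\S-1-5-21-11111-22222-33333-1001\\desktop.ini",
     _t(2013, 11, 2, 10, 5), _t(2013, 11, 2, 10, 5), _t(2013, 11, 2, 10, 5)),
    # The two entries below are the kind of trace a direct, unblocked connection to another
    # Windows box could leave: a recycle bin for a SID that never existed on the evidence, and
    # a thumbnail cache rewritten while someone browsed the pictures folder.
    ("\\$RECYCLE.BIN\\S-1-5-21-99999-88888-77777-1002\\desktop.ini",
     _t(2014, 3, 11, 14, 8), _t(2014, 3, 11, 14, 8), _t(2014, 3, 11, 14, 8)),
    ("\\Users\\alice\\Pictures\\Thumbs.db", _t(2013, 12, 3, 9, 0), _t(2014, 3, 11, 14, 9), _t(2014, 3, 11, 14, 9)),
]


def audit_listing(listing, seizure_time):
    """Return (path, reason) findings for anything that post-dates the seizure."""
    findings = []
    for path, created, modified, accessed in listing:
        top = path.lstrip("\\").split("\\", 1)[0]
        if top in MOUNT_ARTEFACT_DIRS and created > seizure_time:
            findings.append((path, "mount artefact created after seizure"))
            continue  # already the strongest finding for this entry
        for kind, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
            if ts > seizure_time:
                findings.append((path, f"{kind} {ts.isoformat()} is after seizure"))
    return findings


def latest_timestamp(listing):
    """The newest timestamp on the volume; should not be later than the seizure if nothing was written."""
    return max(ts for _, c, m, a in listing for ts in (c, m, a))


if __name__ == "__main__":
    print("latest activity:", latest_timestamp(LISTING).isoformat())
    for path, reason in audit_listing(LISTING, SEIZURE):
        print(path, "->", reason)
```

Bear in mind the next post's devil's-advocate point: a clean result only shows that nothing dated itself after the seizure, which is evidence, not proof, that no write occurred.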
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

Devil's advocate here.

Lots of folk think we (forensicators) can do just about anything we want with technology. For example, randomly change all the timestamps of all files on a hard drive within given dates (say, the date of installation and the date when we did 'bad stuff').

How well do Windows timestamps stand up if that were alleged?

Just saying, is all. I agree with twjolson

Cheers


Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

I think that it is more important to show how nothing has changed rather than "proving" what you used to accomplish this. Think about how you would "prove" you write-protected a floppy, for instance. Other than your notes and any metadata comparison, how do you "prove" you flipped the write-protect tab? My point is that the system artifacts you could use to show that something has not likely changed in Windows are not the same in *nix or OSX and so on. Don't get trapped in the thought process that the method used is more important than the result. This can lead to blindly trusting software or hardware to behave properly when they may not. That is why hashing the source before imaging and after is critical to proving nothing has been altered.


(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

That is why hashing the source before imaging and after is critical to proving nothing has been altered

Good point. I s'pose we should be asking why the lawyer wants proof that you used the tools when really if you can show pre- and post- imaging hashes match then you're good to go.

Unless they allege tampering with hash files and metadata on hash files, but it could get silly..............


(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

Good point. I s'pose we should be asking why the lawyer wants proof that you used the tools when really if you can show pre- and post- imaging hashes match then you're good to go.

That really is the heart of the matter. Who cares if you used a write blocker, so long as the evidence wasn't changed? Of course, the lack of change implies some sort of protection method. But still, if you didn't change the evidence, does it matter if you used a method of protection or not? It would still be forensically sound.


(@sebastianorossi)
Trusted Member
Joined: 14 years ago
Posts: 85
Topic starter  

How can someone prove whether or not I used a writeblocker?

This is interesting.

The use of a writeblocker is to make sure there are NO changes to the disk, i.e. it is a tool specifically devised to leave NO traces (or if you prefer NO contamination).

jaclaz

That's what I said: it would be terrible if you could prove whether or not I used a writeblocker, because that would mean contamination.
The lawyer is really young and not experienced in forensics. He didn't follow my job, but his colleague did. I think he was the only one free today to check the box.

I took a photo of every connection and of the serial of every drive. I did the job with a WiebeTech writeblocker, and the destination hard drives were new. For every image I had MD5, SHA1 and CRC32. Every day I sent detailed documentation to his colleague. I did the job in a police station, and I was watched by a man every day. He didn't have a gun on, but we were in a similar situation. We put seals on doors and materials. They were notified of every day of work; they could send someone to check my job!
Thank you for the answers; I will study them later.


(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

That is why hashing the source before imaging and after is critical to proving nothing has been altered

Good point. I s'pose we should be asking why the lawyer wants proof that you used the tools when really if you can show pre- and post- imaging hashes match then you're good to go.

Unless they allege tampering with hash files and metadata on hash files, but it could get silly..............

Pre- and post-hashing is best practice, but it does not prove that the examiner never altered the original exhibit. I've had this discussion with dozens of CF people, and the answer is always the same: if one were to change the system and didn't want to be detected, one would simply change it before hashing.

A hash simply proves that the IMAGE matches the drive state when you imaged it, and so was imaged correctly, and that the image has not been altered AFTER YOU MADE IT. It shows, for example, that your forensic tool didn't change the data while you were viewing it. It doesn't prove that the drive was never altered.

The lawyer is fishing for a deficiency in your process. This usually happens when there's no deficiency in your results. Hopefully you documented your process well enough to defend it.


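Beetle's pre/post hashing procedure and the limit patrick4n6 puts on it, as one added example that is not code from the thread. `acquire` does what an imaging run does: hash the source, image it, hash the source again, hash the image, and record whether the two source hashes agree and whether the image matches. `tamper_then_acquire` alters the exhibit before the first hash and then runs the same honest procedure, which still reports a clean match; only `alteration_detected`, comparing against a digest that someone else computed before the examiner touched the exhibit, can catch it. A `bytes` object stands in for the block device and the "disk" contents are constructed; `hash_stream` reads in chunks so it also works on a real device or image file opened read-only.

```python
import hashlib
import io

CHUNK = 1 << 20  # read 1 MiB at a time so a whole drive never has to fit in memory


def hash_stream(stream, algorithms=("md5", "sha1")):
    """Hash everything readable from `stream` (a file, or a raw device opened read-only) in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source_bytes):
    """Pre-hash the source, image it, post-hash the source, hash the image; return the verification record.
    The bytes object stands in for a block device; the copy stands in for the imaging tool."""
    pre = hash_stream(io.BytesIO(source_bytes))
    image = bytes(source_bytes)             # the acquisition itself
    post = hash_stream(io.BytesIO(source_bytes))
    img = hash_stream(io.BytesIO(image))
    return {
        "pre": pre, "post": post, "image": img,
        "source_unchanged": pre == post,    # nothing changed *between* the two source hashes
        "image_verified": img == pre,       # the image is a faithful copy of what was hashed
    }


def tamper_then_acquire(source_bytes, offset, replacement):
    """patrick4n6's point: alter the exhibit *before* the first hash, then run the normal procedure."""
    altered = bytearray(source_bytes)
    altered[offset:offset + len(replacement)] = replacement
    return acquire(bytes(altered))


def alteration_detected(reference_digests, record):
    """Only a digest computed independently *before* the examiner handled the exhibit
    (e.g. recorded at seizure) can reveal a pre-hash alteration."""
    return reference_digests != record["pre"]


# Constructed 'disk': 64 sectors of invented content, not real evidence.
ORIGINAL_DISK = b"".join(bytes([i % 256]) * 512 for i in range(64))

if __name__ == "__main__":
    honest = acquire(ORIGINAL_DISK)
    print("honest run:   source unchanged =", honest["source_unchanged"],
          " image verified =", honest["image_verified"])
    shady = tamper_then_acquire(ORIGINAL_DISK, 4096, b"edited before hashing")
    print("tampered run: source unchanged =", shady["source_unchanged"],
          " image verified =", shady["image_verified"])
    print("caught by an independent reference digest:", alteration_detected(honest["pre"], shady))
```

The honest and the tampered runs produce identical-looking verification records; that is exactly why the hashes prove the image and the post-hash state, while the documentation, photographs and supervision the topic starter describes are what cover the time before the first hash.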