Prove of use of writeblocker...

18 Posts
8 Users
0 Reactions
1,665 Views
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Pre and post hashing is best practice, but it does not prove that the examiner never altered the original exhibit.

sebastianorossi, the above is a good point. The same can be said of mobile phone examination as of examining HDDs. Consider the time frame between when the examiner takes an exhibit out of the evidence container and when the processes to acquire data are actually run: there is a huge window of opportunity for alteration/change/contamination.

Moreover, using a write-blocker doesn't prove the computer wasn't altered by examination at a scene or post seizure, prior to when you came into contact with the device and conducted an examination. Have a look at this discussion http://www.forensicfocus.com/Forums/viewtopic/t=6060/postdays=0/postorder=asc/start=0/ relating to events of examination at scene and post seizure.

Then decide what 'exactly' you think you are being asked to corroborate?

a) that the data is accurate (against which time period in the chain of custody - from one hand to another)?

or

b) that your examination methodology has not added to any (previous) alteration/change/contamination?

or

c) you used a write blocker connected to the target device (if it is the latter, then see below)?

If I have correctly understood from what you have said, you do actually have your proof of evidence that you used a write blocker on at least two occasions. The first is your witness, the first lawyer who was with you. This means the second lawyer who raised the point about 'proof of use' must now subpoena the first lawyer to give evidence. Also, your second witness is in fact the second lawyer (the one who did the asking about 'proof of use'), as he can testify to seeing you use a write blocker. Voilà! This means you will now have to talk with the Police to make sure both lawyers are subpoenaed before the court to give evidence.

So don't worry, lawyers don't lie.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I did the job with wiebetech writeblocker, the destination hard drive where new.

Though this fact won't make a difference from a technical standpoint (as you are doing a forensically sound dd-like copy sector by sector), it is IMHO a "weak point".

The fact that it is new does not necessarily imply it is "empty" or "wiped", nor that it "works properly".

Thanks to the incredible amount of b**lsh*t about "magnetic retention", mythical data recoveries and what not there are (IMHO completely wrong BTW) popular beliefs that "*something* from the previous write" may *somehow* alter the "newly written" contents.

As well, someone might argue that since the disk is new it has not been tested thoroughly and thus it may have a peculiar malfunction that alters a date or a byte or a sector every 2/3*Pi^2 Mb….

As other members already posted, you have the hash: if the hash has been calculated through a validated tool, and the hash of the image is the same, NO matter HOW EXACTLY (using a writeblocker, using *any* OS, etc.) you imaged the disk, it is a "forensically sound" image.

Additionally, the exact type and extent of the (hypothetical) contamination should be taken into account.

Let's imagine that for *any* reason you went completely mad, and notwithstanding the fact that you have handy a writeblocker and a validated forensic OS and related tools, you decide to take the image of a disk with a *normal* NT based system.
What could happen (at the most and in the worst case)?

  • Disk signature is written/re-written
  • a pagefile.sys is written to the disk (overwriting some "marked as available" sectors and thus removing the possibility - maybe - to recover some deleted data)
  • somehow CHKDSK is triggered and a few lost clusters/whatever are saved/some data is "fixed" at filesystem level

Could this create from thin air (examples):

  • a 1 GB movie of CP?
  • an email in the Outlook Express deleted folder identical to the (say) ransom request one that you are looking for?
  • an alteration to the data and dates/time about connected USB devices?

I would say NO.
So, paradoxically, in many cases it should be the prosecution that should make sure that a proper procedure is used, rather than the defendant's lawyers, in the sense that an improper procedure may make some existing data go "poof", but cannot actually "create" a meaningful artifact.

jaclaz


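The hash argument in the post above (source hashed before and after a sector-by-sector copy, image hashed once) can be shown on constructed data. This is an added example, not code from the thread or from any imaging tool; the eight-sector "disk", the simulated pagefile write and the function names are all assumptions made for the illustration.

```python
import hashlib

SECTOR = 512  # assumed sector size for the constructed disk


def sha1_of(data: bytes) -> str:
    """Hex SHA-1 of a byte buffer (the thread mentions MD5/SHA-1; either works)."""
    return hashlib.sha1(data).hexdigest()


def image_sector_by_sector(source: bytearray) -> bytes:
    """dd-like copy: read the source one sector at a time into a fresh buffer."""
    out = bytearray()
    for off in range(0, len(source), SECTOR):
        out += source[off:off + SECTOR]
    return bytes(out)


def verify_acquisition(source_before: str, image_hash: str, source_after: str) -> dict:
    """What the hash triad supports: the image equals the source as found, and the
    source left the acquisition window unchanged. It says nothing about the
    custody window before source_before was taken (trewmte's point)."""
    return {
        "image_matches_source": image_hash == source_before,
        "source_unchanged_during_acquisition": source_before == source_after,
    }


def acquire(source: bytearray, contaminate: bool = False) -> dict:
    before = sha1_of(source)
    img = image_sector_by_sector(source)
    if contaminate:
        # Simulate the no-write-blocker case from the post: the host OS drops a
        # pagefile into a sector the filesystem marks as free. Constructed data.
        source[4 * SECTOR:5 * SECTOR] = b"PAGEFILE".ljust(SECTOR, b"\0")
    after = sha1_of(source)
    verdict = verify_acquisition(before, sha1_of(img), after)
    verdict.update({"source_before": before, "image": sha1_of(img), "source_after": after})
    return verdict


def sample_disk() -> bytearray:
    """Constructed 8-sector disk: a fake signature, some user data, free space."""
    disk = bytearray(8 * SECTOR)
    disk[0:4] = b"\xAB\xCD\xEF\x01"
    disk[SECTOR:SECTOR + 12] = b"user-data..."
    return disk
```

With `contaminate=True` the image still matches the pre-acquisition hash, but the post-acquisition hash of the source differs, which is exactly the mismatch a validated pre/post hash procedure is there to surface.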
 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

If you used Encase it will show if a write block was used.


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

As other members already posted, you have the hash: if the hash has been calculated through a validated tool, and the hash of the image is the same, NO matter HOW EXACTLY (using a writeblocker, using *any* OS, etc.) you imaged the disk, it is a "forensically sound" image.

True jaclaz, it should be enough, but when sebastianorossi has already pointed that out to the lawyer about hashes and the question has still been posed regarding traceability, then the lawyer is throwing the examiner onto the back foot to defend his corner. Either the lawyer was wetting his finger and sticking it in the air to see which way the wind was blowing to determine how good a witness the examiner is going to be, or is possibly asking a question based upon

- being a rookie and just not understanding about hashes?
- is not comfortable with the explanation from the examiner because of previous opposition/knowledge about a matter?
- maybe uncomfortable because the lawyer is aware that he is potentially a witness, might need to give evidence and be subjected to cross-examination?

This is the point of my previous post. Either the examiner spends days and nights trying to preempt what might be the fallout of not giving an exact answer or solution, or alternatively revisits the question that was asked. The question asked by the lawyer was, to put it in simple terms - "Can you prove you used a write blocker?" The answer is "Yes I can. You and your colleague are my 'witnesses of fact' when you were both there [at] the examination in the examination suite on separate occasions and you both saw me using the write blocker as it was pointed out when both of you asked me to explain what procedure/process was applied to extract and harvest data from……………"

sebastianorossi, you have witnesses and you should use them. The lawyer is not going to lie about not knowing you used a write blocker.

If you used Encase it will show if a write block was used.

Did you mean EnCase's "will show" its own write blocker FastBloc® SE (Software Edition) Module or show whether an independent write blocker had been used 'wiebetech writeblocker'?


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The question asked by the lawyer was, to put it in simple terms - "Can you prove you used a write blocker?" The answer is "Yes I can. You and your colleague are my 'witnesses of fact' when you were both there [at] the examination in the examination suite on separate occasions and you both saw me using the write blocker as it was pointed out when both of you asked me to explain what procedure/process was applied to extract and harvest data from……………"

(devil's advocate, wink)
Well, then the adverse party could call as witness a famous prestidigitator and let him publicly demonstrate how it is perfectly possible to image a disk without the write blocker and make the whole audience believe it was used.

Then, if I were the (hostile) lawyer/witness I would testify that:

I was present while the procedure that the forensic examiner called "imaging" was carried out.
The forensic examiner appeared to be using some cables and a box that he defined as a "write blocker" to connect the suspect's hard disk to another hard disk.
Then he went on explaining that he was "imaging" the disk, adding that he was using a "write blocker".

This won't prove that a write blocker has been used, only that the forensic examiner affirmed that he was using it.

Back EXACTLY to square #1, no direct proof of use.

jaclaz


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

He asked me, how I can prove I used a writeblocker…

jaclaz I am not disagreeing with the solutions you are putting forward.

I am merely pointing out that the lawyer asked (after knowing all the work this examiner had performed) quite specifically whether sebastianorossi had used a write blocker. And, yes, he had, and the witness knew that as a fact.

If the lawyer wanted evidence that the write blocker was actually switched on and working when sebastianorossi conducted data acquisition, supported by some form of generated report, then that is an entirely different matter. It is often the case that examiners are left to import interpretation as to what the lawyer might have meant, sending the examiner scurrying here, there and everywhere looking for imagined required evidence or endeavouring to remove potential, but imagined, slights against the examiner's work. For instance, the first lawyer didn't raise this issue, but the second lawyer did. Why? Bear in mind, of course, that sebastianorossi had explained about hash values and taken photos, in addition to the lawyers having been present and having had the purpose of the equipment being used explained to them.

http://www.cftt.nist.gov/hardware_write_block.htm

http://www.ssdfreaks.com/content/612/modern-ssds-self-destroy-court-evidence
This also means that the use of so-called write blockers and other methods of isolating the drive from write activity offer no protection.

I have experienced this before when checking with the lawyer what s/he wants to know from their question: what is it they want their question to reveal? Rarely do they understand exactly what they want to know or ask. Merely they want to reduce or remove a possible line of enquiry from the other side by demonstrating relevant equipment was used.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

He asked me, how I can prove I used a writeblocker…

jaclaz I am not disagreeing with the solutions you are putting forward.

I am merely pointing out that the lawyer asked (after knowing all the work this examiner had performed) quite specifically whether sebastianorossi had used a write blocker. And, yes, he had, and the witness knew that as a fact.

That's good, since I am not disagreeing with yours either, only specifying (yes, I am picky) that a witness report does not "prove" something; it only represents a (hopefully true and in good faith) report of what has been perceived by the witness.

It is the forensic examiner (and only him/her) that can testify whether he/she used a write blocker (properly); all the other people around - especially if not specifically technically trained - can only testify something along the lines of my previous post, i.e. that they have seen the forensic examiner connect the hard disks to a box and some cables.

So, no real "proof" IMHO, even excluding the hypothesis of the forensic examiner being also a prestidigitator.

Still on this latter hypothesis, in theory - and for all the people present might know - the box could have contained (say) an SSD or other data storage and INSTEAD of transferring from disk A to disk B, it could have written its contents to both disks A and B …. 😯
A subsequent examination of the "original" and of the image would give the same hash, then the image would appear to be forensically sound, and you would have a few witnesses swearing that you used a write blocker….

As I see it, it is all about the honesty of the forensic examiner that actually made the image.
You either trust him/her on their word when they say they created a forensically sound image and they explain to you the procedure that was used, or you have no "proof".

BTW and OT, besides SSDs, I guess there will be some issues with these too
http://www.net-security.org/secworld.php?id=10894
http://www.toshiba.co.jp/about/press/2010_08/pr1001.htm
while, back to SSDs, some new models may do much worse than "garbage collect"
http://www.scientificamerican.com/article.cfm?id=self-destruct-button-toasts-solid-state-hard-drive
though nothing really "new" (roll)
http://www.wolfsprojectfiles.com/projects/HDDSelfDest3.php

jaclaz


(@sebastianorossi)
Trusted Member
Joined: 14 years ago
Posts: 85
Topic starter  

then the lawyer is throwing the examiner onto the back foot to defend his corner. Either the lawyer was wetting his finger and sticking it in the air to see which way the wind was blowing to determine how good a witness the examiner is going to be, or is possibly asking a question based upon

Actually, I am not so sure what is happening. I worked for the police. The five lawyers could attend the job every day and send their expert. The materials were always kept in the police station, not in my office. On the first day, they sent one lawyer to attend the opening of the job. He said he would be informed about the job, and would be present on the last day when we put the seal on the forensic copy. I always used a writeblocker, wrote a report, hashed the images, took pictures of screenshots, and pictures of the drive connected to my wiebetech. When I did the job, I was assisted by the police, but they didn't really understand anything about the job. They were there, but they did their job.
Because of the lawyer's work problems, or maybe strategy, he couldn't be present on the last day. They sent another lawyer, who asked me how I can prove the use of the blocker. We were not in the court… I said that if you can prove the use, it means you altered the data. Then I explained to him CRC32, MD5 and SHA1, which are unique data. He studied maths at school, so it seems he understood.


Page 2 / 2