Question about an analysis conducted on the original drive

packys
(@packys)
Topic starter  

Greetings all,

I was asked to conduct an investigation on a couple of PCs, and was wondering, given the circumstances (below), whether it was appropriate to conduct an analysis on the drive itself, viewing the drives mounted through a write blocker on the USB port? Would it be enough to say that I had mounted the drives in this way in order to prevent any alterations?

Circumstances
1) This is not a criminal investigation (employee misconduct), and will not become one under any circumstances (someone had already 'viewed' the drive before I was asked to take a look, and do a more thorough exam, thereby bringing into question the overall integrity)

2) I was told that this other 'someone' had already provided the employee's representation with images of the drives

3) This employee has already stipulated to the presence of the data that I have been asked to examine (but what it comes down to is 'Did he fake it?')

4) Time and resources are short right now, and I would rather not take up any more of either than is necessary

So, that being said, while imaging the drive is a 'best practice', I was wondering about the necessity of doing it under ALL circumstances?

Christine

P.S. Anyone going to the Cybercrime Summit?


   
(@gmarshall139)

I think it is perfectly acceptable to examine a drive in this manner, provided you have verified that the device works as indicated. The simplest way to do this is to attach a test drive with a known hash value, try and write to the drive by several means, then re-hash the drive to confirm that the device was indeed write blocked. There are however a couple of problems that immediately come to mind.

One is whether or not you can perform a thorough examination by that method. Explorer obviously was not intended as a forensic application. As you stated, you need to go past merely proving the presence of certain data, and prove intent. That will be a bit tougher. If I'm reading you right, it seems you really don't have anything else available. I think you'd be far better off with something such as Winhex, or perhaps a comparable Linux application (if you are versed in it). This way you can really get into all areas of the drive. These things can always be challenged, and having been involved in both criminal and civil cases, I can say the civil matters are often challenged much more vigorously. I guess that says something about what we value (money vs. freedom)! If I were to challenge you knowing that you were using Explorer, I'd just ask you if it was possible to examine all the data on the drive. The only answer is no.

Second problem is the risk of the drive failing during analysis. Every drive will have one catastrophic failure in its lifespan. I wouldn't want that happening while I was working on it.

I think you answered the question yourself when you said you knew what was the "best practice". And yes, we always need to follow the best practices. I think it would be appropriate to do a preview such as this to determine if a full analysis is necessary. It sounds like you are past that point.

Good luck, and I really would recommend a full analysis. You just never know where these things can end up.


   
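The write-blocker check described in the reply above, as an added example (not code from the original post or from any forum member): hash a scratch drive as it appears through the blocker, try to write to it by more than one method, sync, hash it again and compare. It assumes a Linux or BSD host with `sha256sum` (or `shasum`), that it is run as root so the raw writes are genuinely attempted, and that the device path handed to it (`/dev/sdb` in the usage line is only an illustration) is a scratch drive, never the evidence drive.

```shell
#!/bin/sh
# Added example (not from the original post): verify a write blocker the way
# the reply describes. Hash a scratch drive as seen through the blocker, try
# to write to it by several methods, sync, hash again, and compare.
#
# Assumptions: Linux/BSD host, sha256sum or shasum available, run as root so
# raw device writes are actually attempted, and DEV is a scratch drive such
# as /dev/sdb (an illustrative path), never the evidence drive.

hash_dev() {
    # Hash the whole device (or file) and print only the digest.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

attempt_writes() {
    # Several independent write paths. Behind a working blocker every one of
    # them must fail, so their errors are discarded and failure is tolerated.
    dev="$1"
    # 1. Raw write of a recognizable marker into the first sector.
    printf 'WRITEBLOCK-TEST-%s' "$(date +%s)" \
        | dd of="$dev" bs=512 count=1 conv=notrunc 2>/dev/null || true
    # 2. Zero one sector 1 MiB in: a different offset and a different input.
    dd if=/dev/zero of="$dev" bs=512 seek=2048 count=1 conv=notrunc 2>/dev/null || true
    # 3. Plain shell redirection, which opens the device without dd at all.
    printf 'x' > "$dev" 2>/dev/null || true
    # Push any cached writes down to the device before re-hashing.
    sync
}

verify_write_block() {
    # Exit status: 0 = device unchanged (blocker works), 1 = device changed,
    # 2 = could not hash the device.
    dev="$1"
    [ -r "$dev" ] || return 2
    before=$(hash_dev "$dev")
    [ -n "$before" ] || return 2
    attempt_writes "$dev"
    after=$(hash_dev "$dev")
    [ -n "$after" ] || return 2
    if [ "$before" = "$after" ]; then
        echo "PASS: $dev unchanged after write attempts"
        echo "  sha256: $before"
        return 0
    fi
    echo "FAIL: $dev changed; the blocker is NOT blocking writes"
    echo "  before: $before"
    echo "  after:  $after"
    return 1
}

# Usage: sh verify_blocker.sh /dev/sdb   (scratch drive behind the blocker)
if [ "$#" -ge 1 ]; then
    verify_write_block "$1"
fi
```

A PASS only shows that these particular write paths were stopped; it says nothing about the drive's prior state, so compare the "before" digest with a hash of the same scratch drive taken earlier, and repeat the check whenever the blocker, its firmware or its cabling changes.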
darren_q
(@darren_q)

We quite often preview with EnCase for "quick look" requests.

Or you could always use FTK Imager, which would be better than using Explorer.


   
arashiryu
(@arashiryu)

I agree with gmarshall139. There is always a chance of a hardware issue / failure if you are working on the original hard drive / evidence.

I recommend grabbing a forensic image and doing analysis in FTK Imager. FTK Imager will let you examine unallocated space, the recycle bin, obtain protected files etc. while still giving you the luxury of simulating Windows Explorer.

Good Luck !


   