
Return of seized devices

25 Posts
6 Users
0 Reactions
7,752 Views
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

Once a write blocker is used on a drive it cannot be undone (I believe), and this is normally one of the first steps in an examination.

So basically any computer or drive that is examined is ruined prior to being returned to the owner

I'm not sure I understand your question here - how does a write-blocker in any way cause a drive to be "ruined"? The entire point of a write-blocker is to preserve the data integrity as much as possible. If you are destroying a HDD then your processes are, uh, extremely questionable.

'Ruined' as far as the drive can no longer be used in anything other than a Read Only fashion


   
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

If they are tried and found guilty then whether their devices are returned typically depends on the type of crime; for fraud then they can be kept by the police as part of the proceeds of crime act, I believe.

Chris,

What experience do you have of this?

While I do not work in LE, I have collaborated, and having seen some policies in a number of forces on seized property, they are all very clear on one thing - with digital data devices such as phones and computers they will not return them to anyone other than the original owner to comply with data protection; if the owner doesn't call for those items within a set period they will be destroyed. Other items of property will go to the police auction, such as cars if they remain uncalled for. But anything that could have contained personal data will either be returned to the original owner or destroyed - this is to protect them from any data protection breach claims.

I'd be very interested if they have a different policy when proceeds of crime is concerned for selling such devices in order to realise property.


   
BraindeadVirtually
(@braindeadvirtually)
Estimable Member
Joined: 17 years ago
Posts: 115
 

Once a write blocker is used on a drive it cannot be undone (I believe), and this is normally one of the first steps in an examination.

So basically any computer or drive that is examined is ruined prior to being returned to the owner

I'm not sure I understand your question here - how does a write-blocker in any way cause a drive to be "ruined"? The entire point of a write-blocker is to preserve the data integrity as much as possible. If you are destroying a HDD then your processes are, uh, extremely questionable.

'Ruined' as far as the drive can no longer be used in anything other than a Read Only fashion

That's not how any write blocker I've ever encountered works. They simply block writes to the drive on either the physical or logical (OS) level for the time that the drive is connected via the write blocker. I guess you maybe *could* block writes to a drive by desoldering something on the controller board, thus rendering it read-only until it was resoldered or a new controller board was attached. Nobody does this as far as I am aware…


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

'Ruined' as far as the drive can no longer be used in anything other than a Read Only fashion

So, according to you when you connect a write blocker to a hard disk magically the "read only property" migrates from the write blocker to the device? 😯

It doesn't work like that.

A write blocker is nothing but a "filter" interposed between the computer and the device; your computer OS may send write commands to the device, but the write blocker filters them and they never arrive at the device.

As soon as you remove the filter between the device and computer and connect them directly of course you can write to it alright.

jaclaz
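
The filter behaviour described in the post above, sketched as an added example that is not part of the original thread or any poster's code: a toy model in which the blocker forwards only allow-listed commands and keeps no state on the drive. The opcodes are standard ATA command codes; the `Disk` and `WriteBlocker` classes and the sector contents are hypothetical and constructed for illustration.

```python
# Added illustration: a write blocker modelled as a command filter.
# Disk and WriteBlocker are hypothetical; they model behaviour only,
# not any vendor's firmware. Opcodes are standard ATA command codes.
READ_DMA_EXT, WRITE_DMA_EXT = 0x25, 0x35
IDENTIFY_DEVICE, DATA_SET_MANAGEMENT = 0xEC, 0x06   # 0x06 carries TRIM

# Allow-list: anything not known to be read-only is refused.
ALLOWED = {READ_DMA_EXT, IDENTIFY_DEVICE}


class Disk:
    """Constructed stand-in for a drive: a dict of LBA -> sector bytes."""
    def __init__(self, sectors):
        self.sectors = dict(sectors)

    def execute(self, opcode, lba=0, data=None):
        if opcode == READ_DMA_EXT:
            return self.sectors.get(lba, b"\x00" * 512)
        if opcode == WRITE_DMA_EXT:
            self.sectors[lba] = data
            return "OK"
        if opcode == DATA_SET_MANAGEMENT:
            self.sectors.pop(lba, None)
            return "OK"
        if opcode == IDENTIFY_DEVICE:
            return "IDENTIFY data"
        return "ABORTED"                 # command not modelled


class WriteBlocker:
    """Sits between host and disk; the read-only property lives here."""
    def __init__(self, disk):
        self.disk = disk
        self.blocked = []                # audit trail of refused opcodes

    def execute(self, opcode, lba=0, data=None):
        if opcode not in ALLOWED:
            self.blocked.append(opcode)
            return "ABORTED"             # never forwarded to the disk
        return self.disk.execute(opcode, lba, data)


def demo():
    disk = Disk({0: b"evidence"})        # constructed sample content
    bridge = WriteBlocker(disk)
    via_blocker = [bridge.execute(WRITE_DMA_EXT, 0, b"tampered"),
                   bridge.execute(DATA_SET_MANAGEMENT, 0),
                   bridge.execute(READ_DMA_EXT, 0)]
    # Blocker removed: the same drive, attached directly, is writable again.
    direct = [disk.execute(WRITE_DMA_EXT, 1, b"new data"),
              disk.execute(READ_DMA_EXT, 1)]
    return via_blocker, direct, bridge.blocked
```
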


   
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

In very special cases physical dismantling is needed to extract or preserve the relevant data as is, without allowing regular power-on of the device. Think of a case where the hard disk's spin-up/spin-down counter is a proof, or when you need any other current S.M.A.R.T. data, which would be modified if you power on the hard drive.

But this has nothing to do with write blockers or the return of the seized devices )


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Think of a case where the hard disk's spin-up/spin-down counter is a proof, or when you need any other current S.M.A.R.T. data, which would be modified if you power on the hard drive.

I am thinking (and thinking hard), but cannot imagine any possible case where spin-up/spin-down counter, let alone S.M.A.R.T., may be useful, let alone *needed*. ?

jaclaz


   
BraindeadVirtually
(@braindeadvirtually)
Estimable Member
Joined: 17 years ago
Posts: 115
 

Think of a case where the hard disk's spin-up/spin-down counter is a proof, or when you need any other current S.M.A.R.T. data, which would be modified if you power on the hard drive.

I am thinking (and thinking hard), but cannot imagine any possible case where spin-up/spin-down counter, let alone S.M.A.R.T., may be useful, let alone *needed*. ?

jaclaz

5 year old well used computer with a hard drive in it that you cannot otherwise establish the age of. Owner swears blind it's the original hard drive, never been changed.

I know, highly unlikely…


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

5 year old well used computer with a hard drive in it that you cannot otherwise establish the age of. Owner swears blind it's the original hard drive, never been changed.

I know, highly unlikely…

BUT the label on the hdd has been removed …
And still spin-up/spin-down doesn't seem to me so relevant (again let alone S.M.A.R.T.)
I mean
1) power on the disk
2) check spin-on counter
3) subtract 1
4) …
5) profit
wink

jaclaz


   
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

Think of a case where the hard disk's spin-up/spin-down counter is a proof, or when you need any other current S.M.A.R.T. data, which would be modified if you power on the hard drive.

I am thinking (and thinking hard), but cannot imagine any possible case where spin-up/spin-down counter, let alone S.M.A.R.T., may be useful, let alone *needed*. ?

jaclaz

Don't burn your brain cells thinking for nothing )

This year I did analysis related to a civil case, where a customer sued a retailer for selling him a used (pricey) notebook as new. The spin-up/spin-down counter showed clearly that the hard disk drive mounted inside was used before.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

This year I did analysis related to a civil case, where a customer sued a retailer for selling him a used (pricey) notebook as new. The spin-up/spin-down counter showed clearly that the hard disk drive mounted inside was used before.

Sure, and the spin-up time counter was at 1357.
Your client had undoubtedly powered it on n times (say 32 or 33 times) in the two weeks he had it.
What difference would it have made if you had actually powered it on and read 1358?

Come on …. )

And of course I would be curious how exactly you extracted the information from the disk drive and which specific disk drive make/model it was (as AFAIK most drives have service areas containing SMART data on the platters and not on chip ? )

jaclaz


   