A forensically sound preservation of hard drive data combines three things: write blocking, so that nothing on the evidence drive can change while it is examined; imaging software that copies every byte of the drive, not just the files the operating system shows; and cryptographic hashing, so that the accuracy of the copy can be proven later.

METHOD 2: WRITE BLOCKING

Computer forensics experts use devices called “write blockers” to thwart inadvertent alteration of digital evidence, but write blockers aren’t sold in stores and cost from $150 to $1,300. Hardware write blocking is best if timetable and budget allow, because it works regardless of what the imaging machine’s operating system does. Manufacturers include Tableau LLC, WiebeTech LLC and MyKey Technology Inc. Otherwise, software write blocking offers a no-cost, “right now” alternative.

To hinder data theft, Windows XP Service Pack 2 added support for software write blocking of USB storage devices. A minor tweak to the system registry disables the computer’s ability to write to devices connected through its USB ports: the DWORD value WriteProtect under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, when set to 1, causes Windows to attach USB mass-storage devices read-only. To make (and reverse) the registry entry, you can download switch files (small .reg files that set the value to 1 or back to 0) or follow instructions for editing the registry by hand. Two caveats: the policy covers only USB mass-storage devices, not Firewire or internal drive interfaces, so anything attached another way remains writable; and because it is a software control rather than a physical one, you must test it on a scratch thumb drive before the evidence drive comes anywhere near the machine.
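As an added example (not code from the original column or from any forensic tool vendor), the registry switch and the thumb-drive test in Python. The registry location is the documented StorageDevicePolicies value; the probe technique, creating and deleting a marker file on a scratch device and treating a refused write as proof the block is on, is an assumption about how to test it, and the scratch-directory run at the bottom stands in for a thumb drive so the script runs anywhere.

```python
"""Software USB write block for Windows XP SP2 and later: a .reg "switch file"
generator, a direct registry setter/checker, and a write probe for testing the
block on a SCRATCH thumb drive. Added example, not from the original column."""
import os
import shutil
import tempfile
import uuid

# Documented XP SP2+ policy: WriteProtect=1 attaches USB mass-storage read-only.
POLICY_KEY = r"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
POLICY_VALUE = "WriteProtect"


def reg_switch_text(enabled: bool) -> str:
    """Contents of a .reg switch file that turns the USB write block on or off.

    Merge it as Administrator, then reboot (or at least re-plug the device)
    before trusting the new setting."""
    state = "00000001" if enabled else "00000000"
    return (
        "Windows Registry Editor Version 5.00\r\n"
        "\r\n"
        f"[HKEY_LOCAL_MACHINE\\{POLICY_KEY}]\r\n"
        f'"{POLICY_VALUE}"=dword:{state}\r\n'
    )


def set_usb_write_protect(enabled: bool) -> None:
    """Write the policy directly. Windows only; must run as Administrator."""
    import winreg  # standard library, but only present on Windows
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        winreg.SetValueEx(key, POLICY_VALUE, 0, winreg.REG_DWORD,
                          1 if enabled else 0)


def usb_write_protect_enabled() -> bool:
    """Read the policy back. A missing key or value means the block is off."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, kind = winreg.QueryValueEx(key, POLICY_VALUE)
    except FileNotFoundError:
        return False
    return kind == winreg.REG_DWORD and value == 1


def probe_write_blocked(mount_point: str) -> bool:
    """Try to create (and remove) a marker file on a SCRATCH device.

    True means the OS refused the write (block working). False means the
    write went through: fix the block before imaging. Never point this at
    the evidence drive; a successful probe writes to it."""
    if not os.path.isdir(mount_point):
        # A missing drive letter would also raise OSError below; do not let
        # "not there" masquerade as "blocked".
        raise FileNotFoundError(f"{mount_point!r} is not a mounted directory")
    marker = os.path.join(mount_point, f"wb-probe-{uuid.uuid4().hex}.tmp")
    try:
        with open(marker, "xb") as fh:
            fh.write(b"write-block probe\n")
    except OSError:
        # Write-protected media typically surfaces as PermissionError
        # ("The media is write protected" on Windows, EROFS elsewhere).
        return True
    os.remove(marker)
    return False


def probe_scratch_directory() -> bool:
    """Stand-in for the thumb-drive test: probe a writable temp directory.

    Expect False here; on a correctly blocked thumb drive expect True."""
    scratch = tempfile.mkdtemp(prefix="wb-scratch-")
    try:
        return probe_write_blocked(scratch)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    print(reg_switch_text(True))
    print("scratch directory blocked:", probe_scratch_directory())
```

On the imaging machine the sequence is: merge the “on” switch file (or call set_usb_write_protect(True)), reboot, confirm usb_write_protect_enabled() reports True, plug in a scratch thumb drive and confirm probe_write_blocked("E:\\") (or whatever letter it received) returns True. Only then connect the evidence drive.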

You’ll also need:

  • Imaging Machine: A computer running Windows XP with Service Pack 2 and equipped with both USB 2.0 and IEEE 1394 (aka FireWire or i.Link) ports. If you rely on software write blocking, the second interface is not optional: the USB ports will be read-only, so the target drive needs another way in.

  • Forensic Imaging Application: Though forensic software companies charge a pretty penny for their analysis tools, several make full-featured imaging tools freely available. Two fine Windows-compatible tools are Technology Pathways’ ProDiscover Basic Edition and AccessData’s FTK Imager. I prefer FTK Imager for its simplicity and ability to create images in multiple formats, including raw (dd) images and the widely used EnCase E01 format.

  • Target Drive: A new, shrink-wrapped external hard drive to hold the image. It should be larger in capacity than the drive being imaged and, if using software write blocking, choose a drive that connects by IEEE 1394 Firewire (as USB ports will be write blocked).

  • [Software write blocking only] A USB bridge adapter cable or external USB 2.0 drive enclosure matching the evidence drive’s interface (i.e., Serial ATA or Parallel ATA). Though you’ll find drive enclosures at your local computer store, I favor cabling like the Vantec Thermal Technologies’ (www.vantecusa.com) CB-ISATAU2 adapter cable mentioned last month because they connect to 2.5″, 3.5″ and 5.25″ IDE and SATA drives and facilitate imaging without removing the drive.



IMAGING THE DRIVE: STEP-BY-STEP

1. It’s important to carefully document the acquisition process. Inspect the evidence machine and note its location, user(s), condition, manufacturer, model and serial number or service tag. Photograph the chassis, ports and peripherals.

2. Disconnect all power to the evidence machine (unplug it, and pull the battery from a laptop), open its case and locate the hard drive(s). If more than one drive is present, you’ll need to image them all. Accessing a laptop drive can be tricky, so check the manufacturer’s Web site if you’re uncertain how to safely remove and handle the drive. Take a picture of the drive(s) and cabling. If you can’t read the labeling on the face of the drive or comfortably access its cabling, remove the drive by disconnecting its data and power cables and removing the mounting screws on both sides of the drive or (particularly in Dell machines) by depressing a lever to release the drive carriage. Handle the drive carefully. Don’t squeeze or drop it, and avoid touching the circuit board or connector pins. If using a hardware write blocker, connect it to the evidence drive immediately and leave it in place until imaging is complete and authenticated.

3. Download and install FTK Imager on the imaging machine. If using software write blocking, apply the registry tweak, reboot and test it with a scratch thumb drive or other expendable USB storage device: try to create a file on it and confirm that Windows refuses. Never test with the evidence drive, because a test that fails writes to it.

4. Connect the evidence drive to the imaging machine through the hardware write block device or, if using software write protection, through either the USB drive enclosure or the bridge cable connected to a software write blocked USB port. Above all, be sure the evidence drive connects only through a write blocked device or port. Connected any other way (an internal SATA or IDE cable, a Firewire enclosure), Windows will mount the drive read-write and quietly alter it the moment it appears.

5. If USB ports are software write blocked, connect the target drive via the IEEE 1394 port. If you are using a hardware write blocker instead, the USB ports are not blocked and the target drive may use either interface.

6. Run FTK Imager, and in accordance with the instructions in the program’s help file for creating forensic images, select the write-protected evidence drive as the source physical drive (not a logical volume, which would omit unallocated space outside the partition), then specify the destination (target) drive, folder and filename for the image. I suggest incorporating the machine identifier or drive serial number in the filename, choosing “E01” as the image type, accepting the default 650MB image fragment size and opting to compress the image and verify results. The “verify” option makes FTK Imager re-read the finished image and confirm that it hashes to the same values as the source.

Hash authentication: Creating a forensically sound compressed image of a sizable hard drive can take hours. FTK Imager will display its progress and estimate time to completion. When complete, the program will display and store a report including two calculated “digital fingerprints” (MD5 and SHA1 hash values) computed over every byte read from the evidence drive. For all practical purposes these values uniquely identify the acquired data: two drives or images with the same hashes contain the same bytes, and changing even one bit changes the hashes. (MD5 alone is no longer considered collision-resistant, which is one reason the report records SHA1 as well.) These hash values enable you to prove that the evidence and duplicate data are identical, and recomputing them later and comparing them with the report establishes whether the image was altered after acquisition. Copy the values into your notes; a report that exists only on the target drive proves nothing if that drive is questioned.

7. When the imaging process is done, label the target drive with the date, the names of the system user(s) and machine identifier. Include the model and serial number of the imaged drive and the MD5 and SHA1 values from the report.

8. With the evidence drive disconnected, reconnect power to the evidence machine and boot into the machine’s setup screen to compare the BIOS clock and calendar with a reliable time source and note any discrepancy; the file timestamps in your image are only as trustworthy as that clock. Disconnect power again and reinstall the evidence drive, being careful to properly reconnect the drive’s power and data cables.
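An added example of the hash authentication described above, in Python; it is not code from the original column or from FTK Imager. It covers raw (dd-style) images written as numbered fragments (.001, .002, ...), where the acquisition hashes are over the concatenated fragment stream: it computes MD5 and SHA1 in a single pass, records them in a manifest, and re-verifies later, detecting a one-bit change. E01 images are compressed, so their file bytes do not hash to the acquisition hash; verify those with a tool that decodes the format, such as FTK Imager’s own “verify” option. The fragment names, manifest layout and sample data are constructed for the example.

```python
"""Hash authentication of a raw (dd-style) image: single-pass MD5 and SHA1
over ordered fragments, a manifest to keep with your notes, and re-verification.
Added example, not from the original column or from FTK Imager."""
import hashlib
import json
import os
import re
import shutil
import tempfile
from typing import Dict, Iterable, List

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-hundred-GB images
ALGORITHMS = ("md5", "sha1")  # the two values an FTK Imager report records


def ordered_fragments(directory: str, stem: str) -> List[str]:
    """Return stem.001, stem.002, ... from directory, in numeric order.

    Refuses to proceed if a fragment is missing, since hashing a stream with a
    gap silently produces a wrong (but plausible-looking) value."""
    pattern = re.compile(re.escape(stem) + r"\.(\d{3,})$")
    found = []
    for name in os.listdir(directory):
        m = pattern.match(name)
        if m:
            found.append((int(m.group(1)), os.path.join(directory, name)))
    if not found:
        raise FileNotFoundError(f"no fragments named {stem}.NNN in {directory}")
    found.sort()
    numbers = [n for n, _ in found]
    if numbers != list(range(numbers[0], numbers[0] + len(numbers))):
        raise ValueError(f"fragment sequence has gaps: {numbers}")
    return [p for _, p in found]


def iter_chunks(paths: Iterable[str]) -> Iterable[bytes]:
    """Stream the fragments back to back, as one continuous drive image."""
    for path in paths:
        with open(path, "rb") as fh:
            while True:
                block = fh.read(CHUNK)
                if not block:
                    break
                yield block


def hash_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to both digests once; fragment boundaries don't matter."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in chunks:
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_image(paths: List[str]) -> Dict[str, str]:
    return hash_chunks(iter_chunks(paths))


def compare_hashes(computed: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match against values copied from the acquisition report."""
    return {name: computed[name].lower() == expected[name].strip().lower()
            for name in ALGORITHMS if name in expected}


def write_manifest(path: str, fragments: List[str], hashes: Dict[str, str]) -> None:
    record = {"fragments": [os.path.basename(p) for p in fragments],
              "bytes": sum(os.path.getsize(p) for p in fragments), **hashes}
    with open(path, "w") as fh:
        json.dump(record, fh, indent=2)


def verify_manifest(directory: str, stem: str, manifest_path: str) -> bool:
    """Re-hash the image and compare with the manifest; False on any mismatch."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    fragments = ordered_fragments(directory, stem)
    return all(compare_hashes(hash_image(fragments), expected).values())


def demo():
    """Constructed image: two fragments, verify, flip one bit, verify again."""
    work = tempfile.mkdtemp(prefix="img-")
    try:
        data = bytes(range(256)) * 4096  # constructed 1 MiB "drive"
        stem = "evidence"  # hypothetical stem; use the drive serial in practice
        frags = [os.path.join(work, f"{stem}.001"), os.path.join(work, f"{stem}.002")]
        with open(frags[0], "wb") as fh:
            fh.write(data[:700_000])
        with open(frags[1], "wb") as fh:
            fh.write(data[700_000:])
        manifest = os.path.join(work, f"{stem}.hashes.json")
        write_manifest(manifest, ordered_fragments(work, stem), hash_image(frags))
        clean = verify_manifest(work, stem, manifest)
        with open(frags[1], "r+b") as fh:  # tamper: flip one bit
            fh.seek(10)
            b = fh.read(1)
            fh.seek(10)
            fh.write(bytes([b[0] ^ 1]))
        tampered = verify_manifest(work, stem, manifest)
        return clean, tampered
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print("clean verifies, tampered verifies:", demo())
```

In practice you would run hash_image over the fragments immediately after acquisition, confirm the values match the imaging tool’s report before the evidence drive goes back into the machine, and keep the manifest with your notes and photographs rather than only on the target drive.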

Whether you return the evidence machine to service or lock it up depends on the facts of the case and duties under the law. But once you’ve secured a forensically sound, authenticated image (along with your notes and photos), you’ve got a “perfect” duplicate of everything that existed on the machine at the time it was imaged and, going forward, the means to prove that the data preserved is complete and unaltered.

The safest way to forensically preserve digital evidence is to engage a qualified computer forensics expert because no one is better equipped to prevent problems or resolve them should they arise. But when there’s no budget for an expert, there’s still an affordable way to meet a duty to forensically preserve electronic evidence: do-it-yourself.

This article originally appeared in Law Technology News, a Recorder affiliate. Craig Ball, a member of the editorial advisory boards of both LTN and Recorder affiliate Law.com Legal Technology, is a trial lawyer and computer forensics/EDD special master based in Austin, Texas. You can contact the author at [email protected].

Practice Center articles inform readers on developments in substantive law, practice issues or law firm management. Contact Sheela Kamath with submissions or questions at [email protected] or www.callaw.com/submissions.