So, you’ve just been handed a hard drive by your boss, with instructions to find all the vital information on the storage device. You are immediately excited about your first solo assignment, until you look down at the hard drive and think: “Now what do I do?” Do you plug it into your computer and start investigating? Do you use one of the tools in the lab to interrogate the drive? Let’s discuss the options that may come in handy if you ever find yourself in this position.
If you are given a hard drive to investigate, it is not in your best interest to connect the device directly to your workstation. If the investigation reaches court, the evidence presented in a computer crime case must be shown to be unaltered. To make sure the data is not altered, investigators use a write blocker. Connecting a drive to a computer without one will usually change the data: the operating system mounts the volume and may replay the file system journal, update access timestamps, or write its own metadata to the disk, resulting in unintentional alterations even though you never opened a single file.
What are write blockers? They are devices that permit read-only access to a storage device without altering its contents. A write blocker sits between the computer and the storage device: the drive is connected to the write blocker, the write blocker is connected to the computer, and any write command the computer issues is intercepted before it can reach the drive.
So now that we are certain our data cannot be altered with the use of a write blocker, we can investigate the original hard drive, right?! WRONG! We must continue to follow the golden rule of forensics: never modify original data. Wherever possible, a forensic image (a bit-for-bit copy) of the original drive should be created, using third-party imaging software on the workstation while the drive sits behind the write blocker, and all examination should be done on that image rather than the original. Creating a forensic image is itself a detailed process, and if it is not done correctly it can increase the chances of altering the data.
Using a stand-alone imaging device greatly decreases the chances of altering data. An imaging device provides read-only access to the source drive without risk to the drive’s contents, and, unlike a plain write blocker, it creates the forensic image for you. This can be a good alternative to a write blocker, especially if you are not yet experienced at creating an image by hand. With an imaging device, image creation and hash verification are typically faster than the multiple steps involved in creating the image with third-party software, because the device hashes the data as it streams it from the source.
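As an added example (not code from the original article), here is a minimal imaging routine in Python that carries out the two steps the paragraphs above describe: a read-only, block-by-block copy of the source with MD5 and SHA-256 computed as the source is read, followed by re-hashing the finished image from disk and comparing the two sets of hashes, which is the verification step an imaging device performs for you. The "drive" it reads is a file constructed inline; the names `acquire_image`, `hash_file`, `AcquisitionRecord`, `demo` and `SAMPLE_DRIVE` are my own. Unreadable blocks are zero-filled and their offsets logged, the same policy as `dd conv=noerror,sync`. Opening the source read-only is the software half of the golden rule; it does not stop the operating system or other processes from writing, which is what the hardware write blocker is for.

```python
"""Added example, not part of the original article: dd-style acquisition with
inline hashing and read-back verification, on a file standing in for a drive."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

BLOCK_SIZE = 4 * 1024 * 1024  # 4 MiB reads, a common dd bs= choice for spinning disks


@dataclass
class AcquisitionRecord:
    """Fields an examiner would copy into the acquisition log."""
    bytes_acquired: int = 0
    bad_block_offsets: list = field(default_factory=list)  # zero-filled after a read error
    source_md5: str = ""
    source_sha256: str = ""
    image_md5: str = ""
    image_sha256: str = ""

    @property
    def verified(self) -> bool:
        """True only if the image on disk hashes identically to what was read from the source."""
        return (self.bytes_acquired > 0
                and self.source_md5 == self.image_md5
                and self.source_sha256 == self.image_sha256)


def hash_file(path: str, block_size: int = BLOCK_SIZE) -> tuple[str, str]:
    """MD5 and SHA-256 of a file, read in chunks so a large image does not fill RAM."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def acquire_image(source: str, image_path: str, block_size: int = BLOCK_SIZE) -> AcquisitionRecord:
    """Bit-for-bit copy of `source` (a device node, or a file standing in for one)
    into `image_path`, hashing the source bytes as they are read."""
    rec = AcquisitionRecord()
    md5, sha = hashlib.md5(), hashlib.sha256()
    # O_RDONLY: this process never holds the evidence open for writing. It is not
    # a substitute for a hardware write blocker, which also stops the OS itself.
    fd = os.open(source, os.O_RDONLY)
    try:
        with open(image_path, "wb") as out:
            offset = 0
            while True:
                try:
                    chunk = os.read(fd, block_size)
                except OSError:
                    # Same policy as dd conv=noerror,sync: pad the unreadable
                    # block with zeros, note its offset, and continue past it.
                    chunk = b"\x00" * block_size
                    rec.bad_block_offsets.append(offset)
                    os.lseek(fd, offset + block_size, os.SEEK_SET)
                if not chunk:
                    break
                md5.update(chunk)
                sha.update(chunk)
                out.write(chunk)
                offset += len(chunk)
            rec.bytes_acquired = offset
    finally:
        os.close(fd)
    rec.source_md5, rec.source_sha256 = md5.hexdigest(), sha.hexdigest()
    # Re-read the image from disk rather than trusting the bytes we just wrote.
    rec.image_md5, rec.image_sha256 = hash_file(image_path, block_size)
    return rec


# Constructed sample "drive": 3 MiB of a repeating byte pattern plus an odd-sized
# tail, so the final read is shorter than the block size (as on a real disk).
SAMPLE_DRIVE = bytes(range(256)) * 12288 + b"end-of-disk"


def demo(block_size: int = 64 * 1024) -> AcquisitionRecord:
    """Write the sample drive to a temp file (standing in for /dev/sdX) and image it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence-drive")  # hypothetical stand-in for a device node
        image = os.path.join(tmp, "evidence.raw")
        with open(source, "wb") as f:
            f.write(SAMPLE_DRIVE)
        return acquire_image(source, image, block_size)


if __name__ == "__main__":
    record = demo()
    print(f"acquired {record.bytes_acquired} bytes, verified={record.verified}")
    print(f"SHA-256 {record.source_sha256}")
    print(f"MD5     {record.source_md5}")
```

On a real acquisition `source` would be the device node exposed behind the write blocker (for example `/dev/sdb` on Linux), the script would run as a user with read permission on it, and the two hash values plus any bad-block offsets would go into the acquisition log alongside the drive's serial number and the examiner's name and time stamps.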
Which do we use when?
So, this is all critical information for starting your first solo assignment. We began with a blank stare at a hard drive and have now learned about the different devices that can help you perform your investigation. Now, which one is better to use? Well, that depends on you! Evidently, if used correctly, each device will give you results that do not alter the original data. Which one is better depends on what the investigation consists of.
Some write blockers have both a read-only mode and a write mode, so with a write blocker the user keeps more control over the data. For example, if you would like to edit a hex value on a cloned drive to see how the data behaves (on the working copy, of course, never the original), switching the blocker into write mode lets you do that with the same hardware. An imaging device, by contrast, creates the image for you and is not as open to user interaction.
Although an imaging device lacks a write mode, it has features that a write blocker does not. For example, an imaging device can connect directly to the evidence server: no extra cables and no workstation are needed to write-block and image a drive. If an image has to be made at an outside location, a computer does not have to be present at the scene; the imaging device is connected to the evidentiary media and writes the image straight to the server. An imaging device also has a user-friendly interface that amounts to pressing a button to create the image you will investigate.
Whether you use a write blocker or an imaging device, remember the golden rule of forensics: don’t alter the original evidence. Happy investigating!