Wikipedia

Forensic disk controller: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
m Changing short description from "Forensic Hardware Device Prevent Writing" to "Specialised hard disk controller for forensic usage"
 
(41 intermediate revisions by 21 users not shown)
Line 1:
{{Short description|Specialised hard disk controller for forensic usage}}
A '''forensic disk controller''' or '''hardware write-block device''' is a specialized type of computer [[hard disk controller]] made for the purpose of gaining read-only access to computer [[hard drive]]s without the risk of damaging the drive's contents. The device is named [[forensics|forensic]] because its most common application is for use in [[investigation]]s where a computer hard drive may contain evidence. Such a controller historically has been made in the form of a [[dongle]] that fits between a computer and an [[IDE]] or [[SCSI]] hard drive, but with the advent of [[Universal Serial Bus|USB]] and [[Serial ATA|SATA]], forensic disk controllers supporting these newer technologies have become widespread.
{{Use mdy dates|date=November 2022}}
[[File:Portable forensic tableau.JPG|thumb|right|220px|A portable Tableau write-blocker attached to a [[Hard disk drive|hard drive]]]]
[[File:Disk image tools.jpg|thumb|220px|right|Example of a portable disk imaging device]]
[[File:Forensic tableau.JPG|thumb|220px|right|A Tableau forensic write blocker]]
[[File:Forensic disk imager.jpg|thumb|220x220px|A Tableau forensic disk imager]]
A '''forensic disk controller''' or '''hardware write-block device''' is a specialized type of computer [[hard disk controller]] made for the purpose of gaining read-only access to computer [[hardHard disk drive|hard drives]]s without the risk of damaging the drive's contents. The device is named [[forensics|forensic]] because its most common application is for use in [[investigation]]sinvestigations where a computer hard drive may contain evidence. Such a controller historically has been made in the form of a [[dongle]] that fits between a computer and an [[Integrated Drive Electronics|IDE]] or [[SCSI]] hard drive, but with the advent of [[Universal Serial Bus|USB]] and [[Serial ATA|SATA]], forensic disk controllers supporting these newer technologies have become widespread. Steve Bress and Mark Menz invented hard drive write blocking (US Patent 6,813,682). <ref>{{Cite web|url=https://patents.google.com/patent/US6813682B2/en|title=Write protection for computer long-term memory devices}}</ref>
 
<!-- Bridge kit redirects here -->
Using hardware to protect the hard drive from writes is very important for several reasons. First, many [[operating system]]s, including [[Microsoft Windows|Windows]], may write to any hard disk that is connected to the system. At the very least, Windows will update the [[access time]] for any file accessed, and may write things to the disk unexpectedly - such as creating hidden folders for the [[recycle bin]] or saved hardware configuration. [[Computer virus|Virus]] infections or [[malware]] on the system used for analysis may attempt to infect the disk being inspected. Additionally, the [[NTFS]] file system may attempt to commit or rollback unfinished transactions, and/or change flags on the volume to mark it as "in use". At the worst, undesired files may allocate and overwrite deleted space on the hard disk which may potentially destroy evidence in the form of previously deleted files.
A device which is installed between a storage media under investigation and an investigator's computer is called a "'''bridge kit'''". The bridge kit has one connector for the storage media and another connector the investigator's computer. It allows the investigator to read, but not alter the device under investigation.<ref name="dhs">{{cite web |title=Test Results for Hardware Write Block Device: Tableau Forensic SATA/IDE Bridge T35u |date=October 2018 |publisher=[[United States Department of Homeland Security]] |url=https://www.dhs.gov/sites/default/files/publications/Test%20Report_NIST_HWB_Tableau%20Forensic%20SATA-IDE%20Bridge%20T35u_Firmware%20Version%20Sep%2015%202015%2011.19.41_October%202018.pdf |accessdate=February 23, 2021}}</ref>
 
The United States [[National Institute of Justice]] operates a Computer Forensics Tool Testing (CFTT) program which formally identifies<ref>http://www.cftt.nist.gov/HWB-ATP-19.pdf</ref> the following top-level tool requirements:
Protecting an evidence drive from writes during investigation is also important to counter potential allegations that the contents of the drive were altered during the investigation. Of course, this can be alleged anyway, but in the absence of technology to protect a drive from writes, there is no way for such an allegation to be refuted.
*''{{Quote|A hardware write block (HWB) device shall not transmit a command to a protected storage device that modifies the data on the storage device.''
 
*''An HWB device shall return the data requested by a read operation.''
Hardware write blocking was invented by Mark Menz and Steve Bress (US patent 6,813,682 and EU patent EP1,342,145)
 
*''An HWB device shall return without modification any access-significant information requested from the drive.''
The United States [[National Institute of Justice]] operates a Computer Forensics Tool Testing (CFTT) program which formally identifies<ref>http://www.cftt.nist.gov/HWB-ATP-19.pdf</ref> the following top-level tool requirements:
*''A hardware write block (HWB) device shall not transmit a command to a protected storage device that modifies the data on the storage device.''
*''An HWB device shall return the data requested by a read operation.''
*''An HWB device shall return without modification any access-significant information requested from the drive.''
*''Any error condition reported by the storage device to the HWB device shall be reported to the host.''
 
Any error condition reported by the storage device to the HWB device shall be reported to the host.<ref>{{Cite book |url=https://www.nist.gov/system/files/documents/2017/04/28/CFTT-Booklet-Revised-02012012.pdf |title=Computer Forensics Tool Testing Handbook |publisher=[[National Institute of Standards and Technology]] |page=88 |date=2012-02-01 |access-date=2022-11-15}}</ref>}}
==How it works==
All forensic disk controllers work by capturing commands from the host [[operating system]] that request the drive to overwrite sectors, and preventing them from reaching the drive. Whenever the host bus architecture supports it, the forensic disk controller reports to the host operating system that the drive is read-only.
 
==Description==
A forensic disk controller works in one of two ways. The disk controller can either deny all writes to the disk and report them as failures, or use on-board memory to cache the writes for the duration of the session.
All forensicForensic disk controllers work byintercept capturingwrite commands from the host [[operating system]] that request the drive to overwrite sectors, and preventing them from reaching the drive. Whenever the host [[Bus (computing)|bus]] architecture supports it, the forensiccontroller reports that the drive is read-only. The disk controller reportscan either deny all writes to the hostdisk operatingand systemreport thatthem theas drivefailures, isor readuse on-onlyboard memory to cache the writes for the duration of the session.
 
A disk controller that denies allcaches writes willin likelymemory notpresents bethe toleratedappearance byto anthe operating system that assumesthe thatdrive allis hardwritable, disksand canuses bethe writtenmemory to. ensure Althoughthat the controlleroperating couldsystem reportsees changes to the writesindividual asdisk successful,sectors subsequentit readsattempted willto returnoverwrite. the originalIt data,does whichthis willby beretrieving unexpectedsectors byfrom the operatingdisk systemif andthe whichoperating willsystem causehasn't itattempted to malfunctionchange duethem, toand retrieving the internalchanged inconsistencyversion betweenfrom thememory operatingfor systemsectors andthat the drive'shave actualbeen statechanged.
 
==Uses==
A disk controller that caches writes in memory presents the appearance to the operating system that the drive is writable, and uses the memory to ensure that the operating system sees changes to the individual disk sectors it attempted to overwrite. It does this by retrieving sectors from the disk if the operating system hasn't attempted to change them, and retrieving the changed version from memory for sectors that have been changed. This method is transparent to and compatible with all operating systems, and ensures that when the device is powered off, the disk remains unchanged and in its original state. Because the operating system's internal state persists only as long as the drive is mounted or powered on, assuming none of the writes were desired there is no adverse consequence to losing the data in the change buffer.
Forensic disk controllers are most commonly associated with the process of creating a [[Disk imaging#Hard drive imaging|disk image]], or acquisition, during [[digital forensic process|forensic analysis]]. Their use is to prevent inadvertent modification of evidence.
 
Using hardware to protect the hard drive from writes is very important for several reasons. First, many [[operating system]]s, including [[Microsoft Windows|Windows]], may write to any hard disk that is connected to the system. At the very least, Windows will update the [[access time]] for any file accessed, and may write things to the disk unexpectedly - such as creating hidden folders for the [[recycle bin]] or saved hardware configuration. [[Computer virus|Virus]] infections or [[malware]] on the system used for analysis may attempt to infect the disk being inspected. Additionally, the [[NTFS]] file system may attempt to commit or rollback unfinished transactions, and/or change flags on the volume to mark it as "in use". At the worst, undesired files may allocate and overwrite deleted space on the hard disk which may potentially destroy evidence in the form of previously deleted files.
The most typical way a forensic disk controller is used is to create an image file of a hard drive. In this scenario, an entire hard drive image is copied into a single regular file - for example, a 250GB hard drive becomes a 250GB regular file (before considering the possibility of compression). Imaging is likely done on an operating system such as Linux, which is natively tolerant of read-only hard disks - something Windows does not handle well. Once the entire drive has been converted to a regular file, the physical drive itself is locked away or returned to the suspect, and then the image file can be examined independently on any platform (including Windows) using a hex editor or a utility specifically designed for navigating file systems encapsulated within disk image files (e.g. ''WinHex'' or ''DiskExplorer'').
 
Protecting an evidence drive from writes during investigation is also important to counter potential allegations that the contents of the drive were altered during the investigation.<ref>{{Cite book|chapter-url=https://www.jstor.org/stable/j.ctt5hh5mg.8|jstor=j.ctt5hh5mg.8|chapter=Forensic Acquisition of Data|last1=Clarke|first1=Nathan|title=Computer Forensics|year=2010|pages=26–33|publisher=IT Governance|isbn=9781849280396}}</ref> Of course, this can be alleged anyway, but in the absence of technology to protect a drive from writes, there is no way for such an allegation to be refuted.
 
==References==
{{Reflist}}
 
[[Category:RotatingHard discdisk computer storage media]]
{{Compu-hardware-stub}}
[[Category:ComputerDigital forensics]]
{{Forensics-stub}}
 
[[Category:Rotating disc computer storage media]]
[[Category:Computer forensics]]
 
[[it:Write blocker]]
one easier of doing forensics is having a bootable usb dongle (probably with some flavor of linux) and then mount the harddisk as readonly of the suspected machine, and do the necessary forensics, this method is quite common nowadays.
Retrieved from "https://en.wikipedia.org/wiki/Forensic_disk_controller"