Content deleted Content added
→Uses: another useful link |
VulcanSphere (talk | contribs) m Changing short description from "Forensic Hardware Device Prevent Writing" to "Specialised hard disk controller for forensic usage" |
||
| (29 intermediate revisions by 17 users not shown) | |||
Line 1:
{{Short description|Specialised hard disk controller for forensic usage}}
[[Image:Portable forensic tableau.JPG|thumb|right|220px|A portable Tableau write-blocker attached to a [[Hard Drive]]]]▼
{{Use mdy dates|date=November 2022}}
A '''forensic disk controller''' or '''hardware write-block device''' is a specialized type of computer [[hard disk controller]] made for the purpose of gaining read-only access to computer [[hard drive]]s without the risk of damaging the drive's contents. The device is named [[forensics|forensic]] because its most common application is for use in investigations where a computer hard drive may contain evidence. Such a controller historically has been made in the form of a [[dongle]] that fits between a computer and an [[Integrated Drive Electronics|IDE]] or [[SCSI]] hard drive, but with the advent of [[Universal Serial Bus|USB]] and [[Serial ATA|SATA]], forensic disk controllers supporting these newer technologies have become widespread.▼
▲[[
[[File:Disk image tools.jpg|thumb|220px|right|Example of a portable disk imaging device]]
[[File:Forensic tableau.JPG|thumb|220px|right|A Tableau forensic write blocker]]
[[File:Forensic disk imager.jpg|thumb|220x220px|A Tableau forensic disk imager]]
▲A '''forensic disk controller''' or '''hardware write-block device''' is a specialized type of computer [[hard disk controller]] made for the purpose of gaining read-only access to computer [[
<!-- Bridge kit redirects here -->
Using hardware to protect the hard drive from writes is very important for several reasons. First, many [[operating system]]s, including [[Microsoft Windows|Windows]], may write to any hard disk that is connected to the system. At the very least, Windows will update the [[access time]] for any file accessed, and may write things to the disk unexpectedly - such as creating hidden folders for the [[recycle bin]] or saved hardware configuration. [[Computer virus|Virus]] infections or [[malware]] on the system used for analysis may attempt to infect the disk being inspected. Additionally, the [[NTFS]] file system may attempt to commit or rollback unfinished transactions, and/or change flags on the volume to mark it as "in use". At the worst, undesired files may allocate and overwrite deleted space on the hard disk which may potentially destroy evidence in the form of previously deleted files.▼
A device which is installed between a storage media under investigation and an investigator's computer is called a "'''bridge kit'''". The bridge kit has one connector for the storage media and another connector the investigator's computer. It allows the investigator to read, but not alter the device under investigation.<ref name="dhs">{{cite web |title=Test Results for Hardware Write Block Device: Tableau Forensic SATA/IDE Bridge T35u |date=October 2018 |publisher=[[United States Department of Homeland Security]] |url=https://www.dhs.gov/sites/default/files/publications/Test%20Report_NIST_HWB_Tableau%20Forensic%20SATA-IDE%20Bridge%20T35u_Firmware%20Version%20Sep%2015%202015%2011.19.41_October%202018.pdf |accessdate=February 23, 2021}}</ref>
The United States [[National Institute of Justice]] operates a Computer Forensics Tool Testing (CFTT) program which formally identifies
Protecting an evidence drive from writes during investigation is also important to counter potential allegations that the contents of the drive were altered during the investigation. Of course, this can be alleged anyway, but in the absence of technology to protect a drive from writes, there is no way for such an allegation to be refuted.▼
▲The United States [[National Institute of Justice]] operates a Computer Forensics Tool Testing (CFTT) program which formally identifies<ref>http://www.cftt.nist.gov/HWB-ATP-19.pdf</ref> the following top-level tool requirements:
▲*''A hardware write block (HWB) device shall not transmit a command to a protected storage device that modifies the data on the storage device.''
Any error condition reported by the storage device to the HWB device shall be reported to the host.<ref>{{Cite book |url=https://www.nist.gov/system/files/documents/2017/04/28/CFTT-Booklet-Revised-02012012.pdf |title=Computer Forensics Tool Testing Handbook |publisher=[[National Institute of Standards and Technology]] |page=88 |date=2012-02-01 |access-date=2022-11-15}}</ref>}}
▲*''An HWB device shall return the data requested by a read operation.''
▲*''An HWB device shall return without modification any access-significant information requested from the drive.''
==Description==
A disk controller that caches writes in memory presents the appearance to the operating system that the drive is writable, and uses the memory to ensure that the operating system sees changes to the individual disk sectors it attempted to overwrite. It does this by retrieving sectors from the disk if the operating system hasn't attempted to change them, and retrieving the changed version from memory for sectors that have been changed
▲A disk controller that caches writes in memory presents the appearance to the operating system that the drive is writable, and uses the memory to ensure that the operating system sees changes to the individual disk sectors it attempted to overwrite. It does this by retrieving sectors from the disk if the operating system hasn't attempted to change them, and retrieving the changed version from memory for sectors that have been changed. This method is transparent to and compatible with all operating systems, and ensures that when the device is powered off, the disk remains unchanged and in its original state. Because the operating system's internal state persists only as long as the drive is mounted or powered on, assuming none of the writes were desired there is no adverse consequence to losing the data in the change buffer.
==Uses==
Forensic disk controllers are most commonly associated with the process of creating a [[Disk imaging#Hard drive imaging|disk image]], or acquisition, during [[digital forensic process|forensic analysis]]. Their use is to prevent inadvertent modification of evidence.
▲Using hardware to protect the hard drive from writes is very important for several reasons. First, many [[operating system]]s, including [[Microsoft Windows|Windows]], may write to any hard disk that is connected to the system. At the very least, Windows will update the [[access time]] for any file accessed, and may write things to the disk unexpectedly - such as creating hidden folders for the [[recycle bin]] or saved hardware configuration. [[Computer virus|Virus]] infections or [[malware]] on the system used for analysis may attempt to infect the disk being inspected. Additionally, the [[NTFS]] file system may attempt to commit or rollback unfinished transactions, and/or change flags on the volume to mark it as "in use". At the worst, undesired files may allocate and overwrite deleted space on the hard disk which may potentially destroy evidence in the form of previously deleted files.
▲Protecting an evidence drive from writes during investigation is also important to counter potential allegations that the contents of the drive were altered during the investigation.<ref>{{Cite book|chapter-url=https://www.jstor.org/stable/j.ctt5hh5mg.8|jstor=j.ctt5hh5mg.8|chapter=Forensic Acquisition of Data|last1=Clarke|first1=Nathan|title=Computer Forensics|year=2010|pages=26–33|publisher=IT Governance|isbn=9781849280396}}</ref> Of course, this can be alleged anyway, but in the absence of technology to protect a drive from writes, there is no way for such an allegation to be refuted.
==References==
{{Reflist}}
[[Category:Hard disk computer storage]]
[[Category:Digital forensics]]
| |||