How to Capture Every Packet and Why it Matters (by Chris Greer)
Hunting For Devices With ARPS And Wireshark (By Tony Fortunato)

Protecting the Data Evidence (by Casey Mullis)

If an item is to be used in the court of law in the United States, it has to be preserved to the best of your ability. If you want to use data evidence you have to protect it as if it were a murder scene or any other type of crime scene. Most do not understand the process or the amount of data that could potentially be located in a device.

This moves us into the question “How do I preserve data evidence to be used in a court of law?” The answer we are going to talk about is a “Hardware Write Blocker”. There are more types of write blockers but we are going to look at the hardware type at this time and to be more specific we will be looking at CRU, Inc write blockers. You can see some videos of their products here VIDEOS.

Wiebetech2

This write blocker is a great item for anyone in the computer forensic field. It has connections for USB devices, IDE Hard Drives, and SATA Hard Drives. There is a bay for the hard drives to sit in while being processed or imaged. Out the box this is a great tool for any computer forensic examiner to have at their disposal.

The Wiki Page about Write Blockers can be found here:

“Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands, hence their name.

There are two ways to build a write-blocker: the blocker can allow all commands to pass from the computer to the drive except for those that are on a particular list. Alternatively, the blocker can specifically block the write commands and let everything else through.

Write blockers may also include drive protection which will limit the speed of a drive attached to the blocker. Drives that run at higher speed work harder (the head moves back and forth more often due to read errors). This added protection could allow drives that cannot be read at high speed (UDMA modes) to be read at the slower modes (PIO).”

CRU, Inc devices do a great job at a low cost, based on others for purchase on the internet. We have tested and validated the internal CRU, Inc. write blocker pictured above. As well as the new Forensic Combodock V5, pictured below:

Combo

These devices insure that you do not alter the evidence by maintaining the data as read only access. We do suggest that each user of such devices validate it on regular bases. We suggest that you keep a log book of your validation check(s). While validating the tool you are also validating your forensic software.

CRU, Inc has done a great job and at an affordable rate for the average consumer. We have used many write blockers on the market and these by CRU, Inc are on the top of our list for recommendation for purchase and use.

 

Casey

Author - Emory Mullis has been in Law Enforcement for roughly 19 years including military and civilian law enforcement. He started learning about computers back when Gateway 266 MHz was the top of the line and cost about $2000.00.Right out the box, I was compelled to take my new found 266 apart. Why I have no idea other than pure curiosity. Once I had the computer out the box and on the floor in pieces, my wife walked in. Trust me people, this was not a good thing! Either way I got a good understanding at this point on how a computer is put together and / or the components inside. This was my starting point with computers and I still hear my wife in the back ground “It better work when you put it back together!” That was my humble beginnings as a Cyber Investigator. Now with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence and it is a real challenge. I enjoy the challenge and look forward to learning more every day!

Tim is the Oldcommguy and Chief Technical Editor of Lovemytool.com and working as a volunteer for the Georgia POST helping to train Georgia's Law Enforcement community in sound techniques for recognition, protection and acquisition of lawful cyber evidence.

Comments