Leave No Trace


The Boy Scouts embrace a philosophy that protects our environment from the effects of hiking, camping, and other outdoor activities. It is called 'Leave No Trace,' and it affects most outdoor endeavors. The basic idea is that after engaging in an outdoor activity, there should be no trace that you were ever there. The reality is that most outdoor venues allow a more relaxed version, possibly called 'Leave Almost No Trace.'

In computer forensics, though, you must adhere to a strict 'Leave No Trace' policy. You must prove that none of your analysis efforts left any trace on the evidence media. In fact, you'll have to prove that you never modified the evidence in any way. Decide which approach you'll take before the investigation starts (or at least before the analysis of a particular piece of evidence starts).

Read-Only Image

One method to ensure no changes occur to media is through the use of read-only images. There are multiple ways to access media in read-only mode. One method is to mount the evidence volume in read-only mode. Although this is a safe option when performed properly, it is exceedingly difficult to convince a court that you used the correct options when mounting, or accessing, a volume.

Further, it is very easy to accidentally mount the volume using the wrong options and inadvertently write to the volume. This is a huge risk when working with the primary copy because writing anything to the primary copy makes the volume inadmissible.

If you decide to mount a suspect's volume in read-only mode, only mount the volume to make a full copy of the volume (or selected files). Be diligent in documenting and verifying the options you used. However, if another option exists (e.g., write-blocking devices), use it instead. You'll have an easier time convincing the court of the volume's integrity.

Software Write Blocker

One method of ensuring that no writes impact the mounted volume is through the use of a software write blocker. A software write blocker is a layer of software that lives between the operating system and the actual device driver for the disk. All disk access requests that use standard operating system calls are prevented from writing to the disk.

software write blocker: Software that lives between the operating system and disk driver and blocks any write requests.

Although this approach is generally quite safe, some software write blockers allow direct disk access in some cases. Be sure you do your homework and verify that the tool you use is secure in all cases. You also need to ensure that your tool of choice is updated to the latest version and keep track of the version you use for each investigation. If any vulnerability is detected in a version of the software you are using for an investigation, document its effect on your analysis.

Most vendors that produce computer forensics software and tools provide a software write blocker. Take a look at several tools and the utility they provide. Make sure their capabilities match your needs.

The last step in any media analysis is to run a checksum on the volume and compare it to the checksum run on the same volume prior to analysis. If the two do not match, the volume has changed. If this ever happens, there is clearly a problem with the software write blocker. (Checksums and hashes are discussed in Chapter 4, 'Common Tasks.')
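The checksum step described above, as an added example that is not from the book: it records a baseline hash of an image before analysis and re-hashes afterwards. Beyond the whole-volume comparison the text calls for, it also hashes each sector, so a mismatch can be traced to the sectors that changed. The 512-byte sector size and the sample image content are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # bytes per sector of the constructed sample image


def hash_image(path, sector=SECTOR):
    """Return (SHA-256 of the whole image, list of per-sector SHA-256 digests).

    The image is opened read-only and streamed, so the check itself never
    writes to the media and does not need the image in memory.
    """
    whole, sectors = hashlib.sha256(), []
    with open(path, "rb") as f:
        while chunk := f.read(sector):
            whole.update(chunk)
            sectors.append(hashlib.sha256(chunk).hexdigest())
    return whole.hexdigest(), sectors


def verify_image(path, baseline):
    """Compare the image with a baseline from hash_image().

    Returns (unchanged, changed_sector_indices). Sectors that exist in only
    one of the two (image grew or shrank) are reported as changed too.
    """
    whole_before, before = baseline
    whole_after, after = hash_image(path)
    if whole_after == whole_before:
        return True, []
    common = min(len(before), len(after))
    changed = [i for i in range(common) if before[i] != after[i]]
    changed += list(range(common, max(len(before), len(after))))
    return False, changed


def demo():
    """Constructed 8-sector image; one byte in sector 5 is altered to
    simulate a write that a failed blocker let through."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        with open(img, "wb") as f:
            for i in range(8):                 # constructed content, not real media
                f.write(bytes([i]) * SECTOR)
        baseline = hash_image(img)             # record this before analysis starts
        clean = verify_image(img, baseline)    # (True, [])
        with open(img, "r+b") as f:            # simulated stray write during analysis
            f.seek(5 * SECTOR + 17)
            f.write(b"\xff")
        tampered = verify_image(img, baseline)  # (False, [5])
    return clean, tampered
```

Store the baseline digests alongside the acquisition notes; the list of changed sectors is what you would hand to whoever has to explain the discrepancy.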

Hardware Write Blocker

Another method of preventing writes to media is through the use of a hardware write blocker. Some courts view hardware write blockers as more secure than software write blockers because a physical connection blocks any other paths to the disk. The concept behind the hardware write blocker is the same as the software write blocker. Normal access to the device is supported, except all write requests are blocked.

hardware write blocker: A hardware device that is plugged in between the disk controller and the physical disk, and blocks any write requests.

Several vendors sell hardware write blockers, from inline cable devices to full subsystems that support multiple interfaces. As with software write blockers, do your homework to ensure the manufacturer's claims are validated. Any court will likely require that you provide independent proof that the device you chose to use performs as advertised.

Sidebar: Software and Hardware Write Blockers

The following are a few products that block disk writes. Take a look at all of them and evaluate their features to decide which one is right for your use.

Write Block Software Tools

  • PDBLOCK, by Digital Intelligence, Inc. ( www.digitalintel.com )

  • EnCase, by Guidance Software ( www.guidancesoftware.com )

Write Block Hardware Devices

  • ACARD Write Block Kit, by ACARD Technology ( www.acard.com )

  • DriveLock and FastBloc, by Intelligent Computer Solutions ( www.ics-iq.com )

  • NoWrite, by MyKey Technology, Inc. ( www.mykeytech.com )

  • UltraKit and UltraBlock, by Digital Intelligence, Inc. ( www.digitalintel.com )

  • FastBloc, by Guidance Software ( www.guidancesoftware.com )

Also look at the Computer Forensics Tool Testing (CFTT) Project website for further analysis of the tools listed previously (and more). You can visit the CFTT website at www.cftt.nist.gov .

 



Computer Forensics JumpStart
ISBN: 0470931663
Year: 2004
Pages: 153

flylib.com © 2008-2017.