Forensic disk controller

Images: a portable Tableau write-blocker attached to a hard drive; a portable disk imaging device; a Tableau forensic write blocker; a Tableau forensic disk imager.

A forensic disk controller or hardware write-block device is a specialized type of computer hard disk controller made for the purpose of gaining read-only access to computer hard drives without the risk of damaging the drive's contents. The device is named forensic because its most common application is for use in investigations where a computer hard drive may contain evidence. Such a controller historically has been made in the form of a dongle that fits between a computer and an IDE or SCSI hard drive, but with the advent of USB and SATA, forensic disk controllers supporting these newer technologies have become widespread. Steve Bress and Mark Menz invented hard drive write blocking (US Patent 6,813,682). [1]


A device installed between a storage medium under investigation and an investigator's computer is called a "bridge kit". The bridge kit has one connector for the storage medium and another connector for the investigator's computer. It allows the investigator to read, but not alter, the device under investigation. [2]

The United States National Institute of Justice operates a Computer Forensics Tool Testing (CFTT) program which formally identifies the following top-level tool requirements:

A hardware write block (HWB) device shall not transmit a command to a protected storage device that modifies the data on the storage device.

An HWB device shall return the data requested by a read operation.

An HWB device shall return without modification any access-significant information requested from the drive.

Any error condition reported by the storage device to the HWB device shall be reported to the host. [3]

Description

Forensic disk controllers intercept write commands from the host operating system, preventing them from reaching the drive. Whenever the host bus architecture supports it, the controller also reports the drive to the host as read-only. The disk controller can either deny all writes to the disk and report them as failures, or use on-board memory to cache the writes for the duration of the session.

A disk controller that caches writes in memory presents the appearance to the operating system that the drive is writable, and uses the memory to ensure that the operating system sees changes to the individual disk sectors it attempted to overwrite. It does this by retrieving sectors from the disk if the operating system hasn't attempted to change them, and retrieving the changed version from memory for sectors that have been changed.
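The two behaviours described above (deny-and-fail versus cache-in-memory), together with the CFTT requirements listed earlier, can be modelled in a few dozen lines. The following is an added illustration, not code from the article or from any write-blocker vendor; the drive, its 4-byte "sectors" and the `EvidenceDrive`/`WriteBlocker` classes are constructed for the example.

```python
import hashlib

# Constructed stand-in for the protected evidence drive (tiny 4-byte "sectors").
class EvidenceDrive:
    def __init__(self, sectors, bad_sectors=()):
        self.sectors = [bytes(s) for s in sectors]
        self.bad_sectors = set(bad_sectors)
        self.write_commands = 0          # counts write commands that reached the drive

    def read(self, lba):
        if lba in self.bad_sectors:
            raise OSError(f"media error at LBA {lba}")
        return self.sectors[lba]

    def write(self, lba, data):
        self.write_commands += 1
        self.sectors[lba] = bytes(data)

# Model of the controller: 'deny' fails every write, 'cache' keeps writes in RAM.
class WriteBlocker:
    def __init__(self, drive, mode="deny"):
        self.drive, self.mode, self.overlay = drive, mode, {}

    def is_read_only(self):              # what the controller reports to the host bus
        return self.mode == "deny"

    def read(self, lba):
        if lba in self.overlay:          # sector the host "changed" this session
            return self.overlay[lba]
        return self.drive.read(lba)      # drive errors propagate to the host unchanged

    def write(self, lba, data):
        if self.mode == "deny":
            raise PermissionError("write-protected device")
        self.overlay[lba] = bytes(data)  # kept in memory, never forwarded to the drive

def host_read(wb, lba):                  # result as the host operating system sees it
    try:
        return ("ok", wb.read(lba))
    except OSError as e:
        return ("error", str(e))

def host_write(wb, lba, data):
    try:
        wb.write(lba, data); return "ok"
    except OSError as e:
        return f"error: {e}"

def sha256_of(device, nsectors):         # acquisition-style hash of the whole device
    h = hashlib.sha256()
    for lba in range(nsectors):
        h.update(device.read(lba))
    return h.hexdigest()

def session(mode):
    drive = EvidenceDrive([b"AAAA", b"BBBB", b"CCCC"])
    wb = WriteBlocker(drive, mode)
    before = sha256_of(drive, 3)
    status = host_write(wb, 1, b"XXXX")  # e.g. an OS updating file-system metadata
    return status, wb.read(1), sha256_of(drive, 3) == before, drive.write_commands
```

In cache mode the host sees its own change when it reads sector 1 back, yet the drive's hash is unchanged and no write command ever reached it; in deny mode the write is reported as a failure and the host still reads the original sector.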

Uses

Forensic disk controllers are most commonly associated with the process of creating a disk image, or acquisition, during forensic analysis. Their use is to prevent inadvertent modification of evidence.

Using hardware to protect the hard drive from writes is important for several reasons. First, many operating systems, including Windows, may write to any hard disk that is connected to the system. At the very least, Windows will update the access time for any file accessed, and it may write to the disk unexpectedly, for example by creating hidden folders for the recycle bin or saved hardware configuration. Virus infections or malware on the system used for analysis may attempt to infect the disk being inspected. Additionally, the NTFS file system may attempt to commit or roll back unfinished transactions, and/or change flags on the volume to mark it as "in use". At worst, undesired files may allocate and overwrite deleted space on the hard disk, which may destroy evidence in the form of previously deleted files.

Protecting an evidence drive from writes during investigation is also important to counter potential allegations that the contents of the drive were altered during the investigation. [4] Of course, this can be alleged anyway, but in the absence of technology to protect a drive from writes, there is no way for such an allegation to be refuted.


References

  1. "Write protection for computer long-term memory devices".
  2. "Test Results for Hardware Write Block Device: Tableau Forensic SATA/IDE Bridge T35u" (PDF). United States Department of Homeland Security. October 2018. Retrieved February 23, 2021.
  3. Computer Forensics Tool Testing Handbook (PDF). National Institute of Standards and Technology. February 1, 2012. p. 88. Retrieved November 15, 2022.
  4. Clarke, Nathan (2010). "Forensic Acquisition of Data". Computer Forensics. IT Governance. pp. 26–33. ISBN 9781849280396. JSTOR j.ctt5hh5mg.8.