Digital evidence now appears in nearly every category of crime. Forensic investigators must be certain that the data they collect as evidence has not been altered in any way during capture, analysis, and storage, and attorneys, judges and jurors need confidence that the information presented in a computer crime case is legitimate. How can an investigator be certain that his or her evidence will be accepted in court?
The National Institute of Standards and Technology (NIST) describes a set of procedures designed to prevent the execution of any program that might modify the contents of a suspect disk. These procedures form a layered defense against modification of the source disk, using the following strategies:
- Where possible, set a hardware jumper to make the disk read only.
- Use an operating system and other software that are trusted not to write to the disk unless given explicit instructions.
- Use a hard disk write block tool to intercept any inadvertent disk writes.
The first bullet point speaks of jumpers, but the suspect drive's jumper settings are not always easily accessible, and many drives have no read-only jumper at all.
The other two bullet points describe the approaches taken by software and hardware write blockers.
What are write blockers?
A write blocker is any tool that permits read-only access to data storage devices without compromising the integrity of the data. Used properly, a write blocker ensures that the original device is not altered during acquisition, which is what the chain of custody must be able to demonstrate. NIST's general write blocking requirements hold that:
- The tool shall not allow a protected drive to be changed.
- The tool shall not prevent obtaining any information from or about any drive.
- The tool shall not prevent any operations to a drive that is not protected.
Software versus hardware write blockers
Software and hardware write blockers do the same job: they prevent writes to storage devices. The main difference is where the filtering happens. A software write blocker is installed on the forensic workstation and filters requests inside that machine, whereas a hardware write blocker implements the filtering in firmware on a controller inside a separate physical device placed between the workstation and the storage device.
As described in NIST's Software Write Block specification, a software write block tool operates by monitoring and filtering drive I/O commands sent from an application or the operating system through a given access interface.
Programs running in the DOS environment can, in addition to accessing the drive controller directly, use two other interfaces: the DOS service interface (interrupt 0x21) and the BIOS service interface (interrupt 0x13). A software write blocker that installs itself as an interrupt handler filters only the calls routed through those interrupts; a program that talks to the controller directly bypasses it, which is one reason NIST recommends layering the software tool with the other defenses rather than relying on it alone.
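The filtering model described above, as an added example that is not code from the article, from CRU/WiebeTech or from NIST: a Python simulation of a software write blocker that classifies BIOS INT 13h disk-service function codes by their effect on the medium and enforces the three NIST requirements listed earlier (protected drive never changes, reads and drive information still work, unprotected drives are untouched by the filter) against in-memory "drives". The function numbers are the real INT 13h codes; the category names, the status values returned, and the constructed disk contents are assumptions made for illustration.

```python
"""Simulated software write blocker in the style of a BIOS INT 13h filter.

Added illustration, not code from the article, CRU/WiebeTech or NIST. The
function numbers are the real INT 13h disk-service codes; the category
names, the in-memory disks and the status values are simplifications.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Category(Enum):
    READ = "read"          # moves data from drive to host
    WRITE = "write"        # would alter the medium: blocked on protected drives
    INFO = "information"   # geometry, status, extension checks
    CONTROL = "control"    # reset, seek, verify: touches no data


# INT 13h function code (AH register) -> effect on the medium.
INT13_CATEGORIES = {
    0x00: Category.CONTROL,  # reset disk system
    0x01: Category.INFO,     # status of last operation
    0x02: Category.READ,     # read sectors (CHS)
    0x03: Category.WRITE,    # write sectors (CHS)
    0x04: Category.CONTROL,  # verify sectors
    0x05: Category.WRITE,    # format track
    0x08: Category.INFO,     # get drive parameters
    0x0C: Category.CONTROL,  # seek
    0x15: Category.INFO,     # read DASD type
    0x41: Category.INFO,     # check extensions present
    0x42: Category.READ,     # extended read (LBA)
    0x43: Category.WRITE,    # extended write (LBA)
    0x44: Category.CONTROL,  # extended verify
    0x47: Category.CONTROL,  # extended seek
    0x48: Category.INFO,     # extended get drive parameters
}

SECTOR = 512


@dataclass
class Disk:
    """Constructed stand-in for a drive: a list of 512-byte sectors in memory."""
    sectors: list

    @classmethod
    def filled(cls, count: int, value: int) -> Disk:
        return cls([bytearray([value]) * SECTOR for _ in range(count)])


@dataclass
class WriteBlocker:
    """Interposes on every request; drives in `protected` can never be altered."""
    disks: dict
    protected: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def request(self, drive: int, function: int, lba: int = 0,
                data: Optional[bytes] = None) -> dict:
        if drive not in self.disks:
            raise ValueError(f"no such drive {drive:#x}")
        category = INT13_CATEGORIES.get(function)
        # Fail closed: an unknown function code on a protected drive is treated
        # as a potential write. Reporting success instead of an error keeps the
        # calling program from aborting; the log records what was blocked.
        if drive in self.protected and category in (Category.WRITE, None):
            self.log.append((drive, function, "BLOCKED"))
            return {"status": "ok", "blocked": True, "data": None}
        if category is None:
            # Unprotected drive, function we do not model: touch nothing.
            self.log.append((drive, function, "UNSUPPORTED"))
            return {"status": "error", "blocked": False, "data": None}
        self.log.append((drive, function, "PASSED"))
        return self._execute(self.disks[drive], category, lba, data)

    @staticmethod
    def _execute(disk: Disk, category: Category, lba: int,
                 data: Optional[bytes]) -> dict:
        if category is Category.READ:
            return {"status": "ok", "blocked": False, "data": bytes(disk.sectors[lba])}
        if category is Category.WRITE:
            disk.sectors[lba][:] = (data or b"").ljust(SECTOR, b"\x00")[:SECTOR]
            return {"status": "ok", "blocked": False, "data": None}
        if category is Category.INFO:
            info = {"sectors": len(disk.sectors), "bytes_per_sector": SECTOR}
            return {"status": "ok", "blocked": False, "data": info}
        return {"status": "ok", "blocked": False, "data": None}   # CONTROL


def demo() -> dict:
    """Exercise the three NIST requirements against a suspect and a target drive."""
    suspect = Disk.filled(8, 0xAA)   # drive 0x80: the evidence, protected
    target = Disk.filled(8, 0x00)    # drive 0x81: acquisition destination, writable
    wb = WriteBlocker({0x80: suspect, 0x81: target}, protected={0x80})

    before = bytes(suspect.sectors[3])
    attempt = wb.request(0x80, 0x43, lba=3, data=b"tampered")   # write to evidence
    read = wb.request(0x80, 0x42, lba=3)                        # read from evidence
    info = wb.request(0x80, 0x48)                               # query evidence drive
    wb.request(0x81, 0x43, lba=3, data=read["data"])            # write to target
    return {
        "suspect_unchanged": bytes(suspect.sectors[3]) == before,
        "write_blocked": attempt["blocked"],
        "read_allowed": read["data"] == before,
        "info_allowed": info["data"]["sectors"] == 8,
        "target_written": target.sectors[3] == suspect.sectors[3],
        "log": wb.log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to real tools. First, a blocked write here reports success rather than an error, so that an operating system which insists on updating a mount count or journal does not abort the session; whether a given blocker does this is something to check in its documentation and in your own testing. Second, the filter only sees requests that pass through it: in the simulation that is every call to `request`, but an interrupt-handler blocker on a real DOS system sees only INT 13h and INT 21h traffic, which is why it belongs in a layered setup and not on its own.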
The primary purpose of a hardware write blocker is to intercept and prevent (or 'block') any modifying command from ever reaching the storage device. It does this by monitoring and filtering all traffic passing between its host-side connection to the computer and its device-side connection to the storage device.
Hardware write blockers provide built-in interfaces for a number of storage device types and can connect to others through adapters. They also indicate their state through LEDs and switches, which makes them easy to use and makes it clear to the user that blocking is in effect.
Through its WiebeTech line of digital investigation products, CRU offers a wide variety of hardware write-blocking solutions.
- The Media WriteBlocker is highly portable, with a compact, lightweight design. It provides easy, write-blocked access to a variety of flash media, including SD and CF cards.
- The DriveDock family of products provides fast, write-blocked access to suspect drives. The LCD and menu system make it convenient to view drive information and error/warning messages, or to remove HPAs and DCOs (host protected areas and device configuration overlays).
- The Ditto Forensic FieldStation is ideal for remote data analysis and capture, and it removes the need for a laptop or other host machine during data acquisition.
To see more information about these products, you can start by choosing a product from the entire WiebeTech product line.