Professional Documents
Culture Documents
A Study of Forensic Imaging in The Absence of Writ
A Study of Forensic Imaging in The Absence of Writ
net/publication/313886626
CITATIONS READS
4 708
2 authors, including:
Gary Kessler
Embry-Riddle Aeronautical University
17 PUBLICATIONS 107 CITATIONS
SEE PROFILE
All content following this page was uploaded by Gary Kessler on 11 December 2017.
2014
Gregory H. Carlton
California State Polytechnic University
Recommended Citation
Kessler, Gary C. and Carlton, Gregory H. (2014) "A Study of Forensic Imaging in the Absence of Write-Blockers," Journal of Digital
Forensics, Security and Law: Vol. 9 : No. 3 , Article 4.
DOI: https://doi.org/10.15394/jdfsl.2014.1187
Available at: http://commons.erau.edu/jdfsl/vol9/iss3/4
This Article is brought to you for free and open access by the Journals at
Scholarly Commons. It has been accepted for inclusion in Journal of Digital
Forensics, Security and Law by an authorized administrator of Scholarly
Commons. For more information, please contact commons@erau.edu.
(c)ADFSL
A Study of Forensic Imaging in the Absence of… JDFSL V9N3
This work is licensed under a Creative Commons Attribution 4.0 International License.
ABSTRACT
Best practices in digital forensics demand the use of write-blockers when creating forensic
images of digital media, and this has been a core tenet of computer forensics training for
decades. The practice is so ingrained that the integrity of images created without a write-blocker
are immediately suspect. This paper describes a research framework that compares forensic
images acquired with and without utilizing write-blockers in order to understand the extent of
the differences, if any, in the resultant forensic copies. We specifically address whether
differences are superficial or evidentiary, and we discuss the impact of admitting evidence
acquired without write blocking. The experiments compare the changes made to a hard drive
and flash drive when imaged and examined with a Windows-based forensics workstation.
Keywords: Digital forensics, computer forensics, write-blocking, forensic image, forensic data
acquisition
is imaged without a write-blocker, should such behind the requirement to use write blockers
evidence be discarded by an examiner or and the assertion of their necessity. The
investigator, ignored by counsel, or challenged testing framework is presented below in
by the opposing party on the presumption section 2. In section 3 of this paper, we
that the image no longer represents the discuss the results of our examination
original media? If such a generalized objection comparing images acquired with write-
were raised, how should a judge know whether blockers to those acquired without write-
to sustain or overrule the objection, and how blockers. Lastly, in section 4, we offer our
should the party offering such evidence argue conclusions.
for the evidence's inclusion?
2. TESTING
These questions are not entirely
hypothetical. The current Scientific Working
FRAMEWORK
Group on Digital Evidence (SWGDE) Best
2.1 Test Philosophy
Practices for Computer Forensics document is
clear that write-blockers should be used Write blockers are used in digital forensic
"when possible" (SWGDE, 2013, p. 7) imaging based upon the hypothesis that
without mention of the negative impacts of changes will occur to the source media if write
not using blockers. The Federal Rules of blockers are not employed. For testing
Evidence (FRE) specifically allow duplicates purposes, the null hypothesis is that no
to be admitted as evidence to the same extent changes will occur to the source media if a
as the original unless legitimate questions can write blocker is not used. The authors
be raised as to the veracity of the copy (FRE, designed a test framework in an attempt to
2013). Does the lack of a write-blocker test the null hypothesis, or to measure the
undermine the veracity of a copy so as to amount of changes, if any, made to digital
make it ineffective as evidence? media during the process of making a
The National Institute of Standards and forensically correct copy (i.e., a bit-stream
Technology (NIST) has detailed specifications image). The framework was necessary in order
on how to test hardware and software write- to ensure that the experiments are repeatable
blockers to validate their proper operation and reproducible. In this context, repeatable
(NIST, 2003, 2004, 2005). They do not, means that we can get the same result over
however, describe the impact when write- and over, and reproducible means that other
blockers are not employed. Thus, lack of write researchers can get the same results following
blocking remains a somewhat ambiguous our framework. Or, in the words of NIST
state. (2001):
In U.S. v. Labuda (2012), the only case we ... repeatability is defined as the
found where write blockers were specifically ability to get the same test results on
cited as an issue, a police forensic examiner the same testing environment (same
examined a cell phone's memory card without computer, disk, mode of operation,
making an image. While the defense expert etc.). Reproducibility is defined as the
challenged the police examiner's lack of ability to get the same test results on
process by directly examining the card, the a different testing environment
evidence was nevertheless allowed. But the (different PC, hard disk, operator,
write-blocker was not a central point of the etc.). (p. 7)
case and, therefore, this case does not appear The universe of possible testing
to sufficiently answer the questions above. environments is actually quite huge. As Lyle
The study described in this paper includes (2012) observes, there are many choices of
experiments to test the scientific foundation (Figure 1):
• Digital media storage technology (e.g., and hardware (e.g., Forensic Duplicator,
traditional spinning disk or flash/solid- Forensic Imager, Hardcopy, Shadow)
state devices)
• Analysis software (e.g., Autopsy/TSK,
• File system type (e.g., FAT12/16/32, EnCase, FTK, ProDiscover, X-Ways
NTFS, HFS/HFS+, ext2/ext3/ext4, Forensics)
EXFAT, etc.) The non-exhaustive list above represents a
• Interface between digital media and subset of the variables and the options
forensic workstation (e.g., Firewire, IDE, available, but even these represent more than
SATA, SCSI, USB) 5,000 configurations. Given the size of the test
universe, we selected a small subset of media
• Forensic workstation operating system and designed a testing framework as a
(e.g., Windows, Mac OS X, Unix, Linux) demonstration of possible further work.
• Write-blocker type (e.g., the variety of However, our media subset represents two of
software and hardware products) the most commonly used devices at the time
of our study (i.e., a SATA hard disk and a
• Imaging software (e.g., dcfldd, dd, USB flash drive).
EnCase, FTK Imager, X-Ways Forensics)
CurrentControlSet Table 1
\Control\StorageDevicePolicies\WriteProtect. HDD Image Hash Values
Setting this Registry key's value to 0x0 allows HDD Image 0 (hardware write-blocker)
writing to the USB port and a value of 0x1 MD5 F8BE2078382A68ADC792B734FFB480CD
disables writing. After making any change to
SHA-1 23812B61A41E01F61AF0DA048B80AD25F1D4C8BA
the Registry key's value, the system was
rebooted and the appropriate functionality HDD Image 1 (software write-blocker)
verified. MD5 F8BE2078382A68ADC792B734FFB480CD
SHA-1 23812B61A41E01F61AF0DA048B80AD25F1D4C8BA
3. TESTS AND RESULTS
HDD Image 2 (no write-blocker)
3.1 Imaging and Hashes MD5 CF4539F0E98E67F368E5EB1D3119EB03
Table 3
Test Universe and Result Summary
Hard Disk Drive Flash Drive
Device
SATA USB
Interface
File System NTFS FAT32
Workstation
Windows 7
OS
Forensic
Encase
Software
Image 0 Image 1 Image 2 Image 0 Image 1 Image 2
Connection SATA Bridge to USB USB Bridge to USB USB port
Write-block Hardware Software None Hardware Software None
Hash (MD5) F8BE...80CD CF45...EB03 1571...5EE0
As noted earlier in this paper, there are so The intent of this study is not to suggest
many choices and options in the test that the use of write-blockers is unnecessary
parameters that our study cannot be used to but rather to test the assertion that the
draw overly generalized conclusions (Lyle, absence of effective write blocking causes
2012). The test cases do, however, provide a insurmountable challenges to the veracity -
framework for further research. and value - of digital evidence. While our test
results show that some changes are made to
4. CONCLUSION digital media when write-blocking is not
This study examined two imaging scenarios employed (or, presumably, when a write-
testing the results of imaging without a write blocker fails), they also show that the original
blocker. In one case, no changes occurred to evidence is not tainted beyond use and,
evidentiary media; in the second case, only certainly, no additional content has been
minimal changes were made but not to user added to the medium. Thus, the results
files where probative information - both suggest, if a party objects to the introduction
incriminating and exculpatory - is likely to be of a forensic image solely because of the lack
found. Since the study looked at only two out of write-blocking, the burden of proof is on
of thousands of possible scenarios, additional, the objector to show how the value of the
deeper studies with other devices and evidence has been diminished.
configurations are certainly in order so that a This study is intended to help inform the
better understanding can be gained about the dialogue about what is and is not best
broad impact of inoperable or failed write- practices in digital forensics. There are many
blockers. cases when write-blocking cannot be
It is also interesting to address the effectively used when analyzing or examining
concept of repeatability in conducting forensic digital media - such as is sometimes the case
data acquisitions in the absence of write- with mobile devices, or when collecting
blockers. While two forensic images acquired volatile data or random access memory
from the same original media without use of a (RAM) - and practitioners need to understand
write-blocker will likely yield different hash the true impact of the absence of write
values (i.e., digital signatures), this difference blocking so that we can better defend our
alone does not preclude a scientifically processes and examinations.
repeatable finding. Even with the different
media hash values and differences in system
ACKNOWLEDGEMENTS
attributes (such as last accessed date), The authors would like to thank a senior
repeatable findings remain intact for the project team of undergraduate students from
content of stored files, file slack, the Cal Poly Pomona - Willen Lui, David Hughes,
overwhelming majority of unallocated space, Joseph Mickelson, and Gurpreet Dhillon - for
and unused space. In fact, the individual hash their work on this project. We would also like
values of stored files remain identical when to thank external reviewers for their valuable
the images are compared. Therefore, a forensic comments.
examiner may present evidence of data
contained within a stored file or the file slack REFERENCES
associated with the file, and another forensic Carlton, G.H. (2007). A Protocol for the
examiner will be able to duplicate these Forensic Data Acquisition of Personal
findings even if both examiners created images Computer Workstations. UMI 3251043.
from the original media without using write- Ann Arbor, MI, ProQuest.
blockers. The important lesson to learn is that
differences in media hash values do not, by Federal Rules of Evidence (FRE). (2013,
themselves, imply contamination of data. December 1). The Committee of the
Judiciary, House of Representatives.