Forensic Disk Controller
   HOME

TheInfoList



Click Here for Items Related To - Forensic Disk Controller
OR:
Forensic Disk Controller on:   [Wikipedia]   [Google]   [Amazon]

A forensic disk controller or hardware write-block device is a specialized type of computer
hard disk controller {{unreferenced, date=May 2010 The disk controller is the controller circuit which enables the CPU to communicate with a hard disk, floppy disk or other kind of disk drive. It also provides an interface between the disk drive and the bus conne ...
made for the purpose of gaining read-only access to computer
hard drives A hard disk drive (HDD), hard disk, hard drive, or fixed disk is an electro-mechanical data storage device that stores and retrieves digital data using magnetic storage with one or more rigid rapidly rotating platters coated with magne ...
without the risk of damaging the drive's contents. The device is named
forensic Forensic science, also known as criminalistics, is the application of science to Criminal law, criminal and Civil law (legal system), civil laws, mainly—on the criminal side—during criminal investigation, as governed by the legal standard ...
because its most common application is for use in investigations where a computer hard drive may contain evidence. Such a controller historically has been made in the form of a
dongle A dongle is a small piece of computer hardware that connects to a port on another device to provide it with additional functionality, or enable a pass-through to such a device that adds functionality. In computing, the term was initially synonym ...
that fits between a computer and an IDE or
SCSI Small Computer System Interface (SCSI, ) is a set of standards for physically connecting and transferring data between computers and peripheral devices. The SCSI standards define commands, protocols, electrical, optical and logical interface ...
hard drive, but with the advent of
USB Universal Serial Bus (USB) is an industry standard that establishes specifications for cables, connectors and protocols for connection, communication and power supply (interfacing) between computers, peripherals and other computers. A broad ...
and
SATA SATA (Serial AT Attachment) is a computer bus interface that connects host bus adapters to mass storage devices such as hard disk drives, optical drives, and solid-state drives. Serial ATA succeeded the earlier Parallel ATA (PATA) standard to ...
, forensic disk controllers supporting these newer technologies have become widespread. Steve Bress and Mark Menz invented hard drive write blocking (US Patent 6,813,682). A device which is installed between a storage media under investigation and an investigator's computer is called a "bridge kit". The bridge kit has one connector for the storage media and another connector the investigator's computer. It allows the investigator to read, but not alter the device under investigation. The United States
National Institute of Justice The National Institute of Justice (NIJ) is the research, development and evaluation agency of the United States Department of Justice. NIJ, along with the Bureau of Justice Statistics (BJS), Bureau of Justice Assistance (BJA), Office of Juvenil ...
operates a Computer Forensics Tool Testing (CFTT) program which formally identifies the following top-level tool requirements:


Description

Forensic disk controllers intercept write commands from the host
operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...
, preventing them from reaching the drive. Whenever the host
bus A bus (contracted from omnibus, with variants multibus, motorbus, autobus, etc.) is a road vehicle that carries significantly more passengers than an average car or van. It is most commonly used in public transport, but is also in use for cha ...
architecture supports it the controller reports that the drive is read-only. The disk controller can either deny all writes to the disk and report them as failures, or use on-board memory to cache the writes for the duration of the session. A disk controller that caches writes in memory presents the appearance to the operating system that the drive is writable, and uses the memory to ensure that the operating system sees changes to the individual disk sectors it attempted to overwrite. It does this by retrieving sectors from the disk if the operating system hasn't attempted to change them, and retrieving the changed version from memory for sectors that have been changed.


Uses

Forensic disk controllers are most commonly associated with the process of creating a
disk image A disk image, in computing, is a computer file containing the contents and structure of a disk volume or of an entire data storage device, such as a hard disk drive, tape drive, floppy disk, optical disc, or USB flash drive. A disk image is us ...
, or acquisition, during
forensic analysis Forensic science, also known as criminalistics, is the application of science to criminal and civil laws, mainly—on the criminal side—during criminal investigation, as governed by the legal standards of admissible evidence and criminal p ...
. Their use is to prevent inadvertent modification of evidence. Using hardware to protect the hard drive from writes is very important for several reasons. First, many
operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...
s, including
Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...
, may write to any hard disk that is connected to the system. At the very least, Windows will update the
access time Access time is the time delay or latency between a request to an electronic system, and the access being completed or the requested data returned * In a computer, it is the time interval between the instant at which an instruction control uni ...
for any file accessed, and may write things to the disk unexpectedly - such as creating hidden folders for the recycle bin or saved hardware configuration.
Virus A virus is a submicroscopic infectious agent that replicates only inside the living cells of an organism. Viruses infect all life forms, from animals and plants to microorganisms, including bacteria and archaea. Since Dmitri Ivanovsky's 1 ...
infections or
malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...
on the system used for analysis may attempt to infect the disk being inspected. Additionally, the
NTFS New Technology File System (NTFS) is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family. It superseded File Allocation Table (FAT) as the preferred fil ...
file system may attempt to commit or rollback unfinished transactions, and/or change flags on the volume to mark it as "in use". At the worst, undesired files may allocate and overwrite deleted space on the hard disk which may potentially destroy evidence in the form of previously deleted files. Protecting an evidence drive from writes during investigation is also important to counter potential allegations that the contents of the drive were altered during the investigation. Of course, this can be alleged anyway, but in the absence of technology to protect a drive from writes, there is no way for such an allegation to be refuted.


References

{{Reflist Hard disk computer storage Digital forensics