Forensic disk controller
A forensic disk controller or hardware write-block device is a specialized type of computer hard disk controller built to give read-only access to a computer hard drive without any risk of altering the drive's contents. The device is named forensic because its most common application is in investigations where a hard drive may contain evidence. Historically such a controller was built as a dongle that fits between a computer and an IDE or SCSI hard drive, but with the advent of USB and SATA, forensic disk controllers supporting these newer interfaces have become widespread.

The United States National Institute of Justice operates a Computer Forensics Tool Testing (CFTT) program which formally identifies the following top-level tool requirements:
- A hardware write block (HWB) device shall not transmit a command to a protected storage device that modifies the data on the storage device.
- An HWB device shall return the data requested by a read operation.
- An HWB device shall return without modification any access-significant information requested from the drive.
- Any error condition reported by the storage device to the HWB device shall be reported to the host.
Description
Forensic disk controllers intercept write commands from the host operating system, preventing them from reaching the drive. Whenever the host bus architecture supports it, the controller also reports the drive as read-only, so a well-behaved operating system will not attempt writes in the first place. For writes that are attempted anyway, the controller either rejects them and reports each one to the host as a failure, or absorbs them into on-board memory for the duration of the session.

A controller that caches writes in memory presents the drive to the operating system as writable. It keeps a copy-on-write overlay of the sectors the host has tried to change: a read of a sector the host has not written is served from the drive, while a read of a sector the host has written is served from the cached copy, so the operating system sees its own changes although nothing has been written to the drive. The cached sectors are discarded when the session ends.
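The following Python model is an added illustration of the two blocking policies described above and of the four CFTT requirements listed earlier; it is not code from the article or from any write-blocker product. The simulated drive, its three-command interface (read, write, identify) and the "deny" and "cache" modes are simplifications assumed for the example; a real device filters ATA, SCSI or USB mass-storage commands on the bus.

```python
"""Model of a hardware write blocker (HWB) in front of a simulated drive.

Added example: illustrative code, not code from the article or from any
write-blocker vendor.  The drive, its command set (read/write/identify)
and the two blocking policies are simplified models constructed for
illustration; a real HWB filters ATA, SCSI or USB commands on the bus.
"""

SECTOR = 512


class DriveError(Exception):
    """Raised by the simulated drive, e.g. for an unreadable sector."""


class WriteBlocked(Exception):
    """Reported to the host when a write is rejected in 'deny' mode."""


class SimulatedDrive:
    """A toy drive: a list of sectors plus a set of LBAs that fail to read."""

    def __init__(self, sectors, bad=()):
        self.sectors = [bytes(s) for s in sectors]
        self.bad = set(bad)
        self.writes_received = 0  # writes that actually reached the media

    def read(self, lba):
        if lba in self.bad:
            raise DriveError(f"unrecoverable read error at LBA {lba}")
        return self.sectors[lba]

    def write(self, lba, data):
        self.writes_received += 1
        self.sectors[lba] = bytes(data)

    def identify(self):
        # Stand-in for ATA IDENTIFY DEVICE / SCSI INQUIRY + READ CAPACITY.
        return {"model": "SIM-DRIVE", "serial": "0001", "sectors": len(self.sectors)}


class WriteBlocker:
    """Sits between the host and the drive and never forwards a write.

    mode="deny":  every write is rejected and reported to the host as a failure.
    mode="cache": writes are absorbed into on-board memory (a copy-on-write
                  overlay keyed by LBA).  Reads of overlaid sectors come from
                  memory, so the host sees its own changes while the drive is
                  untouched; the overlay is discarded at end of session.
    """

    def __init__(self, drive, mode="deny"):
        if mode not in ("deny", "cache"):
            raise ValueError(mode)
        self.drive = drive
        self.mode = mode
        self.overlay = {}

    def is_read_only(self):
        # What the host sees when the bus lets the device advertise write
        # protection (e.g. a write-protect bit in a SCSI MODE SENSE reply).
        return True

    def read(self, lba):
        if lba in self.overlay:
            return self.overlay[lba]
        return self.drive.read(lba)  # drive errors propagate to the host unchanged

    def write(self, lba, data):
        if self.mode == "deny":
            raise WriteBlocked(f"write to LBA {lba} rejected")
        self.overlay[lba] = bytes(data)  # never touches self.drive

    def identify(self):
        return self.drive.identify()  # passed through without modification

    def end_session(self):
        self.overlay.clear()


def cftt_self_test(mode):
    """Exercise the four CFTT top-level HWB requirements against the model.

    Returns a dict of check name -> bool; the two 'host_*' entries describe
    what the host experiences, which differs between the two modes.
    """
    drive = SimulatedDrive([b"A" * SECTOR, b"B" * SECTOR, b"C" * SECTOR], bad={2})
    original = list(drive.sectors)
    hwb = WriteBlocker(drive, mode)

    # The host tries to overwrite sector 0, as an OS updating a timestamp would.
    try:
        hwb.write(0, b"X" * SECTOR)
        host_write_failed = False
    except WriteBlocked:
        host_write_failed = True
    host_sees_own_write = hwb.read(0) == b"X" * SECTOR

    # Req 1: no command that modifies the drive was transmitted to it.
    no_write_reached_drive = drive.writes_received == 0 and drive.sectors == original
    # Req 2: a read returns the data the drive holds.
    reads_correct = hwb.read(1) == b"B" * SECTOR
    # Req 3: access-significant information is returned unmodified.
    identity_preserved = hwb.identify() == drive.identify()
    # Req 4: an error condition from the drive is reported to the host.
    try:
        hwb.read(2)
        errors_reported = False
    except DriveError:
        errors_reported = True

    hwb.end_session()
    session_discarded = hwb.read(0) == b"A" * SECTOR

    return {
        "no_write_reached_drive": no_write_reached_drive,
        "reads_correct": reads_correct,
        "identity_preserved": identity_preserved,
        "errors_reported": errors_reported,
        "host_write_failed": host_write_failed,
        "host_sees_own_write": host_sees_own_write,
        "session_discarded": session_discarded,
    }


if __name__ == "__main__":
    for m in ("deny", "cache"):
        print(m, cftt_self_test(m))
```

In both modes the four requirement checks pass and the drive's write counter stays at zero; the difference is only in what the host observes: in "deny" mode the write fails and a re-read returns the original sector, in "cache" mode the write succeeds and the host reads back its own data until the session ends. Note that the error from the unreadable sector is raised to the host rather than masked, which is the fourth CFTT requirement and is what lets an examiner know that an image contains zero-filled or missing sectors.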
Uses
Forensic disk controllers are most commonly associated with the process of creating a disk image, or acquisition, during forensic analysis. Their use is to prevent inadvertent modification of evidence.
Using hardware to protect the hard drive from writes is important for several reasons. First, many operating systems, including Windows, may write to any hard disk that is connected to the system. At a minimum, Windows may update the last-access time of any file it touches, and it may write to the disk unexpectedly in other ways, such as creating hidden folders for the Recycle Bin or for saved hardware configuration. Virus infections or other malware on the analysis system may attempt to infect the disk being inspected. Additionally, the NTFS file system driver may commit or roll back unfinished journal transactions, and/or change flags on the volume to mark it as "in use". At worst, newly written files may be allocated over unallocated space on the disk, overwriting the remnants of previously deleted files and thereby destroying evidence.

Protecting an evidence drive from writes during an investigation is also important for countering allegations that the contents of the drive were altered during the investigation. Such an allegation can be made regardless, but without a write-blocking device in the acquisition chain, together with cryptographic hashes of the drive and of the acquired image taken before and after acquisition, there is no technical means of refuting it.
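The hash-verification step that makes such a refutation possible, as an added example that is not part of the original article: the "evidence drive" is an in-memory byte string constructed for illustration (in practice it would be a block device opened read-only behind the write blocker), and the sector size, the unreadable-sector handling and the helper names are assumptions of the example. It models the standard procedure of hashing every byte read while the image is written, then re-hashing both the image and the source and requiring all three digests to agree; the tampering scenario at the end shows how an alteration of the source becomes detectable rather than deniable.

```python
"""Disk acquisition behind a write blocker, with hash verification.

Added example, not code from the article.  The 'evidence drive' is an
in-memory byte string constructed for illustration; in practice the source
is a block device opened read-only behind the write blocker.  The procedure
modeled is the standard one: hash every byte read from the source while the
image is written, then re-hash both the image and the source and require all
three digests to agree.
"""
import hashlib

SECTOR = 512


class EvidenceSource:
    """Sector-addressable read-only view of a drive; `bad` LBAs fail to read."""

    def __init__(self, data, bad=()):
        if len(data) % SECTOR:
            raise ValueError("data must be a whole number of sectors")
        self.data = bytes(data)
        self.bad = set(bad)

    @property
    def sector_count(self):
        return len(self.data) // SECTOR

    def read_sector(self, lba):
        if lba in self.bad:
            raise IOError(f"unrecoverable read error at LBA {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def walk(source):
    """Yield (lba, chunk, readable) for each sector.  Unreadable sectors are
    replaced by zero-fill, as forensic imagers do, and flagged so the
    acquisition log can record them."""
    for lba in range(source.sector_count):
        try:
            yield lba, source.read_sector(lba), True
        except IOError:
            yield lba, bytes(SECTOR), False


def acquire(source):
    """Image the source sector by sector.

    Returns (image_bytes, acquisition_sha256_hex, list_of_bad_lbas).  The
    digest covers exactly the bytes written to the image, so it can later be
    compared with a hash of the image file and with a fresh pass over the
    source.
    """
    digest = hashlib.sha256()
    image = bytearray()
    bad = []
    for lba, chunk, readable in walk(source):
        digest.update(chunk)
        image += chunk
        if not readable:
            bad.append(lba)
    return bytes(image), digest.hexdigest(), bad


def hash_source(source):
    """Hash the source the same way acquire() does (bad sectors as zeros)."""
    digest = hashlib.sha256()
    for _, chunk, _ in walk(source):
        digest.update(chunk)
    return digest.hexdigest()


def verify(source, image, acquisition_hash):
    """Post-acquisition check.  All three digests must agree: the one taken
    while imaging, one over the image file, and one over a second read of the
    source.  A mismatch means either the image is bad or the source changed."""
    image_hash = hashlib.sha256(image).hexdigest()
    source_hash_after = hash_source(source)
    return {
        "acquisition_hash": acquisition_hash,
        "image_hash": image_hash,
        "source_hash_after": source_hash_after,
        "consistent": acquisition_hash == image_hash == source_hash_after,
    }


def demo():
    """Constructed scenario: 8 sectors, LBA 5 unreadable.  Returns
    (verification_ok, verification_after_tamper_ok, bad_lbas)."""
    data = b"".join(bytes([i]) * SECTOR for i in range(8))
    source = EvidenceSource(data, bad={5})
    image, acq_hash, bad = acquire(source)
    clean = verify(source, image, acq_hash)

    # What a write blocker exists to prevent: one sector of the evidence is
    # overwritten between acquisition and verification.  The re-read hash no
    # longer matches, so the alteration is detectable rather than deniable.
    altered = data[:SECTOR] + b"\xff" * SECTOR + data[2 * SECTOR:]
    tampered = verify(EvidenceSource(altered, bad={5}), image, acq_hash)
    return clean["consistent"], tampered["consistent"], bad


if __name__ == "__main__":
    print(demo())
```

The unreadable sector is zero-filled in the image and listed in the returned `bad` list; because the digest is computed over the bytes actually written, the acquisition hash, the image hash and a second pass over the untouched source agree even though one sector could not be read, while any change to the source after acquisition breaks the agreement.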