Discussion reply

Digital Forensics

Discuss in detail why you need to use a write blocker (either hardware or software) in your examinations, whether for a criminal case or a corporate case.


“Hardware write blockers, software developed to create forensic images used to read or copy the evidence data. Although there are countless applications developed for data duplication, data acquisition, and backing up data, nearly all forensic analysts will use applications specifically developed for creating forensic images. Most commercial vendors of forensic suites, in addition to open-sourced software developers, also provide applications to create forensic images applications. Forensic imaging applications are naturally used in conjunction with a write protection device. Most of these same forensic imaging applications can also be used on a live machine when necessary. Once a computer has been booted to the forensic operating system, an image of the computer hard drive can be created and saved onto an attached external hard drive. Forensic boot media provides write protection of the evidence hard drive(s) through software configurations.

In order to use a forensic boot media, the BIOS of the suspect computer system is first modified by the examiner to boot the forensic media rather than boot the hard drive in the computer. This method of booting an evidence computer carries a risk of inadvertently booting the suspect system causing modification of files on the evidence drive if precautions are not taken to control the booting process. Failing to control the booting process runs the risk of booting your evidence to its operating system, changing thousands of files on the hard drive.”

A hardware write blocker is similar to a one-way valve. It allows read commands to pass through but blocks write commands to prevent information from being modified. The purpose of the write blocker is to keep information secure by preventing original information from being modified or destroyed during analysis. The test results must be considered reproducible or repeatable as electronic evidence. The analysis of any seized evidence should occur under forensically sound conditions for it to be admissible in a court of law. During testimony, an officer has to specifically state what write blockers were used as well as how the original evidence was preserved. Integrity is key when presenting evidence, as there should not be any doubt as to whether the evidence has been tainted.

Please explain the steps you would take, from receipt of the evidence until testimony, including the reasons why you would take each step. For example, what would you check for when you sign for the drive on the chain of custody document?

Some of the steps I would take from receipt of evidence until testimony would consist of the following:

Taking a record of each item collected as evidence. This would help in keeping and storing all the details necessary about items that would later be used in the testimony and the admissibility of the evidence.

I would also ensure that I take a record of the detailed information about the person who collected the evidence, inclusive of the date and the time that it was collected. This would be imperative in ensuring that the evidence remains valid and, in case of anything, the person who collected it can be contacted to provide more clarity during the testimony.

I would write the description of the evidence in the documentation. The description would be significant in showing what type of evidence it is and the processes followed in its collection, and also in proving that it was not contaminated, hence it can be accepted as valid evidence.

In relation to the forensic evidence, the steps I would take would be as follows:

I would make sure that I check the chain of custody record for any irregularities. This would involve ensuring that everything in the evidence is in order, with no missing marks or unaccounted-for time.

Secondly, I would also ensure that, prior to making the hard disk drive (HDD), I properly check for indications of alteration. I would do this in order to be sure that the evidence has not been altered, because if it is altered or tampered with and this is found out, it can be rendered inadmissible and would not be believed when used as evidence.

I would prepare documentation of the collecting and gathering process of the evidence right from the receipt of the HDD. This would be one factor that would help substantiate how genuine the collection of the evidence was, since the documentation would show that an effective process was followed in collecting and gathering the evidence.


https://www.sciencedirect.com/topics/computer-science/hardware-write-blocker#:~:text=Evidence%20hard%20drives%20are%20connected,USB%20cable%20to%20a%20computer.&text=Along%20with%20the%20hardware%20write,or%20copy%20the%20evidence%20data.
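
The chain of custody check described in the reply (no missing marks, no unaccounted-for time) can be run mechanically over a transcribed custody record. The following is an added example, not part of the original reply; the record layout, the field names, the five-minute handover tolerance and the sample entries are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample record for one drive (not from a real case).
# Each entry is one custody period: who held the item and for how long.
SAMPLE_LOG = [
    {"holder": "Officer A", "received": "2024-03-01 09:15",
     "released": "2024-03-01 11:00", "signature": "A."},
    {"holder": "Evidence Clerk", "received": "2024-03-01 11:00",
     "released": "2024-03-02 08:30", "signature": "E.C."},
    {"holder": "Examiner B", "received": "2024-03-02 10:45",
     "released": None, "signature": ""},  # current holder, never signed
]

def check_custody(entries, max_gap=timedelta(minutes=5)):
    """Return (entry_index, problem) tuples for one evidence item.

    max_gap is an assumed tolerance for the handover itself; anything
    longer between one release and the next receipt is unaccounted time.
    """
    findings = []
    prev_released = None
    for i, e in enumerate(entries):
        if not e.get("signature"):
            findings.append((i, "missing signature"))
        received = datetime.strptime(e["received"], FMT)
        released = (datetime.strptime(e["released"], FMT)
                    if e.get("released") else None)
        # Only the current (last) holder may have an open custody period.
        if released is None and i != len(entries) - 1:
            findings.append((i, "no release time recorded"))
        if released is not None and released < received:
            findings.append((i, "released before received"))
        if prev_released is not None:
            gap = received - prev_released
            if gap > max_gap:
                findings.append((i, f"unaccounted time: {gap}"))
            elif gap < timedelta(0):
                findings.append((i, "overlaps previous holder"))
        prev_released = released
    return findings

if __name__ == "__main__":
    for index, problem in check_custody(SAMPLE_LOG):
        print(f"entry {index} ({SAMPLE_LOG[index]['holder']}): {problem}")
```

Each finding is something the examiner would need to resolve with the named holder before signing for the drive.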
