Solid State Drive (SSD) forensics continues as the top story this week. Two university researchers published shocking research indicating that the firmware in SSDs can destroy forensic evidence as part of its everyday functionality. Details in MUST Reads (upgrading this week from "Good Reads"). Apple made big news with the launch of a new tablet (this week) and new laptop offerings (last week). We bring you news of forensic tools for the Mac. Plus, industrial espionage featuring Chinese spies paying American employees to steal intellectual property. And, do you have naked passwords?
Tools:
- MacQuisition 2.53 from BlackBag Technologies is a forensic acquisition tool for legacy and new Mac hardware. The new version now supports Intel i5 and i7 processing architecture, enabling it to work with the latest Mac laptops and desktops. This update also offers dual boot options for working with new Intel-powered Macs as well as legacy PowerPC Macs.
...
Can a Mac hard drive be easily removed for imaging with a forensic hardware imager?
It is really a matter of personal opinion. Macs are an engineering marvel; just ask anyone who has had to remove a hard drive from a Mac for forensic imaging and then tried to put it back together properly. Depending on the model of the desktop, with a set of Torx screwdrivers, scissor clamp and tweezers (Figure 1) in hand, it could be as simple as removing a few screws to open the case and gain access to the hard drive. However, some of the desktops require removing the glass panel with a heavy-duty suction cup (Figure 2) and then removing the LCD assembly before the hard drive can be accessed.
Figure 1
...
I like Windows. There... I said it. I understand that this statement will probably come with the requisite beatings, but I honestly enjoy using Windows on a day-to-day basis more than other operating systems and am willing to take whatever flak comes my way over it (and yes, my team at work loves to give me grief for it). But I do recognize that out of the box, Windows systems are not the most forensically sound environment - they love to automount drives, index files, and basically try to make your life easy. Normally this is a good thing; however, many of the things that Windows does for your convenience can at best be an annoyance to your forensics workflow and at worst actually alter your evidence, calling into question its integrity. Write blockers will prevent the accidental alteration of data, but sometimes you won't have a write blocker handy or you won't have a specific write blocker for the type of media that you need to image, so it is best to keep your system in a
...
This "007" edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.
If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.
News:
This week, big news from Guidance Software, maker of EnCase. The U.S. Secret Service will now add more data to the Verizon Breach Report. Microsoft released Office 2010 and several new/updated tools and virtual pit bulls are now protected.
Tools:
Good Reads: ...