Digital Insider: Software Imaging/Analysis Tools and Hardware Devices -- Part 3
By: John J. Barbara
Issue: Dec. 2006/Jan. 2007
This column concludes the discussion of some (again, emphasis on some) software
tools and hardware devices that are available for examiner use. As stated in
both previous columns, all software tools and hardware devices must undergo
some sort of performance verification/validation testing in the examiner’s
laboratory PRIOR to using them for forensic analysis. Disclaimer: any software
or hardware product mentioned in this and future columns should not be considered
an endorsement of that product by Forensic Magazine or by the author.
IMAGING/ANALYSIS TOOLS AND HARDWARE DEVICES (continued):
1. FastBloc
(http://www.guidancesoftware.com/lawenforcement/ef_fastblocfe.asp)
The latest version of FastBloc is the FastBloc2 Lab Edition, which incorporates
a high-speed FireWire 800 (400-compatible) interface. Write blocking is accomplished
via WiebeTech write-block firmware. FastBloc2 Lab Edition comes equipped with
a PCI FireWire 800 card and 3.5" external IDE cables. Since the FireWire card
must be installed in a computer, FastBloc2 Lab Edition is not considered a
standalone portable solution. However, it is a plug-and-play device and no
drivers are necessary for its use in operating systems that support IEEE 1394.
EnCase will recognize the presence of FastBloc2 Lab Edition and document its
use in its reports.
2. FireFly
(http://www.digitalintelligence.com/products/firefly/)
FireFly is available
in both IDE and SATA versions and supports both FireWire 1394a (400 Mb/s)
and 1394b (800 Mb/s). An interesting feature is that FireFly can be selectively
configured for either Read-Only or Read-Write functionality. By default,
FireFly is shipped as a Read-Only (write blocking) device. FireFly can also
provide diagnostic information, which includes both Read/Write activity indication
and Write Protect indication. It is compatible with all operating systems
that support IEEE 1394 and have a FireWire compliant card and appropriate
drivers.
3. IsoBuster
(http://www.isobuster.com/).
This highly specialized data recovery tool is used for examining CDs and DVDs.
Since it is a standalone tool, it does not require any installed drivers. IsoBuster
supports all CD and DVD common file formats and file systems and can interpret
many different CD image files. The tool can readily view and access data on
CDs or DVDs from both open and closed sessions, thereby displaying data which
may not be readily accessible using other forensic software tools or a computer's
operating system. Among its many other features, IsoBuster can be used to find
lost data that was placed on a CD using a UDF drag-and-drop application. Individual
and site licenses are available.
4. PDBLOCK
(http://www.digitalintelligence.com/software/disoftware/pdblock/) PDBLOCK
(Physical Drive BLOCKer) is a standalone software utility designed to prevent
unexpected writes to a physical disk drive. This is accomplished by handling
both the standard Interrupt 13 and the Interrupt 13 Extensions. Digital Intelligence
also offers a "lite" version of PDBLOCK called PDB_LITE which can
be provided free of charge to law enforcement agencies. This version effectively
traps all hard disk writes that use the newer Interrupt 13 extensions.
5. PDWIPE
(http://www.digitalintelligence.com/software/disoftware/pdwipe/) PDWIPE is
a command line tool that works with any hard drive which is accessible via
Interrupt 13 or Interrupt 13 Extensions. Wiping can be done using random
patterns or by specifying a specific character. Multiple hard drives can
be systematically wiped from a system using a single program operation and,
if selected, a report of wiping activity can be generated. Since this is
a command line tool, confirmation of an operation is necessary prior to the
command being initiated. One of the features is to automatically verify the
first and last sectors on the hard drive.
6. SMART
(http://www.asrdata.com/tools/)
Widely used by both the business community and law enforcement, this Linux-based
software utility includes a user-friendly interface. SMART can acquire
data from workstations, servers, and digital devices and clone it to any number
of images and devices simultaneously. Authentication of the data is performed
using CRC32, MD5SUM, and SHA1 algorithms. SMART supports/recognizes many file
systems such as VFAT, NTFS, ext2, ext3, Reiser, HFS, HFS+, XFS, JFS, ISO9660,
BeFS, and others. Functionality includes recovering deleted files and interpreting
file system meta-data. Searches, including simple terms and UTF-8 encoding, can
be easily and quickly conducted. The product is available at a reduced price
for law enforcement.
7. WipeMASSter
(http://www.ics-iq.com/)
WipeMASSter is a standalone hardware device that can simultaneously erase and
sanitize up to nine hard drives. With an additional add-on option, erased/sanitized
hard drives can be formatted. Erasing/sanitizing speeds up to and exceeding
3GB/minute are common. WipeMASSter works with all types of hard drives, including
laptop hard drives. However, for some hard drives, it may be necessary to purchase
optional adapters. Different sizes/types/models of hard drives can be erased/sanitized
during the same operation. Erasing/sanitizing is programmable from one pass
to as many as necessary to meet the Department of Defense standard.
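As an added example (not PDWIPE's or WipeMASSter's own code), the following Python script performs the kind of wipe both product descriptions mention, a fixed character or random bytes applied in as many passes as requested, then verifies the first and last sectors and produces a wiping-activity report. It assumes 512-byte sectors and uses a constructed disk image file in place of a physical drive.

```python
import os
import secrets
import tempfile
from typing import Optional

SECTOR = 512  # assumption for this example: 512-byte sectors, as Int 13h addresses them

def _sector(fill: Optional[int]) -> bytes:
    """One sector of wipe data: the specified character, or random bytes if fill is None."""
    return bytes([fill]) * SECTOR if fill is not None else secrets.token_bytes(SECTOR)

def wipe_image(path: str, passes: int, fill: Optional[int] = None) -> dict:
    """Overwrite every sector of the image `passes` times, then read back the
    first and last sectors and compare them with what the final pass wrote."""
    size = os.path.getsize(path)
    if size % SECTOR:
        raise ValueError("image is not a whole number of sectors")
    sectors = size // SECTOR
    first = last = b""
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            for i in range(sectors):
                chunk = _sector(fill)
                if i == 0:
                    first = chunk
                if i == sectors - 1:
                    last = chunk
                f.write(chunk)
            f.flush()
            os.fsync(f.fileno())  # each pass must reach the medium before the next starts
        f.seek(0)
        first_ok = f.read(SECTOR) == first
        f.seek((sectors - 1) * SECTOR)
        last_ok = f.read(SECTOR) == last
    # Wiping-activity report, in the spirit of the optional PDWIPE report
    return {"image": path, "sectors": sectors, "passes": passes,
            "pattern": "random" if fill is None else f"0x{fill:02X}",
            "first_sector_verified": first_ok, "last_sector_verified": last_ok}

def demo() -> tuple:
    """Constructed 4-sector image holding fake data: wipe it once with 0x00, then
    with three random passes; return both reports plus the bytes after the 0x00 pass."""
    path = os.path.join(tempfile.mkdtemp(), "drive.img")
    with open(path, "wb") as f:
        f.write(b"EVIDENCE" * (4 * SECTOR // 8))  # constructed sample contents
    zero_report = wipe_image(path, passes=1, fill=0x00)
    with open(path, "rb") as f:
        after_zero = f.read()
    return zero_report, after_zero, wipe_image(path, passes=3)
```

Checking only the first and last sectors, as the column describes, confirms the tool addressed the whole range but not that every intermediate sector was overwritten; a full read-back is the stronger laboratory validation.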
Although this column and the previous two columns focused upon certain imaging/analysis
tools and hardware devices, many others are currently available. New ones are
constantly being developed and marketed to the digital forensic community.
It is always incumbent upon the examiner to thoroughly research the available
tools and devices and decide which ones to use for forensic analysis. It cannot
be overemphasized that all software tools and/or hardware devices must undergo
some sort of performance verification/validation testing in the examiner’s
laboratory PRIOR to using them for forensic analysis. The next column will
begin a discussion of quality assurance measures in the Digital Forensics laboratory.
The previous columns in this series can be found at www.forensicmag.com. I
welcome your comments and questions. Contact the Digital Insider at: digitalinsider@forensicmag.com
John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida
Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since
1993, John has conducted inspections in several forensic disciplines including
Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia
Evidence” to be published by Humana Press in 2007.