In the provision of search and seizure services to law enforcement agencies, there is often a need to produce an exact duplicate of a suspect's or victim's hard disk so that it can be analyzed in a controlled laboratory environment. To acquire the data, the law enforcement or forensic agent typically connects the subject hard disk to an agency-owned host personal computer and transfers its contents to that host. It is important that the equipment used for this acquisition be capable of acquiring the data without loss of integrity. An acquisition failure renders the data unusable for investigative purposes, undermines confidence in the equipment, and may raise legal or competency issues. The integrity of the acquired data must be capable of withstanding a court challenge.
Experience with forensic hard disk acquisitions shows a varying risk of errors during the acquisition process, arising from factors such as faulty or low-quality cables and connectors, bandwidth limitations of the equipment, and problems with the host computer's hardware and software when operating under load. These issues can manifest as data errors and can render the acquired data questionable and unusable as evidence.
During acquisition, a significant weak link in the data acquisition chain is the cable connecting the subject hard disk to the host equipment, together with the electronic components and settings of the host personal computer. Hard disk ribbon cables serving as data acquisition pathways are physically delicate; over time they suffer wear and tear, and broken wires or intermittent connections can introduce undetectable errors during the transfer of data. In that event the integrity of the acquired data is lost and the data must be considered unusable. Such a loss may not be readily detectable unless an independent verification is conducted. Other weak links include substandard internal components such as main memory, user-programmable settings, and the acquisition applications themselves.
Cable testing equipment exists; however, such equipment is intended for use by manufacturers and is of little use for forensic purposes, as it tests only the cable itself from end to end. It does not assess the integrity of the total data acquisition pathway while that pathway is operating under load.
A data integrity measurement test for hard disk acquisition is therefore needed to provide a measure of confidence that the computer equipment used for acquiring (imaging) hard disk data is not corrupting it. Data can be corrupted if any link in the data acquisition pathway is defective.
Hard disk acquisition is typically a long process (depending on the technology and the disk size). The success or failure of an acquisition can be determined with greater assurance by an independent hash measurement following the initial acquisition, in which the hash of the second read is compared with the hash recorded during the initial acquisition. Unfortunately, the extra time this independent verification requires, effectively a second full pass over the disk, is not always available due to operational constraints.
With current technology, forensic agents sometimes perform an acquisition check periodically to confirm that their equipment is operating properly. It is generally recommended that equipment serviceability be verified prior to use; however, time and environmental factors may limit the effectiveness of such a check. For example, if the check is performed before arriving at a search site, risk remains because the cables must be physically handled during transportation, equipment setup, and connection to each hard disk, and on site this handling is repeated for every hard disk acquired. Verifying an acquisition on site (prior to departure) imposes an additional time penalty, because the verification must be performed with an independent method or equipment, which effectively doubles the processing time per hard disk.
Current practice is to acquire data using acquisition software, such as Encase™ or similar proprietary acquisition tools, and to have the tool verify the received data against the evidence file it has written on the host computer. The weakness of this approach is that the verification hash is computed from the data as received: if the data was corrupted in transit, the tool compares corrupt data to itself and reports success. Greater confidence is gained by independently verifying the hash value against the subject hard disk; however, this incurs a time penalty and requires a second verification tool.
To mitigate these problems, forensic agents are typically instructed to verify the serviceability of their equipment prior to use. This is a time-consuming procedure: a reference hard disk of known content is acquired and the hash of the acquired data is compared with the known hash of the reference disk. This practice does not adequately mitigate the risk of a cable developing a fault during multiple on-site acquisitions, since the cable is subjected to wear and tear each time it is used and a pre-use check says nothing about faults that arise afterwards. In the absence of a better solution, verifying the quality of an acquisition is difficult and time consuming, and it may be ignored in field situations, introducing risk to the investigation.
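The two verification approaches contrasted above, the tool's self-check against its own evidence file and the independent hash or reference-disk check, can be made concrete in a small simulation. The following is an added example, not code from the original text or from any forensic tool: the subject disk, the reference disk and the intermittent cable fault are modelled in memory with constructed data, and SHA-256 is assumed as the hash (the text names no algorithm). It shows that a tool-style self-verification passes even when a single bit was flipped in transit, while an independent re-hash of the subject disk, or a reference-disk check through the same pathway, catches the fault.

```python
"""Simulation of tool self-verification versus independent verification.

Illustrative only: the disk, the cable fault and the hash choice (SHA-256)
are constructed assumptions, not the behaviour of any named product.
"""
import hashlib
import random
from typing import Callable, Dict, Iterator, Tuple

BLOCK_SIZE = 4096
Pathway = Callable[[Iterator[bytes]], Iterator[bytes]]


def read_disk(disk: bytes, block_size: int = BLOCK_SIZE) -> Iterator[bytes]:
    """Stream a (simulated) subject disk block by block, as an imager would."""
    for off in range(0, len(disk), block_size):
        yield disk[off:off + block_size]


def good_cable(blocks: Iterator[bytes]) -> Iterator[bytes]:
    """Acquisition pathway that delivers every block unchanged."""
    yield from blocks


def intermittent_cable(bad_block: int, bit: int = 0) -> Pathway:
    """Pathway with a single intermittent fault: one bit of one block is
    flipped in transit. Block count and ordering stay intact, so nothing in
    the transfer itself signals the error."""
    def pathway(blocks: Iterator[bytes]) -> Iterator[bytes]:
        for idx, blk in enumerate(blocks):
            if idx == bad_block:
                buf = bytearray(blk)
                buf[0] ^= 1 << bit
                blk = bytes(buf)
            yield blk
    return pathway


def acquire(disk: bytes, pathway: Pathway) -> Tuple[bytes, str]:
    """Tool-style acquisition: hash the bytes *as received* from the pathway
    while writing them to the evidence file. Returns (evidence, stored_hash)."""
    digest = hashlib.sha256()
    evidence = bytearray()
    for blk in pathway(read_disk(disk)):
        digest.update(blk)
        evidence += blk
    return bytes(evidence), digest.hexdigest()


def tool_self_verify(evidence: bytes, stored_hash: str) -> bool:
    """Built-in check: re-hash the evidence file and compare with the hash the
    same tool recorded. If the pathway corrupted the stream, the stored hash
    was computed over the already corrupt data, so this still succeeds."""
    return hashlib.sha256(evidence).hexdigest() == stored_hash


def independent_verify(disk: bytes, stored_hash: str) -> bool:
    """Independent check: re-read the subject disk (ideally through separate
    equipment) and compare with the acquisition hash. Costs a second full pass."""
    return hashlib.sha256(disk).hexdigest() == stored_hash


def reference_disk_check(reference: bytes, known_hash: str, pathway: Pathway) -> bool:
    """Pre-use serviceability check: image a reference disk of known content
    through the pathway under test and compare with its documented hash."""
    _, stored = acquire(reference, pathway)
    return stored == known_hash


def run_demo() -> Dict[str, Dict[str, bool]]:
    """Run all three checks over a good and a faulty pathway."""
    # Constructed 64 KiB "subject disk" with deterministic pseudo-random content;
    # the same bytes double as the reference disk whose hash is known in advance.
    rng = random.Random(20240101)
    disk = bytes(rng.getrandbits(8) for _ in range(16 * BLOCK_SIZE))
    known_hash = hashlib.sha256(disk).hexdigest()

    results: Dict[str, Dict[str, bool]] = {}
    for name, pathway in (("good_cable", good_cable),
                          ("intermittent_cable", intermittent_cable(bad_block=9, bit=3))):
        evidence, stored = acquire(disk, pathway)
        results[name] = {
            "tool_self_verify": tool_self_verify(evidence, stored),
            "independent_verify": independent_verify(disk, stored),
            "reference_disk_check": reference_disk_check(disk, known_hash, pathway),
        }
    return results


if __name__ == "__main__":
    for name, checks in run_demo().items():
        print(name, checks)
```

Running the block prints both pathways' outcomes; for the faulty cable only `tool_self_verify` reports success. Note the caveat implied by the text's "independent method/equipment": if the fault were consistent rather than intermittent, re-reading through the same cable and host could reproduce the identical corruption and the independent hash would also match, so the second pass should use a different pathway wherever possible.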