Document Type

Article

Publication Date

8-2016

Subject: LCSH

Computer crimes--Investigation, Computer forensics

Disciplines

Computer Engineering | Electrical and Computer Engineering | Forensic Science and Technology

Abstract

In this primary work we call for the importance of integrating security testing into the process of testing digital forensic tools. We postulate that digital forensic tools are increasing in features (such as network imaging), becoming networkable, and are being proposed as forensic cloud services. This raises the need for testing the security of these tools, especially since digital evidence integrity is of paramount importance. At the time of conducting this work, little to no published anti-forensic research had focused on attacks against the forensic tools/process.We used the TD3, a popular, validated, touch screen disk duplicator and hardware write blocker with networking capabilities and designed an attack that corrupted the integrity of the destination drive (drive with the duplicated evidence) without the user's knowledge. By also modifying and repackaging the firmware update, we illustrated that a potential adversary is capable of leveraging a phishing attack scenario in order to fake digital forensic practitioners into updating the device with a malicious operating system. The same attack scenario may also be practiced by a disgruntled insider. The results also raise the question of whether security standards should be drafted and adopted by digital forensic tool makers.

Comments

Dr. Baggili was appointed to the University of New Haven's Elder Family Endowed Chair in 2015.

© 2016 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC-BY-NC-ND license.

DOI

10.1016/j.diin.2016.04.004

Creative Commons License

Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Publisher Citation

Meffert, Christopher S., Ibrahim Baggili, and Frank Breitinger. "Deleting collected digital evidence by exploiting a widely adopted hardware write blocker." Digital Investigation 18 (2016): S87-S96.

 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.