Computer crimes--Investigation, Computer forensics
Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology
In this primary work we call for the importance of integrating security testing into the process of testing digital forensic tools. We postulate that digital forensic tools are increasing in features (such as network imaging), becoming networkable, and are being proposed as forensic cloud services. This raises the need for testing the security of these tools, especially since digital evidence integrity is of paramount importance. At the time of conducting this work, little to no published anti-forensic research had focused on attacks against the forensic tools/process.We used the TD3, a popular, validated, touch screen disk duplicator and hardware write blocker with networking capabilities and designed an attack that corrupted the integrity of the destination drive (drive with the duplicated evidence) without the user's knowledge. By also modifying and repackaging the firmware update, we illustrated that a potential adversary is capable of leveraging a phishing attack scenario in order to fake digital forensic practitioners into updating the device with a malicious operating system. The same attack scenario may also be practiced by a disgruntled insider. The results also raise the question of whether security standards should be drafted and adopted by digital forensic tool makers.
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.
Meffert, Christopher S.; Baggili, Ibrahim; and Breitinger, Frank, "Deleting Collected Digital Evidence by Exploiting a Widely Adopted Hardware Write Blocker" (2016). Electrical & Computer Engineering and Computer Science Faculty Publications. 56.
Meffert, Christopher S., Ibrahim Baggili, and Frank Breitinger. "Deleting collected digital evidence by exploiting a widely adopted hardware write blocker." Digital Investigation 18 (2016): S87-S96.