Thursday, August 13, 2009

Lessons Learned: Test Your Forensic Tools

Creative Commons attribution licensed image courtesy AlexWitherspoon

A recent call for a forensic drive copy which had to be done in a limited timeframe prompted a co-worker to dig out his USB to IDE/SATA bridge. Since we were asked to provide some time estimates, and to brush up on our imaging process, he ran a couple of tests on drives we keep for just those purposes. A quick boot of Helix on one of our laptops and he was ready to image the drive.

As you would expect, he dd'ed the drives, and then checked MD5 sums. For the first test on a small partition, the MD5 sums matched. For the second, larger partition, the MD5 sums didn't. That's not normal - and not something we frequently see. Testing showed that this appeared to be repeatable.

A repeat with another USB bridge device returned a correct MD5 sum. If we had used the first bridge device for our image, we might have found out that our image wasn't provably correct hours after we began.
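The check described above, as an added example that is not the post's own code: dd the source, then hash source and image and compare. It assumes GNU coreutils, and its self-test uses a constructed file in place of a real drive so it runs without hardware or a USB bridge.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the check the
# post describes: dd the source, then hash source and image and compare.
# Assumes GNU coreutils (dd, md5sum, mktemp, head). A real run would pass a
# device path such as /dev/sdX (placeholder); self_test uses a constructed
# file instead so it runs without a drive or USB bridge.

# hash_of FILE : prints the MD5 of FILE (the post compares MD5 sums)
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image SRC DEST : re-read both and compare MD5 sums.
# Returns 0 on match, 1 on mismatch (the symptom seen with the faulty bridge).
verify_image() {
    src_sum=$(hash_of "$1")
    dest_sum=$(hash_of "$2")
    printf 'source %s\nimage  %s\n' "$src_sum" "$dest_sum"
    [ "$src_sum" = "$dest_sum" ]
}

# image_and_verify SRC DEST : copy with dd, then verify. Returns 2 if dd fails.
image_and_verify() {
    dd if="$1" of="$2" bs=1M 2>/dev/null || return 2
    verify_image "$1" "$2"
}

# self_test : images a constructed 'drive' file, then damages the image to
# show the verification catching it. Returns 0 only if both outcomes are right.
self_test() {
    tmp=$(mktemp -d) || return 1
    # constructed sample: 3 MiB of random data plus a short tail, so the copy
    # spans several dd blocks and a partial final block
    head -c 3145728 /dev/urandom > "$tmp/drive.bin"
    printf 'tail' >> "$tmp/drive.bin"
    image_and_verify "$tmp/drive.bin" "$tmp/drive.img" || { rm -rf "$tmp"; return 1; }
    # simulate a bad copy: one extra byte at the end changes the image hash
    printf 'X' >> "$tmp/drive.img"
    if verify_image "$tmp/drive.bin" "$tmp/drive.img"; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

On a real drive the source hash is re-read through the same bridge as the copy, so a mismatch tells you the path is unreliable but not which read was wrong; repeating the test with a second bridge, as the post did, is what isolates the device.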

The moral of the story? Test any device you use for forensic imaging before you have to face a real event. It will help you provide realistic time estimates, allows you to test your process, and might just save your day.

As for the device? The manufacturer is sending a newer model - apparently this isn't an unknown issue.
