Home > Articles > Hardware

This chapter is from the book

This chapter is from the book

Practical Guide to Computer Forensics Investigations, APractical Guide to Computer Forensics Investigations, A

Learn More Buy

This chapter is from the book

This chapter is from the book

Practical Guide to Computer Forensics Investigations, APractical Guide to Computer Forensics Investigations, A

Learn More Buy

Cloning a PATA or SATA Hard Disk

There are two processes used by computer forensics examiners for making a bit-for-bit copy of a hard drive:

  • A disk clone is an exact copy of a hard drive and can be used as a backup for a hard drive because it is bootable just like the original.
  • A disk image is a file or a group of files that contain bit-for-bit copies of a hard drive but cannot be used for booting a computer or other operations.

The image files can also be different because they can be compressed, unlike a disk clone, which is not compressed. When cloning, the bit-for-bit copy is transferred to a second hard drive that is of equal size or larger than the source drive. Another difference is that specialized software, like EnCase, X-Ways, or FTK, is needed to view the contents of the image files. In general, image-viewing software is read-only, and files cannot be added. Nevertheless, some applications allow image files to be edited; WinHex, which is produced by X-Ways Forensics, is one such example.

Cloning Devices

The process of cloning a hard drive is a faster process than imaging a hard drive. The time difference between the two processes is substantial. Therefore, when a computer forensics examiner is working undercover or perhaps needs to obtain a copy of a hard drive and leave the computer with the custodian, then cloning the drive is more practical. On average, successfully cloning a SATA drive takes less than an hour. Of course, the time to clone depends on the size of the source hard drive and the cloning equipment being used.

One forensic cloning device used in investigation is the Disk Jockey PRO Forensic Edition (see Figure 3.9). The device is write-protected and allows the user to copy directly from a SATA or IDE hard disk drive to another SATA or IDE hard disk drive.

FIGURE 3.9

FIGURE 3.9 Disk Jockey PRO Forensic Edition

Before the investigation, all harvest disk drives must be sanitized. The Disk Jockey PRO has a function that performs a Department of Defense (DoD) seven-pass secure erase. When a new hard drive is removed from the packaging, it should be securely erased because an attorney might question a forensic investigator on this. Other devices, like the WipeMASSter Hard Disk Sanitizer from Intelligent Computer Solutions, are used solely to securely erase hard disk drives.

Before embarking on an investigation, it is also helpful to identify the specifications of the suspect’s machine (the make and model), where possible. This enables the investigator to research the computer that they will be working on and learn how to remove the hard drive. This might sound like common sense, but removing a hard drive from a Dell Inspiron 6400 laptop for cloning is very different from removing the drive from a Dell Latitude D430. The equipment required to clone each of these hard drives is also very different. A Dell Inspiron 6400 is relatively easy to remove, and then you can connect a SATA data cable and a SATA power cable. For a Dell Latitude D430 (or D420) laptop, the battery must be removed; then a thin cable must be removed from the hard drive and a rubber casing around the drive also must be removed. A special ZIF cable, ZIF adapter, and IDE interface cable are necessary to connect the 1.8-inch SATA hard drive to the Disk Jockey PRO, as in Figure 3.10. If possible, also try to predetermine the target computer’s operating system.

FIGURE 3.10

FIGURE 3.10 Cloning a hard disk drive with Disk Jockey PRO Forensic Edition

A simple Internet search for “removing the hard drive dell 430” will result in helpful documentation (including pictures) that Dell has made available online. In fact, Dell maintains a web page for most of its computer models that details hard disk drive removal. For other computers, manufacturers provide similar documentation. Removing the hard drive from the most recent iMac is a very involved process that requires some unique tools. Apple provides comprehensive instructions on the removal of hard drives from iMacs. YouTube.com also has numerous helpful videos to help the investigator.

The Disk Jockey has both a “Disk Copy” and a “Disk Copy (HPA)” cloning function. An investigator should first attempt to use the Disk Copy (HPA) clone function. This function makes a copy of the disk that includes the Host Protected Area (HPA). The Host Protected Area (HPA) is a region on a hard disk that often contains code associated with the BIOS for booting and recovery purposes. Manufacturers use the HPA to assist in the recovery process and replace the need for a recovery CD. An investigator should try to make a copy of this area because criminals have been known to hide incriminating evidence in this region of the disk. Sometimes the Disk Jockey PRO is unable to recognize and copy the HPA. When an error message appears on the Disk Jockey PRO’s LCD display, the investigator must then use the Disk Copy function instead of Disk Copy (HPA).

Let’s Get Practical!: Standard Operating Procedures for Operating the Disk Jockey PRO

Preparation

  1. Connect the new hard drive to the right side of the Disk Jockey labeled Destination Disk.

  2. Press the Power/Start button. With DATA ERASE DoD selected, press the Power/Start button. Record this action, with date and time, in your investigator notes.

    This process could take 2 hours, depending on the size of the hard drive that you need to sanitize.

The Investigation

In a real investigation, you would have paperwork to fill out at this point, including a Chain of Custody form. See Chapter 6, “Documenting the Investigation,” for a copy of this form.

  1. Remove the hard disk drive from the suspect’s computer. Take a photograph of the suspect’s computer, the computer’s serial number, and the hard drive, while ensuring that you capture the serial number of the hard drive in the photograph.

  2. With the hard disk drive removed, turn on the suspect’s computer and then press F2 or F4 to enter the BIOS (some computers require a different function key or key combination). Then enter the BIOS information into the Computer Worksheet. The most important information to record is the computer’s system time. You should then record the actual time (perhaps from a cellular telephone with the accurate current time).

    See Chapter 6 for a copy of the Computer Worksheet form.

  3. Connect the suspect’s hard drive on the left side of the Disk Jockey where you see the words Source Disk.

  4. Connect your new sanitized hard drive (harvest drive) on the right where you see the words Destination Disk. Take a photograph of the harvest drive. Compare your screen with Figure 3.11.

    FIGURE 3.11

    FIGURE 3.11 Configuration of hard drives connected to the Disk Jockey PRO

  5. Press the Power/Start button. Turn the Mode button clockwise until DISK COPY (HPA) displays, and then press the Power/Start button; compare your screen with Figure 3.12. Record this action, with date and time, in your investigator notes.

    If an error message displays, redo Step 6, but this time select DISK COPY and then press the Power/Start button.

    FIGURE 3.12

    FIGURE 3.12 Disk copy process initialized

  6. When the cloning process is completed, the Disk Jockey PRO automatically shuts down. You should then record the date and time the disk copy process ended in your investigator notes.
  7. Connect your harvest drive to a forensic write-blocker, which then should be connected to the USB port on your laptop. Then access the harvest drive to verify that you successfully created a copy of the suspect’s hard drive.

Alternative Copy Devices

The ImageMASSter Solo IV Forensic is a much more expensive device than the Disk Jockey PRO, but it has the ability to image two devices simultaneously. The investigator can select either a Linux DD file or an E01 image file.

Solid State Drives

A solid state drive (SSD; see Figure 3.13) is a nonvolatile storage device found in computers. Unlike on a hard drive, files on a solid state drive are stored on memory chips in a stationary layout of transistors, not on metal platters. In other words, a solid state drive has no moving parts—no read/write heads or spinning disks. Most solid state drives are flash memory NAND devices. It is important to know about these drives because they are growing in importance; they can be found in Chromebooks, the MacBook Air, and numerous personal computers today.

FIGURE 3.13

FIGURE 3.13 Solid state drive

In a single-level cell (SLC) NAND flash, each cell in the SSD has 1 bit. In a multilevel cell NAND flash, each cell has two or more bits. An MLC has higher density but generally requires more voltage than an SLC.

There are more than 60 SSD manufacturers, while there are very few hard disk drive manufacturers. There are numerous controller manufacturers who have different manufacturing requirements for SSD manufacturers. Therefore, this complicates the life of a computer forensics investigator, i.e. an SSD from one manufacturer can have different controllers with varying firmware. The proprietary firmware associated with the controller affects garbage collections, caching, wear-leveling, encryption, compression, bad block detection, and more.

Consider some examples of SSD controller manufacturers:

  • Marvell
  • Hyperstone
  • SandForce
  • Indilix
  • Phison
  • STEC
  • Fusion-io
  • Intel
  • Samsung

In many ways solid state drives are a more efficient alternative to hard disk drives, given their more efficient use of power; faster retrieval and storage of files; and greater resistance to environmental factors, including heat and vibration. Nevertheless, solid state drives suffer from ware-leveling. Ware-leveling is the process by which over time areas of a storage medium become unusable.

From a file storage perspective, solid state drives are very different from hard disk drives, and they do not use the traditional 512-byte storage sectors.

In terms of computer forensics, recovering deleted files on a solid state drive is more challenging as a result of the garbage collection process. Garbage collection is a memory-management process that removes unused files to make more memory available. Garbage collection is rather unpredictable with solid state drives and is particularly uncontrollable. Changes to files stored on a solid state drive can occur without warning, regardless of the best efforts of a computer forensics examiner. Garbage collection and other automated functions associated with an SSD mean that once a hash is forensically created for a hard drive, then when a hash is generated again on the same drive, the two hashes are unlikely to match, which is different with a HDD.

Unlike a hard disk drive, with an SSD, data must be erased before a write can occur; writes are completed in large blocks with high latency. Another difference is that the operating system does not keep track of the physical location of files; a file translation layer (FTL) is responsible for this. The File Translation Layer (FTL) maps a logical block address to a physical block address. TRIM is an operating system function that informs a solid state drive which blocks are no longer in use, which allows for high write performance. TRIM runs immediately after the Recycle Bin is emptied.

Random Access Memory (RAM)

Random Access Memory (RAM; see Figure 3.14) is volatile memory that is used for processes currently running on a computer. Its volatile nature comes from the fact that, when a computer is powered off, the contents of RAM are generally erased. However, if a system is powered on, RAM can provide a forensics examiner with a treasure trove of information, which can include Internet searches, websites visited, and possibly even passwords.

FIGURE 3.14

FIGURE 3.14 RAM chip

Redundant Array of Independent Disks (RAID)

A Redundant Array of Independent (or Inexpensive) Disks is commonly referred to with the acronym RAID. A RAID, is where two or more disks are used in conjunction with one another to provide increased performance and reliability through redundancy (see Figure 3.15). In the case of a RAID, reliability refers to fault tolerance, which means that if one component in a system, like a hard disk drive, fails, then the system will continue to operate. This kind of reliability is worth the investment for many critical systems in an organization. More recently, organizations have installed RAIDs to increase storage. Although RAID contains multiple hard disks, the operating system views the RAID as one logical disk with the use of hardware controllers.

FIGURE 3.15

FIGURE 3.15 RAID

From a computer forensics perspective, it is important to know that a computer may have multiple hard drives connected to it, all of which have evidentiary value. It is also important for an investigator to note the order in which each drive was added to the RAID and which drive adapter is connected to which drive (it can be confusing).

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020