Introduction to Evidence Preservation
Evidence preservation ensures that digital evidence remains unchanged from the moment of collection through its presentation in court. A single bit changed in the evidence can raise questions about its integrity and potentially make it inadmissible. This part covers the techniques and tools used to preserve evidence forensically.
Never work on original evidence. Always create forensic copies and perform all analysis on the copies. The original must remain pristine for court presentation and verification.
Write-Blockers
Write-blockers are hardware or software tools that prevent any data from being written to storage media while allowing read access. They are the first line of defense against evidence modification.
Types of Write-Blockers
Hardware Write-Blockers
Physical devices that sit between the evidence drive and the forensic workstation. They intercept and block all write commands at the hardware level.
Software Write-Blockers
Operating system level tools that intercept write commands. Less reliable than hardware but useful when hardware blockers are unavailable.
| Aspect | Hardware Write-Blocker | Software Write-Blocker |
|---|---|---|
| Reliability | Very high - operates independently of OS | Moderate - can be bypassed by OS bugs |
| Court Acceptance | Widely accepted as standard | May require additional documentation |
| Cost | $200-$1000+ per unit | Free to low cost |
| Speed | May introduce slight latency | Minimal impact on speed |
| Interface Support | Specific to interface (SATA, USB, etc.) | Can work with any mounted drive |
Always use a hardware write-blocker when available. Test your write-blocker before each use by attempting to write to a test drive and verifying the write fails. Document the write-blocker used, including make, model, and serial number.
Forensic Imaging
Forensic imaging creates an exact, bit-for-bit copy of storage media. Unlike a regular file copy, a forensic image captures everything - including deleted files, slack space, unallocated space, and hidden areas.
Types of Forensic Images
Physical Image (Raw/dd)
Exact bit-for-bit copy of entire media. Maximum compatibility but large file sizes. Common formats: .dd, .raw, .001
Forensic Container (E01)
EnCase format with compression, built-in hashing, and metadata. Industry standard. Supports splitting into segments.
Logical Image
Copies only active files and folders. Faster but misses deleted data. Used when full physical access is not possible.
Imaging Process
- Connect via Write-Blocker: Connect the evidence media to the forensic workstation through a hardware write-blocker
- Document Source Details: Record make, model, serial number, capacity, and condition of the source media
- Calculate Source Hash: Generate MD5 and SHA-256 hashes of the source media before imaging
- Create Forensic Image: Use forensic imaging software to create the image, with verification enabled
- Verify Image Hash: Calculate the hash of the completed image and compare it to the source hash
- Document Results: Record all hashes, timestamps, tool versions, and any errors encountered
```bash
# Example: Creating a forensic image with dc3dd (Linux).
# hof= writes a single image file and re-hashes the output stream so the
# image is verified against the source; log= records hashes and read errors.
dc3dd if=/dev/sdb hof=/evidence/case123.dd hash=md5 hash=sha256 log=/evidence/case123.log

# Example: Creating an E01 image with ewfacquire.
# -d sha256 adds a SHA-256 digest to the default MD5; -u runs unattended.
ewfacquire -u -t /evidence/case123 -f encase6 -c best -m fixed -S 4G -d sha256 /dev/sdb

# Output includes verification hashes
MD5 hash:     d41d8cd98f00b204e9800998ecf8427e
SHA-256 hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
```
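The imaging steps above, carried out end to end as an added example (not code from the course or from the dc3dd/ewfacquire projects): the source is hashed before acquisition, the output stream is hashed as it is written, the finished image is hashed again, and all three values plus timestamps go to a log. It works on ordinary files so it runs anywhere; the "source device" is a constructed temporary file standing in for `/dev/sdb`, and the log line format is an assumption.

```python
# Added example, not from the course page or any named tool: a minimal
# bit-for-bit acquisition with pre-, during- and post-acquisition hashing
# and a log. The "source device" is a constructed temp file standing in
# for /dev/sdb, and the log format is an assumption.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024             # 1 MiB reads: media are far larger than RAM
ALGORITHMS = ("md5", "sha256")  # the pairing the course recommends


def hash_file(path):
    """Return {algorithm: hexdigest} for the file, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image, log):
    """Copy source to image byte for byte. Hash the source beforehand, the
    output stream while writing, and the finished image afterwards; write all
    three plus timestamps to the log. Returns True only if all three agree."""
    start = datetime.now(timezone.utc)
    pre = hash_file(source)                          # pre-acquisition hash
    stream = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            for h in stream.values():                # hash exactly what is written
                h.update(chunk)
    during = {name: h.hexdigest() for name, h in stream.items()}
    post = hash_file(image)                          # post-acquisition hash
    verified = pre == during == post
    end = datetime.now(timezone.utc)
    with open(log, "a", encoding="utf-8") as lf:
        lf.write(f"source={source} image={image} size={os.path.getsize(source)}\n")
        lf.write(f"start={start.isoformat()} end={end.isoformat()}\n")
        for name in ALGORITHMS:
            lf.write(f"{name} source={pre[name]} stream={during[name]} image={post[name]}\n")
        lf.write(f"verification={'PASS' if verified else 'FAIL'}\n")
    return verified


def flip_one_bit(path, offset):
    """Flip the lowest bit of the byte at offset (simulates a damaged image)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([byte ^ 0x01]))


def demo():
    """Constructed sample: a 3 MiB pseudo-device with a repeating byte pattern.
    Returns (acquisition verified, image still matches source after a one-bit
    change); the expected result is (True, False)."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "sdb.bin")           # stands in for /dev/sdb
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * (3 * 1024 * 1024 // 256))
    image = os.path.join(work, "case123.dd")
    log = os.path.join(work, "case123.log")
    verified = acquire(source, image, log)
    flip_one_bit(image, 4096)
    still_matches = hash_file(image) == hash_file(source)
    return verified, still_matches


if __name__ == "__main__":
    print(demo())
```

The second return value shows why the post-acquisition hash matters: a single flipped bit anywhere in the image makes both digests disagree with the source, which is exactly the condition the log's FAIL line is meant to catch before any analysis starts.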
Cryptographic Hashing
Cryptographic hashes produce a fixed-size "fingerprint" of data that is, for practical purposes, unique to that data. Any change to the data, even a single bit, produces a completely different hash. This property makes hashing essential for proving evidence integrity.
Common Hash Algorithms
| Algorithm | Output Size | Security Status | Forensic Use |
|---|---|---|---|
| MD5 | 128 bits (32 hex chars) | Cryptographically broken | Still used for speed; always pair with SHA |
| SHA-1 | 160 bits (40 hex chars) | Deprecated | Legacy use; being phased out |
| SHA-256 | 256 bits (64 hex chars) | Secure | Current standard for forensics |
| SHA-512 | 512 bits (128 hex chars) | Secure | Extra security when needed |
Hash Demonstration
Two inputs that differ by a single character, and their hashes - showing the "avalanche effect"
SHA-256: 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069
SHA-256: 3b5a8c2d4e6f8a0b1c3d5e7f9a2b4c6d8e0f1a3b5c7d9e1f2a4b6c8d0e2f4a6b
A single character change produces completely different hashes!
While MD5 is cryptographically broken (collision attacks are possible), it remains useful in forensics when paired with SHA-256. The combination of both algorithms provides backward compatibility and strong integrity verification. Never rely on MD5 alone.
Verification and Documentation
Creating a forensic image is only half the battle. Proper verification and documentation are essential to prove the image accurately represents the original evidence.
Verification Steps
- Pre-acquisition hash: Hash the source media before imaging begins
- Acquisition verification: Most tools verify during acquisition
- Post-acquisition hash: Hash the completed image
- Hash comparison: Confirm pre and post hashes match
- Re-verification: Hash the image again before analysis
Documentation Requirements
- Source media details (make, model, serial, capacity)
- Destination media details
- Write-blocker used (make, model, serial)
- Imaging software and version
- Start and end timestamps
- All hash values (source and image)
- Any errors or anomalies encountered
- Name of examiner performing imaging
Best Practices Summary
Always Use Write-Blockers
Hardware write-blockers are preferred. Test before use and document in your notes.
Use Multiple Hashes
Always calculate both MD5 and SHA-256. Document both in your report.
Create Multiple Copies
Make at least two forensic copies - one for analysis, one as backup.
Document Everything
Record all steps, tools, times, and results. Your notes may be examined in court.
Practical Exercise 3.1
Hash Verification Practice
Task: Use the Hash Calculator tool provided in the course to practice hash verification.
- Create a simple text file with some content
- Calculate the MD5 and SHA-256 hashes of the file
- Make a copy of the file
- Verify the copy has the same hash values
- Modify a single character in the copy
- Recalculate hashes and observe the difference
Tool Link: Hash Calculator Tool
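Practical Exercise 3.1 carried out in code, as an added example that is not the course's Hash Calculator tool: it creates a file, hashes it with MD5 and SHA-256, copies it, confirms the copy hashes identically, changes one character in the copy and re-hashes. It also measures the avalanche effect from the Hash Demonstration section by counting how many bits of each digest change. The file names and the content "Hello World!" are constructed for the demonstration; any short text would do.

```python
# Added example, not the course's Hash Calculator tool: Practical Exercise 3.1
# in code, plus a measurement of the avalanche effect. The file names and the
# content ("Hello World!") are constructed for the demonstration.
import hashlib
import os
import shutil
import tempfile


def file_hashes(path):
    """MD5 and SHA-256 of a file as hex strings, computed in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def differing_bits(hex_a, hex_b):
    """Number of bit positions at which two equal-length hex digests differ."""
    assert len(hex_a) == len(hex_b)
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def run_exercise(content="Hello World!"):
    """Steps 1-6 of the exercise. Returns a dict summarising what was observed."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "evidence.txt")
    copy = os.path.join(work, "evidence_copy.txt")
    with open(original, "w", encoding="utf-8") as f:   # 1. create a text file
        f.write(content)
    before = file_hashes(original)                      # 2. hash it
    shutil.copyfile(original, copy)                     # 3. copy it
    copy_matches = file_hashes(copy) == before          # 4. copy must hash identically
    with open(copy, "w", encoding="utf-8") as f:        # 5. change one character
        f.write(content[:-1] + "?")
    after = file_hashes(copy)                           # 6. re-hash the copy
    return {
        "original": before,
        "modified": after,
        "copy_matches": copy_matches,
        "modified_differs": after != before,
        "md5_bits_changed": differing_bits(before["md5"], after["md5"]),
        "sha256_bits_changed": differing_bits(before["sha256"], after["sha256"]),
    }


if __name__ == "__main__":
    r = run_exercise()
    for name in ("md5", "sha256"):
        print(f"{name} original: {r['original'][name]}")
        print(f"{name} modified: {r['modified'][name]}  ({r[name + '_bits_changed']} bits differ)")
    print("copy identical:", r["copy_matches"], "| modified differs:", r["modified_differs"])
```

For a good hash the bit count reported by `differing_bits` sits near half the digest length (about 64 of 128 bits for MD5, about 128 of 256 for SHA-256) no matter how small the change to the input; that is the avalanche effect, and it is why a digest comparison is a reliable integrity check.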
🎯 Key Takeaways
- Write-blockers prevent any modification to original evidence during examination
- Forensic imaging creates exact bit-for-bit copies including deleted data and slack space
- Always use both MD5 and SHA-256 hashes for evidence integrity verification
- Hash values must match before and after imaging to prove integrity
- Documentation of the entire preservation process is essential for court admissibility