All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 4 posts ] 
Author Message
 Post subject: Cloning Software Legal Forensics Question
PostPosted: July 22nd, 2019, 18:37 
Offline

Joined: January 29th, 2012, 1:43
Posts: 625
Location: United States
As the author of HDDSuperClone, my software has been mentioned for forensic cloning/imaging. It has even been asked that I add checksum capability, which I have no intention of doing. So what are the laws for forensic cloning software, most specifically in the USA, but also other countries? If someone knows what they are doing (knows how to zero the destination drive, and proficiently use cloning software), can they use my software to clone or image a drive without it being a legal issue in court? I will never support my software for forensic use, but I can’t say it couldn’t be used with the right knowledge. I would just like to know how I should answer to questions regarding using it for forensic cloning.

_________________
http://www.sdcomputingservice.com
Home of HDDSuperClone and HDDSuperTool


Top
 Profile  
 
 Post subject: Re: Cloning Software Legal Forensics Question
PostPosted: July 22nd, 2019, 19:20 
Offline
User avatar

Joined: February 9th, 2009, 16:13
Posts: 2215
Location: Ontario, Canada
As far as I know, the checksum can be calculated after the image is complete using various open source apps. The key for the forensic side of things is to ensure that there is absolutely no way of writing the source drive. Personally, I'd never trust a software solution without some sort of hardware write blocker.

_________________
Luke
RAID Data Recovery


Top
 Profile  
 
 Post subject: Re: Cloning Software Legal Forensics Question
PostPosted: July 23rd, 2019, 4:28 
Offline

Joined: May 13th, 2019, 7:50
Posts: 12
Location: Nederland
"As far as I know, the checksum can be calculated after the image is complete using various open source apps"

Yes, it's more in the procedures and documenting a case I guess. Get hash for media that was taken into evidence or whatever you call that > clone it > get hash for clone > hash clone should match original media.

There is no way to ensure by any cloning software that some bright soul edited the original disk prior to creating the first hash. So, all the hash can prove is that media is unchanged since you imaged it. To do this the hashing does not have to be part of the cloning software per se.

If your software is closed source then leaving the hashing to some open source tool may even be a better idea, not?


Top
 Profile  
 
 Post subject: Re: Cloning Software Legal Forensics Question
PostPosted: August 1st, 2019, 17:25 
Offline

Joined: October 21st, 2009, 21:28
Posts: 11
Location: South Carolina, USA
I am not aware of any law that requires the hashes be built while the image is made. In the US, the courts have established accepted procedures that if followed and properly documented make the submission of computer forensic evidence easier.

Calculating the hash at the same time the image is created can save time and certainly reduces the number of time a drive need to be read.

There are tools that enable an image to be taken from a LIVE system. A hash is worthless in this situation to compare the image to the original drive. Hashes can be use to insure that the image hasn't been tampered with.

In the US courts detailed documentation and the qualification of the forensic analyst are usually more important than the specific software used. A good forensic analyst would test each software tool and document the results and submit them with the investigation results.

TonyC


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group