Jump to content

Forensic disk controller

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Reswobslc (talk | contribs) at 19:29, 18 April 2008 (Create stub). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

A forensic disk controller is a specialized type of computer hard disk controller made for the purpose of gaining read-only access to computer hard drives without the risk of damaging the drive's contents. The device is named forensic because its most common application is for use in investigations where a computer hard drive may contain evidence. Such a controller historically has been made in the form of a dongle that fits between a computer and an IDE or SCSI hard drive, but with the advent of USB and SATA, forensic disk controllers supporting these newer technologies have become widespread.

Using hardware to protect the hard drive from writes is very important for several reasons. First, many operating systems, including Windows, may write to any hard disk that is connected to the system. At the very least, Windows will update the access time for any file accessed, and may write things to the disk unexpectedly - such as creating hidden folders for the recycle bin or saved hardware configuration. Virus infections or malware on the system used for analysis may attempt to infect the disk being inspected. Additionally, the NTFS file system may attempt to commit or roll back unfinished transactions, and/or change flags on the volume to mark it as "in use". At the worst, undesired files may allocate and overwrite deleted space on the hard disk which may potentially destroy evidence in the form of previously deleted files.

Protecting an evidence drive from writes during investigation is also important to counter potential allegations that the contents of the drive were altered during the investigation. Of course, this can be alleged anyway, but in the absence of technology to protect a drive from writes, there is no way for such an allegation to be refuted.

How it works

All forensic disk controllers work by capturing commands from the host operating system requesting the drive to write sectors, and preventing them from reaching the drive. When the host bus architecture supports it, the forensic disk controller reports to the host operating system that the drive is read-only.

A forensic disk controller works in one of two ways. The disk controller can either deny all writes to the disk and report them as failures, or use onboard memory to cache the writes for the duration of the session.

A disk controller that denies all writes will likely not be tolerated by an operating system that assumes that all hard disks can be written to.

A disk controller that caches writes in memory presents the appearance to the operating system that the drive is writable, and uses the memory to ensure that the operating system sees changes to the individual disk sectors it attempted to overwrite. This method is transparent to and compatible with all operating systems, and ensures that when the device is powered off, the disk remains unchanged and in its original state.

This article is a stub. You can help Wikipedia by expanding it.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Forensic_disk_controller&oldid=206551273"