Timeline for Is there a need to image the hard drive when using a write blocker?
Current License: CC BY-SA 3.0
9 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Apr 3, 2018 at 17:51 | comment | added | dig | @Reyssor: I seem to recall that either the Snowden catalogue or the Equation Group's leak included tools to sneak malware into hard disk drives' firmware, so it probably exists in the wild. | |
| Oct 6, 2015 at 18:52 | comment | added | athena | Of course. There is one case which you can't protect yourself from anyway. This is the case of the disk which is evidence and on the verge of dying. Neither the write blocker nor the backup image will save it from its coming death. This probability is small. On the other hand, the probability of killing a disk by repeatedly reading Gbytes of log can't be neglected. | |
| Oct 6, 2015 at 16:32 | comment | added | try-catch-finally | Doesn't the case that such a hard drive may fail during the analysis, losing the "evidence", matter too? Further, in case of forensics on a criminal act, I can think of (local) laws or regulations that require one image to be taken and kept safe besides the one an engineer is operating with. | |
| Oct 6, 2015 at 8:22 | history | edited | SilverlightFox | CC BY-SA 3.0 | deleted 1 character in body |
| Oct 6, 2015 at 7:09 | history | edited | athena | CC BY-SA 3.0 | remind the possibility of logical error |
| Oct 6, 2015 at 7:07 | comment | added | athena | Absolutely right. The displacement of a bad block may occur due to physical damage, but also due to a transient logical error diagnosed (too many retries) by the disk controller, which was overloaded on another internal task. | |
| Oct 5, 2015 at 15:54 | comment | added | Reyssor | Even without physical damage, it seems possible to have a lying hard drive (but I don't know if such things really exist in the wild). | |
| Oct 4, 2015 at 21:51 | vote | accept | Othman | ||
| Oct 4, 2015 at 19:33 | history | answered | athena | CC BY-SA 3.0 |