Edited 01 Jan 08 to make the ENFSI document link work, but I'm sure everyone could work out the problem anyway!My first ever blog post so I might aswell dive straight in!
The verification and validation of tools should be one of the most important routine aspects of computer forensics as it is for the other forensic sciences but whenever I see it mentioned there's usually somewhere, a shrug of the shoulders, a half hearted attempt to convince someone (including themselves) that they do it sufficiently and regularly and a fall back position of having to balance efficiency against the (unrealistic) requirements of academics (or am I being too cynical?).
For hardware or software with limited functions, such as write blockers, there really is no excuse. Prior to purchase, as with other critical purchases checks should be made to ensure that it is fit for purpose. ENFSI have a best practice
document that specifically addresses Commercial Off The Shelf hardware and requires the lab to get a maintenance agreement and some kind of assurance that the manufacturer will provide statements, certificates or other proof that it's fit for purpose should it be questioned in court.
The forensicfocus
blog talks about some methodologies for testing write blockers including the all singing and dancing NIST tests and the more feasible 'Helix test'. The NIST testing is excellent in its detail but you wouldn't be buying much kit if you limited it to those already tested. Maybe, if there were an international standard for these and organisations applied more commercial pressure to the manufacturers such as described by ENFSI, we could see these critical tools tested sooner.
Once purchased though, they need to be maintained and checked regularly, just as other critical items are. I mean, we get our fire extinguishers checked, why not our write blockers?
Tableau, who's products I use regularly, fairly recently released a
critical firmware update which just goes to show that 'hardware' does not 'mean purchase and forget'.
As I see it, the only times a hardware write blocker needs to be checked is before first use and after any firmware upgrades. With software write blockers, where the risk of mis-configuring it is greater a limited (Helix methodology) test ought to be done every time, unless you can verify a setup script. In that case you'd just need to show that the script followed (electronic or even manual checklist?) was identical to that that was validated.
