WK 2 Tools Validation
School: SUNY Buffalo State College
Course: COMPUTER F
Subject: Information Systems
Date: Dec 6, 2023
DIGITAL FORENSIC SCIENCE (DFS-501-85A)
WEEK 2: Tools Validation
CLIFFORD KWAME ATTAGLO
AKETTE COWART
NOVEMBER 7, 2023
Week 2: Tools Validation
Reviewer: Clifford Attaglo
Description:
This test is designed to test the validity of Safe Block as a write blocker on behalf of XYZ, Inc. This study was intended to test the capability of Safe Block software to function as a write-blocker, instead of purchasing a new hardware write-blocker. This would give XYZ Inc. a fair idea of whether to migrate to this software to cut down on expenditure or to continue procuring the usual hardware write-blocker. I used a Windows workstation and created my source evidence, labeling it X drive. It was formatted to NTFS. I created three files and copied them to the source evidence. I deleted one and used FTK Imager to acquire a disk image and save it to a folder. I then added another file to the source evidence and deleted another from it. I acquired another disk image using the same FTK Imager and saved it to a different folder I created on the desktop. I compared the MD5 and SHA1 values of the two disk images I acquired using FTK Imager, and they were two distinct values. Further changes were made to the source evidence by adding a file to it. I installed Safe Block, ran it and rebooted the workstation. I used FTK Imager once again to acquire a disk image and saved it to a different folder I created on the desktop for the image. I then tried to copy a file to the source evidence, delete a file from it, and format it, but all attempts were rejected. I took another physical disk image of the drive and saved it to a different folder. I then compared the MD5 and SHA1 values and all were the same.
Test Result:
From the test results, Safe Block was able to do its job functionally. This is because the first two images that were acquired with FTK Imager and saved to two distinct folders produced different MD5 and SHA1 values after I made some changes to it. When I acquired the final disk image through FTK Imager after I ran Safe Block and tried to manipulate the source evidence, I was not able to add to, delete from or format it; hence this result proves that Safe Block acted as a secure write-blocker and not a single change was made to the drive.
Configuration of Test Platform:
Workstation: DFS-501 VDI
Model: VMware Platform
OS Installed: Windows 10 Enterprise 2016 LTSB
Windows Updates: All updates complete.
Tool Being Tested:
Title: Safe Block
Manufacturer: ForensicSoft
Version: 1.0
Build: 1.0.0.109
Notes Regarding Test Data Set:
A trial version of Safe Block was used for the testing.
Hard Drive Configuration
VMware Virtual Disk SCSI Disk Device
Procedures:
1. Wipe the entirety of the disk being used with Eraser.
2. Assign a letter to the source drive.
3. Format the unallocated space partitioned to be used.
4. Copy three files to the source evidence drive and delete one.
5. Create an image using FTK Imager.
6. Save it to a folder on the desktop.
7. Add a file to the source evidence drive and delete one.
8. Repeat steps 5-6 and save to another folder on the desktop.
9. Compare the hash values.
10. Add a file(s) to the source drive.
11. Run the Safe Block and ensure that the source drive is locked as shown below.
12. Using FTK Imager, obtain a physical image of the source drive.
13. Try to add, delete or format the source drive after running the write blocker.
14. Using FTK Imager, obtain a physical image of the source drive and compare the hash values.
From the above screenshot, the hash values are the same after Safe Block was activated. This confirms that no changes were made to the source evidence drive when the write-blocker was activated.
Results:
Safe Block software functioned as expected and advertised. It was able to prevent files from being added or deleted and the source evidence from being formatted. The same hash values obtained, as shown above, were the expectation of my findings to validate the tool.
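The two hash comparisons in the procedure (steps 9 and 14) can be scripted as follows. This is an added example, not part of the original report; it assumes raw (dd) images, since hashing a container-format file would also cover its embedded metadata, and the file names and sample contents are constructed stand-ins.

```python
import hashlib
import os
import tempfile


def image_digests(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of an image file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def validate_write_blocker(unblocked_before, unblocked_after,
                           blocked_before, blocked_after):
    """Apply the report's two comparisons to four acquired images.

    Control: images taken around a change made WITHOUT the blocker must
    differ, which shows the hashes actually detect writes to the source.
    Test: images taken around write attempts WITH the blocker must match.
    """
    control_differs = image_digests(unblocked_before) != image_digests(unblocked_after)
    blocked_matches = image_digests(blocked_before) == image_digests(blocked_after)
    return {
        "control_detects_change": control_differs,
        "blocked_images_identical": blocked_matches,
        "blocker_validated": control_differs and blocked_matches,
    }


def make_sample_images(directory):
    """Write four small constructed stand-ins for the acquired images."""
    contents = {
        "image1.dd": b"fileA fileB",        # steps 4-6, no blocker
        "image2.dd": b"fileA fileD",        # steps 7-8, source changed
        "image3.dd": b"fileA fileD fileE",  # step 12, blocker active
        "image4.dd": b"fileA fileD fileE",  # step 14, after write attempts
    }
    paths = []
    for name, data in contents.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(validate_write_blocker(*make_sample_images(tmp)))
```

The control comparison matters as much as the blocked one: if the two unblocked images had matched, identical hashes after enabling the write-blocker would prove nothing.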
Cost-Benefit Analysis
My findings came out positive, which gave me confidence to recommend the Safe Block software as a trustworthy and reliable write-blocker solution for the company. The software is very easy to use and occupies only a little space on the drive. It is user friendly, with a GUI that allows users to block and unblock any disk or flash storage device detected by Windows. Devices are listed in a tree by type. It also provides automatic write blocking of every directly attached disk and flash media attached with any interface, such as IDE, SCSI, FC, SAS etc. The user can have SAFE Block remember an individual device's blocked or unblocked status for ease of use on media repeatedly used on a workstation/laptop. It has support for many devices and passes every NIST validation test. Safe Block is application independent and works with all forensic acquisition, triage and analysis applications that run on Windows forensic workstations. A product with such benefits does not come cheap, as the current price is $549 each. Although the product seems to be on the high side, compared to a hardware write-blocker, I do believe it is better than the hardware type XYZ has been using for a couple of years now. Even though the product is password protected, an unauthorized person who gains access can uninstall it due to its user-friendly interface. With all this said, I would therefore recommend that XYZ go ahead and purchase this product only if they have the means.