As an Expert Witness, you depose in front of the court and justify your analysis carried out at your digital forensics Laboratory. Your testimony is taken as the gospel truth and the court comes to some conclusion either in favour or against the accused. Whatever you say in the court has to be technically right and there should be no ambiguity about it.
The commonly used phrase is that the digital forensic analysis was carried out in a ‘Sound Forensic manner and Using the Best Practices in Digital Forensics’. Many times, things are wrongly stated by the Forensic Analyst deposing as an Expert Witness.
How many have made this mistake? Well, let me own up: initially, I too made such mistakes. In the ‘Digital Forensics Hidden Truths’ Series, I will put forth such mistakes that most forensic analysts make. Today let’s speak about a basic concept, ‘Imaging’, and the hidden truth behind it.
In front of the court, imaging is defined as a bit-by-bit image of the original media (HDD, Flash Drive, etc.). It is supposed to contain everything that is on the original media, with nothing left out. What is the actual truth? Let’s demystify.
The truth is that during imaging we get an image of the ‘user addressable’ area and not of the whole media (HDD, Flash drive, etc.). There are a few areas on the drive that are less accessible to forensic tools. Have you heard of these?
Service/System Area – Service Area is also known as System Area. It is used to store manufacturer data such as Servo information, firmware, and the drive defects tables. The drive “SMART” (Self-Monitoring, Analysis and Reporting Technology) data is also stored in the Service Area.
Servo Information – It is written to the disk by the manufacturer during the initial structural layout of the platter’s geometry. It basically consists of markers that contain information used by the hard drive to control spindle rotation and head and actuator arm movement.
Host Protected Area (HPA) – Files to perform a factory reset, diagnostic programs, or other utilities are in the HPA. Malicious programs may hide inside the HPA to avoid detection.
Firmware – Firmware code is found in the ROM of the PCB and allows the drive to boot up. It tells the computer about the physical and logical layout of space on the drive and where to find the translation data on the disk.
Device Configuration Overlay (DCO) – Manufacturers use the Device Configuration Overlay (DCO) when they wish to have a series of hard drives of varying capacities (possibly because they are from different vendors) that all exhibit the exact same storage volume from the perspective of the OS.
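Because a standard acquisition stops at the current (user addressable) max address, the practical check before imaging is to compare that address with the drive’s native max address and confirm the image actually covers the larger of the two. The script below is an added example, not from the original post: it parses the ‘max sectors’ line printed by `hdparm -N` (the exact wording is assumed from common hdparm versions) to report an HPA and to verify an image size against the native sector count; a DCO is not visible through `hdparm -N` and needs `hdparm --dco-identify`, which this example does not parse.

```python
import re

# Pattern for the "max sectors" line of `hdparm -N`; assumed format, e.g.
#   " max sectors   = 976771120/976773168, HPA is enabled"
# current = user addressable max, native = the drive's real max address.
_HDPARM_N = re.compile(
    r"max sectors\s*=\s*(?P<current>\d+)/(?P<native>\d+),"
    r"\s*HPA is (?P<state>enabled|disabled)"
)


def parse_hdparm_n(output: str) -> dict:
    """Return current/native sector counts and the number of sectors an HPA hides."""
    m = _HDPARM_N.search(output)
    if not m:
        raise ValueError("no 'max sectors' line found in hdparm -N output")
    current = int(m.group("current"))
    native = int(m.group("native"))
    return {
        "current_sectors": current,
        "native_sectors": native,
        "hpa_enabled": m.group("state") == "enabled",
        "hidden_sectors": native - current,   # 0 when no HPA is set
    }


def image_covers_native_area(image_bytes: int, native_sectors: int,
                             sector_size: int = 512) -> bool:
    """True when the image file is at least as large as the native max address."""
    return image_bytes >= native_sectors * sector_size


# Constructed sample outputs (no real drive): the first hides 2048 sectors.
SAMPLE_WITH_HPA = "/dev/sdb:\n max sectors   = 976771120/976773168, HPA is enabled\n"
SAMPLE_NO_HPA = "/dev/sdb:\n max sectors   = 976773168/976773168, HPA is disabled\n"


def acquisition_note(hdparm_output: str, image_bytes: int) -> str:
    """One-line statement suitable for the acquisition log."""
    info = parse_hdparm_n(hdparm_output)
    if not info["hpa_enabled"]:
        return "no HPA reported; image covers the full user addressable area"
    if image_covers_native_area(image_bytes, info["native_sectors"]):
        return f"HPA of {info['hidden_sectors']} sectors present; image includes it"
    return f"HPA of {info['hidden_sectors']} sectors present; image does NOT include it"


if __name__ == "__main__":
    print(acquisition_note(SAMPLE_WITH_HPA, 976771120 * 512))
    print(acquisition_note(SAMPLE_NO_HPA, 976773168 * 512))
```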