Forensic duplicate

from Wikipedia, the free encyclopedia
(Image caption: Backing up a hard disk using a write blocker)

In IT forensics, a forensic duplicate (also called a forensic image) is a 1:1 bit-by-bit copy of a digital data carrier. Unlike a file-level copy, it also captures unallocated space, file slack and deleted but not yet overwritten data. Special hardware and software are used to ensure that the duplicate is an identical copy of the original, and the identity is demonstrated with cryptographic hash values. All investigative work should be carried out only on this duplicate (or on further copies of it), never on the original data carrier.

On Unix systems, and thus also on many forensic live CDs (see Knoppix STD or Kali), the programs dd or ddrescue are used for this purpose. Plain dd aborts on the first read error unless it is told otherwise (conv=noerror,sync), whereas ddrescue is designed for damaged media: it does not abort on read errors, retries unreadable areas and records them in a map file. When choosing a tool, it is crucial that there are no doubts about its reliability and integrity, since the result has to hold up to scrutiny later. Only the address space that the disk actually exposes can be copied this way. Sectors that the drive's firmware has silently remapped to spare areas after read errors, as well as areas hidden by the firmware (such as a Host Protected Area or Device Configuration Overlay), are not reachable with these programs. Reading them requires modified drive firmware or a direct read-out of the platters with special equipment.

So-called "write blockers" are used to prevent accidental changes to the data carrier being duplicated. A write blocker is connected between the data carrier and the computer system that creates the duplicate. It passes read commands through to the data carrier and filters out write commands. Write blockers exist for many hard disk and data carrier interfaces, for example SATA, IDE, SCSI and USB. Hardware write blockers are preferred over purely software-based measures (such as marking the device read-only in the operating system with blockdev --setro on Linux), because an operating system that automatically mounts a file system, replays a journal or updates access timestamps would otherwise alter the original before the copy is even made.

If information obtained from a forensic duplicate is to be used in court, the acquisition process must be traceable and verifiable. Every further duplicate of the original must be shown to be identical to the first. Cryptographic hash values are used for this: a hash (today typically SHA-256; MD5 and SHA-1 are still found in older tools and reports) is computed over the original data carrier at the time of acquisition and over each duplicate. Matching values demonstrate that the copies are identical, and the values, together with tool, time and operator, are recorded in the acquisition log so that the check can be repeated by others. If the original contains unreadable sectors, the hash of the (zero-padded) duplicate will necessarily differ from a hash of the original; in that case the tool's error log or map file documents which sectors could not be read.
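The procedure described above (imaging with dd while continuing past read errors, then verifying the duplicate and any later copies by hash), as an added example that is not part of the original article. It is written in POSIX shell for a Linux or BSD system with dd and sha256sum or shasum available. The paths and log format are this example's own assumptions; in practice the source would be a block device such as /dev/sdX attached through a write blocker.

```shell
#!/bin/sh
# Added example (not from the article): acquire a bit-for-bit image with dd,
# continuing past unreadable sectors, then verify it with SHA-256 hashes and
# keep a small acquisition log. SOURCE/IMAGE/LOG paths are placeholders; in a
# real acquisition SOURCE is a block device behind a hardware write blocker.

# sha256 hex digest of a file; uses sha256sum (coreutils) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE sector by sector. conv=noerror makes dd continue
# after a read error instead of aborting; conv=sync pads the failed block
# with zeros so all later data keeps its original offset (ddrescue does this
# more carefully, with retries and a map file, but is not always installed).
# dd's own summary (records in/out) goes to the log as part of the record.
acquire_image() {
    src=$1; img=$2; log=$3
    printf 'source=%s\nimage=%s\nstart=%s\n' "$src" "$img" "$(date -u +%FT%TZ)" >"$log"
    src_hash=$(sha256_of "$src")            # hash of the original, read-only
    printf 'sha256_source=%s\n' "$src_hash" >>"$log"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    img_hash=$(sha256_of "$img")
    printf 'sha256_image=%s\nend=%s\n' "$img_hash" "$(date -u +%FT%TZ)" >>"$log"
    # Non-zero exit means the image does not match the original, which is
    # exactly what happens when unreadable sectors had to be zero-filled.
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hash an image (or any further copy of it) later and compare against the
# source hash recorded at acquisition time.
verify_image() {
    img=$1; log=$2
    recorded=$(sed -n 's/^sha256_source=//p' "$log")
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}
```

A real acquisition would additionally record the drive's serial number and the write blocker used, and would prefer ddrescue with a map file for media that actually return read errors, since the map file is what documents which sectors were substituted with zeros.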

References

  1. "IT Forensics" guide, Version 1.0.1, p. 26. Federal Office for Information Security (BSI), March 1, 2011, accessed on March 24, 2019.
  2. Schmid, Viola: XXXV: On the "Evidence of information technology expertise", p. 30. December 7, 2012, accessed on April 10, 2019.
  3. Kessler, G. C., & Carlton, G. H.: A Study of Forensic Imaging in the Absence of Write-Blockers. In: Journal of Digital Forensics, Security and Law, Vol. 9, No. 3, 2014, pp. 51–58.
  4. Forensic Use of Hash Values and Associated Hash Algorithms. Netherlands Forensic Institute, January 2018, accessed on April 10, 2019.