Transcript
Rick Howard (0:02)
You're listening to the CyberWire Network, powered by N2K.
Nyla Genoi (0:14)
The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
Rick Howard (0:51)
The word is dead-box forensics, spelled dead-box for a disconnected, read-only device and forensics for investigation. Definition: a forensic technique where practitioners capture an entire image of a system and analyze the contents offline. Example sentence: Forensic investigators conduct search and seizure operations that involve pulling the power on a suspect's machine and performing dead-box forensics to inspect the contents of the disk and identify artifacts of interest, origin, and context. According to Mark Pollitt in his paper "A History of Digital Forensics," published in 2010, computer forensics probably emerged in the late 1970s as the American Internal Revenue Service, or IRS, and the Federal Bureau of Investigation, or FBI, started to dip their toes in finding evidence on computers. But by the mid-1980s, the personal computer market and the fledgling Internet began to grow exponentially. Law enforcement personnel from around the world started to realize that these new home computers would be a treasure trove of digital evidence in the future. One of the forensic principles that emerged early was the thought of preserving digital evidence so that it could be used in a court of law. In the paper "Live versus Dead Computer Forensic Image Acquisition," Bahesh Kohli and Purnima Acharao said that, in order to create a forensic image of an entire disk, "best practice dictates that the imaging process should not alter any data on the disk and that all data, metadata and unallocated space should be included," end quote. Forensic investigators accomplish this by powering down the system and removing the hard drives in order to connect them to a forensic workstation that has a write-blocker capability. Write blockers prevent any data from being written to the disk. Removing a disk from a running system prevents any further changes due to normal system operations or process and user interactions.
Using a write blocker during evidence acquisition preserves the integrity of the data and metadata on the system. The community refers to this process as dead imaging. Nerd reference: On the Investigation Discovery YouTube channel in 2009, Chuck Pruitt, a digital forensic specialist, discussed the early history of his job.
Chuck Pruitt (3:42)
Digital evidence recovery is the new DNA. People think they deleted it and it's gone, and it's not. No one ever thought to analyze computers until the last decade or so. We physically remove the hard drive. Our software will allow us to pull up that deleted information, and then we sit down and have to go through it file by file. There's just all kinds of information. People just don't think about what they're doing when they're using a computer. You learn a lot about a person: who they email, financial information, their love life, you name it, it's there. I don't know if you need to get into the mindset, but I think you develop an idea of what they're like by seeing what's on their computer. And boom, you got them, just like that. I just work the case and find the necessary information, and it all comes together in the big picture to put the people away. We know what we're doing is the right thing, and we know that in the end, the victim's glad we did it.