WORM and hashing

Two interesting and IMO partly related postings were made in the past few days: Sandisk issued a press release about their new write-once-read-many (WORM) storage card, and Jesse Kornblum wrote a blog post about updates and new features for his hashing tools.

To be honest, I am more thrilled by Jesse’s updates to his tools. The option to use multiple hash algorithms simultaneously is a nice one (we already used multiple algorithms on our evidence files; this saves the time of running multiple programs ;) ). But the option of auditing hash sets looks even more promising, as it allows you to automatically compare the hashes of sets of files to a list saved in a file. Every difference (like a changed hash, but also an added or deleted file) will be noted.
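To make the auditing idea concrete, here is an added example that is not Jesse Kornblum's code and does not use md5deep's file format: it hashes every file under a directory with several algorithms in one pass, saves the result to a list stored elsewhere, and later reports each file as matched, changed, added or deleted. The list format (one line per file, digests first, relative path last) and the sample files are my own constructions.

```python
"""Audit a directory tree against a saved hash list (added example).

Mirrors the idea of an audit mode: hash with several algorithms at once,
save the list, and later report every changed, added or deleted file.
Hypothetical helper code; the list format below is our own, not md5deep's.
"""
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha256")  # assumption: any names hashlib.new() accepts


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest}, reading the file only once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_tree(root, algorithms=ALGORITHMS):
    """Return {relative_path: {algorithm: hexdigest}} for every file under root."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        result[path.relative_to(root).as_posix()] = hash_file(path, algorithms)
    return result


def save_hash_list(hashes, list_path, algorithms=ALGORITHMS):
    """Write a header naming the algorithms, then one line per file:
    <digest1>,<digest2>,...,<relative path>  (constructed format)."""
    with open(list_path, "w", encoding="utf-8") as fh:
        fh.write("# " + ",".join(algorithms) + "\n")
        for rel, digests in sorted(hashes.items()):
            fh.write(",".join(digests[a] for a in algorithms) + "," + rel + "\n")


def load_hash_list(list_path):
    """Read the list back; returns (algorithms, {relative_path: {algorithm: hexdigest}})."""
    with open(list_path, encoding="utf-8") as fh:
        header = fh.readline().strip()
        algorithms = tuple(header.lstrip("# ").split(","))
        hashes = {}
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            # Split only len(algorithms) times so a path containing commas survives.
            parts = line.split(",", len(algorithms))
            hashes[parts[-1]] = dict(zip(algorithms, parts[:-1]))
    return algorithms, hashes


def audit(root, list_path):
    """Compare the current tree with the saved list.

    Returns sorted lists under 'matched', 'changed', 'added' and 'deleted'.
    A file counts as changed if any single algorithm disagrees.
    """
    algorithms, expected = load_hash_list(list_path)
    actual = hash_tree(root, algorithms)
    report = {"matched": [], "changed": [], "added": [], "deleted": []}
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            report["deleted"].append(rel)
        elif rel not in expected:
            report["added"].append(rel)
        elif expected[rel] != actual[rel]:
            report["changed"].append(rel)
        else:
            report["matched"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline two files, then alter one, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        evidence.mkdir()
        (evidence / "a.txt").write_bytes(b"original a\n")
        (evidence / "b.txt").write_bytes(b"original b\n")
        # Keep the hash list away from the evidence tree it describes.
        list_path = Path(tmp) / "known_hashes.txt"
        save_hash_list(hash_tree(evidence), list_path)

        (evidence / "a.txt").write_bytes(b"altered a\n")   # changed
        (evidence / "b.txt").unlink()                        # deleted
        (evidence / "c.txt").write_bytes(b"new c\n")         # added
        return audit(evidence, list_path)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The point of keeping the list on a different location than the files is exactly the control-document principle discussed below: the list is what you compare against, so it must not share the fate of the evidence it describes.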

The Sandisk card has the feature that you can only write data to it once; or, as Sandisk states: the data is locked as soon as you write it to the card.

I am not really sure if they really position this card to be used in forensics (a lot of blogs are mentioning this, but forensics is not mentioned in Sandisk's own examples); it's also not something that I consider very useful in forensics. Even if we forget that it is currently only available in a size of 128 MB, I think there are better ways to store your evidence properly: technical measures such as hashing, certainly, but also general forensic principles like keeping proper chain-of-custody documentation. There are lots of ways (most of which at some point consist of keeping some sort of control document or hash value in another location than the evidence) to keep good control over what is happening with evidence files, and which also allow other parties to verify what has been done.

Using WORM media to store these files does not add much in my opinion; in fact I would even say that it might give a false sense of control. “Let’s copy these files to our Sandisk WORM card to save them for investigation”. Without proper documentation, there are only two things you can then be sure of:

The evidence cannot be changed and is safe for 100 years (according to Sandisk) ;)
You cannot use it in your investigation

Let’s clarify the last point a bit more: if you store some files on this WORM card, you only know that the data was not changed since the moment it was secured. However, when this data was secured, what the source was, whether the copied data is identical to the original data, and so on… you don’t know.

So let’s not get distracted by these nice gadgets but focus on using the right tools in the right way. A hardware device like this card might be a useful tool in some circumstances, but please don’t forget the basics of proper evidence handling. And of course, a tool like Jesse Kornblum’s md5deep is also just a tool, but definitely one that is a lot closer to the basics than this (probably expensive) hardware solution.