Word Notes 8.24.21
Ep 64 | 8.24.21

dead-box forensics (noun)

Transcript

Rick Howard: The word is: dead-box forensics. 


Rick Howard: Spelled: dead-box for a disconnected, read-only device, and forensics for investigation.


Rick Howard: Definition: A forensic technique where practitioners capture an entire image of a system and analyze the content offline.


Rick Howard: Example sentence: Forensic investigators conduct search and seizure operations that involve pulling the power on the suspect's machine and performing dead-box forensics to inspect the contents of the disk and identify artifacts of interest.


Rick Howard: Origin and context: According to Mark Pollitt in his paper, "A History of Digital Forensics," published in 2010, computer forensics probably emerged in the late 1970s, as the American Internal Revenue Service, or IRS, and the Federal Bureau of Investigation, or FBI, started to dip their toes into finding evidence on computers. But by the mid-1980s, the personal computer market and the fledgling internet began to grow exponentially. Law enforcement personnel from around the world started to realize that these new home computers would be a treasure trove of digital evidence in the future. One of the forensic principles that emerged early was the thought of preserving digital evidence so that it could be used in a court of law.


Rick Howard: In the paper "Live vs. Dead Computer Forensic Image Acquisition," Mahesh Kolhe and Purnima Ahirao said that "in order to create a forensic image of an entire disk best practice dictates that the imaging process should not alter any data on the disk and that all data, metadata, and unallocated space should be included." Forensic investigators accomplish this by powering down the system and removing the hard drives in order to connect them to a forensic workstation that has a write-blocker capability. Write-blockers prevent any data from being written to the disk. Removing a disk from a running system prevents any further changes due to normal system operations or process and user interactions. Using a write-blocker during evidence acquisition preserves the integrity of the data and metadata on the system. The community refers to this process as dead imaging.


Rick Howard: Nerd reference: On the Investigation Discovery YouTube channel in 2009, Chuck Pruitt, a digital forensic specialist, discussed the early history of his job.


Chuck Pruitt: Digital evidence recovery is the new DNA. People think they deleted it, it's gone, and it's not.


Chuck Pruitt: No one ever thought to analyze computers until the last decade or so. We physically remove the hard drive. Our software will allow us to pull up that deleted information, and then we actually sit down and have to go through it, file by file. 


Chuck Pruitt: There's just all kinds of information. People just don't think about what they're doing when they're using a computer. You learn a lot about a person: who they email, financial information, their love life, you name it. It's there. I don't know if you need to get into the mindset, but I think you develop an idea of what they're like by seeing what's on their computer, and boom, you got them. Just like that.


Chuck Pruitt: I just work the case and find the necessary information. And then it all comes together in the big picture to put the people away. We know we're doing the right thing and we know that in the end, the victim's glad we did it. 


Rick Howard: Word Notes is written by Nyla Gennaoui. Executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original score have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.