This simulation tests your knowledge of the digital forensics preservation phase. You will learn to identify the exact hardware requirements for safely acquiring a bit-stream image without compromising original evidence integrity.
CHFI (312-49) Digital Forensics Simulation
Investigation Scenario
You are a digital forensics investigator assigned to a lab in Austin, Texas. Law enforcement has seized a suspect's desktop computer connected to an intellectual property theft case. The primary storage media has been extracted from the suspect's computer tower.
Your immediate task is to perform a physical acquisition (bit-stream image) of the storage media to an external sterilized destination drive, creating an EnCase evidence file (E01) for subsequent analysis. The integrity of the original media must be strictly maintained for legal admissibility.
Evidence Collected
[+] DESCRIPTION: Western Digital 1TB SATA Hard Disk Drive (WD10EZEX)
[+] STATE: Original Evidence Media (OEM)
[+] ACTION REQUIRED: Perform bit-stream acquisition to lab server.
[+] HASH REQUIREMENT: Pre-imaging MD5/SHA-256 verification mandatory.
[+] SYSTEM ENVIRONMENT: Windows 11 Forensics Workstation running FTK Imager.
Question
Expert Analysis
1. What the Evidence Shows
The scenario involves an original, unmodified Western Digital SATA hard drive (OEM). The lab requirements dictate the extraction of a bit-stream image. The critical constraint is the prevention of any data alteration during the physical connection to the investigator's Windows-based forensic workstation.
2. Forensic Stage
Preservation and Collection: specifically the data acquisition phase, in which the storage media is imaged bit for bit into a forensic container (E01 or a raw/dd image) while the chain of custody is documented. Volatile data (RAM, running processes) is a separate live-acquisition concern; here the only source is a powered-down hard drive, so the task is a static, non-volatile acquisition.
3. Why the Correct Answer is Correct (A)
A write-blocker is a device placed between the suspect drive and the forensic workstation. Hardware write-blockers are standard lab practice; software write-blockers (for example a host policy that forces removable storage read-only) exist but depend on the operating system honouring the policy. The blocker forwards read commands from the host to the drive and refuses any command that would change the drive's contents, above all writes, so the host cannot modify the media regardless of what its file-system drivers attempt. Because not a single bit of the source can change, the hash computed over the source before imaging, the hash computed over the bytes as they are imaged, and the hash of the source re-read afterwards all agree; a post-imaging mismatch then points to a bad copy rather than an altered original.
4. Why Others are Wrong
- B. Hardware duplicator: While forensic hardware duplicators (e.g., Logicube Falcon) incorporate write-blocking technology, they are standalone devices used to clone drive-to-drive directly, not typically used just to "connect the hard drive to the forensic workstation."
- C. USB hub: A standard USB hub merely extends I/O ports and offers no protection against write commands from the host OS. Windows auto-mounts any file system it recognises and may write to it immediately (metadata and timestamp updates), so connecting the evidence drive through a hub alone would alter the original.
- D. External drive enclosure: Like a USB hub, a standard enclosure provides connectivity (SATA to USB) but lacks any filtering of write commands, compromising the evidence integrity.
5. Real-World Forensic Action
The investigator will document the drive's make, model and serial number, attach it to a SATA hardware write-blocker (e.g., Tableau T35u), power on the blocker, verify that the read-only indicator is active, connect the blocker via USB 3/Type-C to the forensics workstation, and use a tool like FTK Imager to acquire the physical drive (PhysicalDriveX) into an E01 container. FTK Imager hashes the data stream during acquisition and can re-read the finished image to verify it; both hashes are recorded on the chain-of-custody form alongside the pre-imaging hash required by the scenario.
MINI LESSON: Evidence Handling & Cryptographic Hashes
In digital forensics, "unaltered" is defined mathematically. When a drive is seized, investigators calculate its MD5 or SHA-256 hash (MD5 alone is no longer collision resistant, so modern practice records SHA-256, often alongside MD5 for compatibility with older tooling). If an investigator connects a drive without a write-blocker, the OS may silently write to it (e.g., updating Master File Table attributes or access timestamps). Altering even a single bit of a 1 TB drive yields a completely different digest. In court, opposing counsel will compare the hash recorded at seizure with the hash the lab produced; if they do not match, the integrity of the evidence is open to challenge and it may be excluded.
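The following Python example is added here to make the hashing workflow from the "Real-World Forensic Action" step and this mini lesson concrete; it is not code from the original page, from FTK Imager or from any forensic tool. It assumes a raw (dd-style) image rather than E01, because a raw image is byte-for-byte identical to the source and can be compared directly (an E01 container stores the data compressed and keeps the hashes in its own headers, so the comparison there is done by the imaging tool). The 4 MiB "suspect drive" is a constructed file in a temporary directory; the same `hash_stream` function reads a real device node (`/dev/sdb`, `\\.\PhysicalDrive1`) opened read-only, issuing only the read commands a write-blocker permits. The helper names (`acquire_raw`, `verify_acquisition`, `flip_one_bit`, `demo`) are this example's own.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads: a 1 TB device is never loaded into RAM


def hash_stream(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} after one sequential pass over `path`.

    `path` may be a regular file (a raw/dd image) or a raw device node opened
    read-only (e.g. /dev/sdb on Linux, \\\\.\\PhysicalDrive1 on Windows).
    Only reads are issued, which is all a write-blocker lets through.
    """
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def acquire_raw(source_path, image_path):
    """Bit-stream copy of `source_path` into a raw (dd-style) image.

    The digests are computed from the very same bytes that are written to
    the image, so the result is the 'acquisition hash' of the source.
    """
    hashers = {alg: hashlib.new(alg) for alg in ("md5", "sha256")}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_acquisition(source_path, image_path, acquisition_hashes):
    """Three-way check: the source re-read after imaging, the image on disk
    and the hash captured during acquisition must all agree.

    Source != acquisition hash means something wrote to the evidence;
    image != acquisition hash means the copy itself is bad.
    """
    source_now = hash_stream(source_path)
    image_now = hash_stream(image_path)
    return {
        alg: source_now[alg] == acquisition_hashes[alg] == image_now[alg]
        for alg in acquisition_hashes
    }


def flip_one_bit(path, byte_offset, bit_index):
    """Simulate the silent modification an unblocked OS can make (a
    timestamp update, say) by flipping a single bit in place."""
    with open(path, "r+b") as fh:
        fh.seek(byte_offset)
        byte = fh.read(1)[0]
        fh.seek(byte_offset)
        fh.write(bytes([byte ^ (1 << bit_index)]))


def demo():
    """Run the whole workflow on a constructed 4 MiB 'drive' in a temp dir."""
    workdir = tempfile.mkdtemp(prefix="chfi_demo_")
    evidence = os.path.join(workdir, "suspect_drive.bin")  # constructed sample
    image = os.path.join(workdir, "suspect_drive.dd")

    # Deterministic pseudo-random content so every run is reproducible.
    rng = hashlib.sha256(b"chfi-demo-seed")
    with open(evidence, "wb") as fh:
        for i in range(4 * 1024):                 # 4 MiB in 1 KiB pieces
            rng.update(i.to_bytes(4, "little"))
            fh.write(rng.digest() * 32)           # 32 B digest * 32 = 1 KiB

    pre = hash_stream(evidence)                   # pre-imaging hash of source
    acq = acquire_raw(evidence, image)            # hash taken while imaging
    ok_before = verify_acquisition(evidence, image, acq)

    # Now pretend the drive was touched without a write-blocker: one bit.
    flip_one_bit(evidence, byte_offset=3_000_000, bit_index=0)
    post_tamper = hash_stream(evidence)
    ok_after = verify_acquisition(evidence, image, acq)

    shutil.rmtree(workdir)
    return {
        "pre_equals_acquisition": pre == acq,
        "verified_before_tamper": all(ok_before.values()),
        "verified_after_tamper": all(ok_after.values()),
        "sha256_changed_by_one_bit": pre["sha256"] != post_tamper["sha256"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script it prints four booleans: the pre-imaging hash equals the acquisition hash, the three-way verification passes, then after a single flipped bit the verification fails and the SHA-256 is different. The three-way comparison is the point: keeping the acquisition hash separately from the two re-reads lets you tell an altered original apart from a corrupted copy, which is exactly the distinction opposing counsel will ask about.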