Preparing a stage drive

Beyond having the necessary hardware and software to perform the forensic imaging, it is critical to pre-stage a location to hold the image or evidence file. For incident response teams, the best option to utilize as an evidence repository is an external USB or FireWire disk drive. This allows for a degree of portability, as incident responders may have to investigate an incident offsite or at a variety of locations without the benefit of a forensics laboratory.

There are two tasks that need to be performed on evidence drives prior to their use. The first is to ensure that the repository is free of any data. Incident response teams should have a policy and procedure that dictates that an evidence drive be wiped prior to each use, including drives that are new in box, because a number of manufacturers ship drives with backup software or other data that needs to be removed prior to use. Wiping further ensures that previously utilized drives.

This is easily accomplished through a wiping program. There are a number of programs both free and commercial that can be utilized. For example, the program Eraser by Heidi Computers is a freeware wiping utility that can be utilized for both file and volume wiping (Eraser can be downloaded at https://eraser.heidi.ie/).

In the following example, a 2 TB external hard drive will be erased and prepared for use as an evidence drive. The following sequence should be repeated every time that a drive is going to be placed into a state that can be utilized for an incident investigation:

  1. Start the application Eraser. In the GUI, click Erase Schedule and New Task:
  2. A task name can be assigned. This may be helpful in properly documenting the erasure of the evidence drive. Click the Add Data button. This will open another window:

     For Target type, select Drive/Partition. In the Settings area, there will be a drop-down list of partitions and drive letters. Pay very close attention to the drive letters assigned to the various drives and ensure that the external drive that requires wiping is selected. In this case, a new Seagate external HDD is being utilized. Finally, select the erasure method. There are several different options for wiping drives. In this case, the US DoD 5220.22-M (8-306./E) (3 Pass) wiping option is selected:

  3. Click OK and the wiping task will be listed in the Erase Schedule.
  4. Right-click the Partition: Seagate Expansion Drive(E:) task and click Run Now. This will start the wiping process. As was stated before, ensure that the correct evidence drive is being wiped:

Depending on the size of the drive and the system that is performing the wipe, the process can last hours or even days. Once completed, the incident response analyst should capture any wiping information that verifies that the evidence drive has been properly wiped. This is important information to include in a written forensic analysis report, as it demonstrates that the incident response analyst took appropriate measures to ensure that any evidence files were free from corruption or commingling with other files on the evidence drive.
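The verification step above is the part analysts most often skip when using a GUI wiper: the tool says "done", but nothing is kept for the report. The following is an added example, not code from the book and not how Eraser works internally. It overwrites a file-backed stand-in for an evidence drive with a generic multi-pass scheme (0x00, 0xFF, random, then a final 0x00 pass, chosen for illustration rather than as a claim about the DoD 5220.22-M option), reads every byte back to confirm the final pattern, and produces the record (size, pass count, hash of the read-back state, completion time) that belongs in the written analysis. The `demo()` function and its 4 MiB random sample file are constructed for this example; a real run would pass a device path instead.

```python
"""Added example, not from the book or from Eraser: a multi-pass overwrite of
a file-backed evidence "drive" followed by the verification record an analyst
would keep for the forensic report. The pass sequence (0x00, 0xFF, random,
then a final 0x00 pass) is a generic scheme chosen for illustration, not a
claim about how Eraser implements DoD 5220.22-M."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB at a time so multi-terabyte targets fit in memory


def _target_size(fh):
    """Size of a regular file or block device (os.path.getsize() is 0 for devices)."""
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    return size


def overwrite_passes(path, passes=(b"\x00", b"\xff", None, b"\x00")):
    """Overwrite every byte of `path` once per entry in `passes`.
    A one-byte entry is repeated across the target; None writes os.urandom().
    Returns the number of bytes covered by each pass."""
    with open(path, "r+b", buffering=0) as fh:
        size = _target_size(fh)
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                data = os.urandom(n) if pattern is None else pattern * n
                remaining -= fh.write(data)  # raw write may be partial; loop
            fh.flush()
            os.fsync(fh.fileno())  # make sure the pass reached the medium
    return size


def verify_wiped(path, expected=b"\x00"):
    """Read the whole target back. Returns (all_expected, sha256_hex):
    whether every byte equals `expected`, and a hash of the read-back state
    that is recorded as evidence of the drive's condition."""
    digest = hashlib.sha256()
    clean = True
    with open(path, "rb", buffering=0) as fh:
        remaining = _target_size(fh)
        while remaining:
            block = fh.read(min(CHUNK, remaining))
            if not block:  # short read: target ended early, stop rather than spin
                clean = False
                break
            digest.update(block)
            if block != expected * len(block):
                clean = False
            remaining -= len(block)
    return clean, digest.hexdigest()


def wipe_with_record(path, passes=(b"\x00", b"\xff", None, b"\x00")):
    """Wipe `path` and return the record an analyst would attach to the report.
    The last pass must be a fixed byte so the result can be verified."""
    size = overwrite_passes(path, passes)
    clean, sha = verify_wiped(path, passes[-1])
    return {
        "target": path,
        "bytes": size,
        "passes": len(passes),
        "final_pattern": passes[-1].hex(),
        "verified_all_bytes": clean,
        "sha256_after_wipe": sha,
        "completed_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo(size=4 * CHUNK):
    """Constructed sample: a 4 MiB file of random bytes stands in for a drive.
    Shows the verification failing before the wipe and passing after it."""
    fd, path = tempfile.mkstemp(prefix="evidence-drive-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(size))
    try:
        before, _ = verify_wiped(path)  # random data, so this reports False
        record = wipe_with_record(path)
        record["clean_before_wipe"] = before
        # Reference value: what an all-zero target of this size must hash to
        record["expected_zero_sha256"] = hashlib.sha256(b"\x00" * size).hexdigest()
        return record
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The read-back hash is deterministic for an all-zero target of a given size, so a reviewer can recompute it from the recorded size alone without access to the drive; that is what makes the record useful in a report rather than just a log line saying the job finished.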

It is recommended that incident response analysts have several drives available and that these drives be pre-wiped before any incident. This will allow incident response analysts to immediately utilize a wiped drive instead of having to wipe a drive onsite, which wastes time better spent on incident-related activity.

A second preparation step that can be undertaken is to encrypt the evidence drive. Software such as VeraCrypt or another disk encryption platform can be utilized to encrypt the partition of the evidence drive that contains the evidence files. Incident response analysts that are dealing with confidential information such as credit cards or medical records should encrypt the evidence drive regardless of whether it leaves the facility or not.

There are two methods that can be leveraged to encrypt the evidence drive. The first is to utilize the encryption software on the forensic workstation that is utilized in the imaging process. This approach is limited to imaging drives that have been removed from the system and imaged on dedicated systems that have the encryption software installed. A second option is to include the encryption software on the evidence drive. In a previous chapter, an evidence drive was divided into two partitions. One partition was set aside for the evidence files. The second partition is utilized for tools such as those for dumping memory files or imaging. In this scenario, the encryption software can be loaded in the tools partition and the drive encrypted during the evidence imaging process. This limits the number of changes to the system under investigation.
