Deleting collected digital evidence by exploiting a widely adopted hardware write blocker

back to overview


Meffert, C. S., Baggili, I., & Breitinger, F. (2016). Deleting collected digital evidence by exploiting a widely adopted hardware write blocker. Digital Investigation, 18, 87 - 96.

Publication type

Article in Scientific Journal


In this primary work we call for the importance of integrating security testing into the process of testing digital forensic tools. We postulate that digital forensic tools are increasing in features (such as network imaging), becoming networkable, and are being proposed as forensic cloud services. This raises the need for testing the security of these tools, especially since digital evidence integrity is of paramount importance. At the time of conducting this work, little to no published anti-forensic research had focused on attacks against the forensic tools/process. We used the TD3, a popular, validated, touch screen disk duplicator and hardware write blocker with networking capabilities and designed an attack that corrupted the integrity of the destination drive (drive with the duplicated evidence) without the user's knowledge. By also modifying and repackaging the firmware update, we illustrated that a potential adversary is capable of leveraging a phishing attack scenario in order to fake digital forensic practitioners into updating the device with a malicious operating system. The same attack scenario may also be practiced by a disgruntled insider. The results also raise the question of whether security standards should be drafted and adopted by digital forensic tool makers.


Organizational Units

  • Institute of Information Systems
  • Hilti Chair for Data and Application Security