Research and Innovations 29 November 2018
Mikhail Karpov, Iskander Zulkarneev and Vladimir Nestor, employees of the UTMN Department of Information Security, are developing a forensic hard drive duplicator. The device is intended for use by organizations that investigate cybercrimes.

As material evidence, a server is usually seized and sent for examination during an investigation. “The removal of a server with all accounting information interrupts business processes, which in 75% of cases leads to financial losses. The second problem arises during the examination of a hacked server. According to the existing laws and accepted standards, an organization investigating cybercrimes is required to preserve data integrity — not a single bit on the drive should be changed. Violation of this rule leads to the loss of reputation; furthermore, such evidence is almost impossible to use in court,” says Mikhail Karpov.

In such cases, a full copy of the drive is created. One copy is given to the injured party (this solves the problem of interrupted business processes); the other stays with the expert. In Russia, copies are made with a chain of devices: the hard drive is connected to a software write blocker (to exclude the possibility of accidental modification of data), and the blocker, in turn, is connected to a computer with copying software installed. However, this method has many drawbacks: sometimes the blocker does not work and data integrity is compromised, only a specialist can work with such a chain, and, finally, the personal computer slows down data copying.

The developers at the UTMN Institute of Mathematics and Computer Sciences propose to solve the problem by combining the three devices into one: a forensic hard drive duplicator. According to M. Karpov, the device is based on an algorithm that guarantees absolute data integrity. It is intended only for copying information, which allows the data copying rate to be increased to up to 9 GB per minute.

“The device will be of interest to law enforcement agencies, centers of expertise and licensees of technical protection of confidential information, as well as organizations that have information security departments. Statistically, the amount of damages caused by cybercrimes has increased 6 times over the past 5 years in the world,” explained the developer.

The prototype of the device partially implements the functionality of the final product. The creation of the first test product is planned for mid-2019. The developers intend to obtain a certificate from the Federal Service for Technical and Export Control (FSTEK), which will allow the device to be used in legal proceedings.

