Forensic hardware – Don’t just blindly trust it
I recently found two pictures which I took in the last 2 years, of the Logicube Forensic Dossier misbehaving. I decided to write this very short article to show these pictures. Since this seems to be a 6th(!) generation forensic solution I would not expect this behavior. The Logicube hardware is widely accepted as ‘forensically sound’; there seems to be some sort of blind trust in forensic hardware by forensic experts, while everything else is always disputed at great length.
Designed exclusively for forensic data capture, the Forensic Dossier is the 6th generation of computer forensic solutions from Logicube. The Dossier provides cutting-edge technology with an easy to use interface. A compact and lightweight design makes the Dossier perfect for field or lab imaging requirements; including data collection for eDiscovery and compliance, digital forensic investigations conducted by federal, state and local law enforcement and corporate security forensic investigations.
No firmware signing
The Logicube Forensic Dossier does not seem to sign the firmware against tampering. This means that you can alter the firmware files to do what you want. I only did a quick test with this, which can be seen below where I adjusted the firmware to show my name on the top of the screen. With some more analysis it is probably possible to change stuff like the hash calculation of the device, resulting in tampering with the evidence.
There seem to be coding errors in the firmware of the Dossier. In the picture below it shows different times for a mirror copy of two disks to two target disks. Where it shows minutes in the top, it shows hours in the bottom one. I would expect that the exact same code would be used for both timings, but it seems there is some kind of difference, where this bug was introduced. If there are already bugs in something as simple as displaying the time, what kind of other bugs might be present on the device?
Even if these bugs are fixed at this moment, there seems to be a flaw in the design of this product. If these things are (or were) present in the device, what other bugs might there be? We might want to move away from the blind trust in forensic hardware.
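One way to avoid relying on the imager's own hash is to recompute the digests independently and compare three views: the source drive, the acquired image, and the value in the imager's log. The following is an added example, not code from the original article or from Logicube. The function names, the log format (a dict of algorithm name to hex digest) and the sample data are assumptions constructed for illustration, and the source is assumed to be read through a write blocker.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB reads, so large images never have to fit in memory


def digest_file(path, algorithms):
    """Hash a file or block device once, feeding every algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def cross_check(reported, source_path, image_path):
    """Return a list of findings; an empty list means source, image and log agree."""
    algorithms = tuple(reported)  # reported: {"sha256": "<hex>"} transcribed from the log
    source = digest_file(source_path, algorithms)
    image = digest_file(image_path, algorithms)
    findings = []
    for algo in algorithms:
        if source[algo] != image[algo]:
            findings.append(f"{algo}: image differs from source")
        if reported[algo].strip().lower() != image[algo]:
            findings.append(f"{algo}: reported digest does not match image")
    return findings


def demo():
    """Constructed data: one 'source', a faithful copy, and a copy with one byte changed."""
    data = bytes(range(256)) * 8192 + b"tail"  # 2 MiB + 4 bytes, not chunk-aligned
    altered = data[:-1] + bytes([data[-1] ^ 0xFF])
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, content in (("source", data), ("good", data), ("bad", altered)):
            paths[name] = Path(tmp) / f"{name}.dd"
            paths[name].write_bytes(content)
        honest = {"sha256": hashlib.sha256(data).hexdigest()}
        forged = {"sha256": hashlib.sha256(altered).hexdigest()}  # log matches altered copy
        return {
            "clean": cross_check(honest, paths["source"], paths["good"]),
            "altered_honest_log": cross_check(honest, paths["source"], paths["bad"]),
            "altered_forged_log": cross_check(forged, paths["source"], paths["bad"]),
        }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "consistent")
```

The third case is the relevant one here: when the log and the image agree with each other but not with the source, only the independent hash of the source reveals the difference.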