– Hardware imagers that can be used as write blockers. – Software write blockers – Registry keys and EnCase SE for example. The verification step was skipped in all cases.ġ) Did not test with drives containing bad sectors.ģ) Examine the impact of different cables, imaging applications, operating systems, and RAID arrays.Īs I wrote this review, I kept thinking “what about this other option ….” These include: The acquisition was allowed to run to completion for each test and time required for acquisition only was noted. The default imaging options were used except that compression was turned off for all tests. If the write blocker supported more than one host interface, each of the three drives was tested with each interface.ĮnCase v6.13 was used to conduct the tests. These registers must be reset prior to shutting down the drive or the drive could be left in a state that is different from the starting condition.Įach of the three drives was tested with each write blocker. Working with HPA partitions is touchy, and doing so moves into a grey area as registers on the disk are written to make the HPA available. The HPA partition was created on the IDE drive and verified at the end of the tests with the hdparm command to ensure it was still present. The test harness was my workhorse forensics workstation, a two year old Dell running XP, an aftermarket eSATA interface card, a USB 2.0 interface, a Firewire 400 interface, and a RAID 5 array.Īll of the drives were imaged with EnCase v6.13.įurther research could be conducted with different imaging applications and different hardware. Since the majority of the drives we are seeing are SATA drives, the review focuses on just SATA to SATA versions, though Guidance FastBloc2 FE is included for comparison purposes. The two major vendors in this area are Tableau and WiebeTech though ICS just came out with a new product that looks very interesting. In the interest of keeping this review focused, I am only covering portable hardware write blockers. The number of write blocker options continues to grow (see “Areas for future research” below). The major difference appears to be in the layout, form factor, and physical design of the units. In the last year or two the number of options has expanded somewhat, the major vendors all have similar features, and the prices have come down. A write blocker was my first forensics hardware purchase and I keep my collection of write blockers up to date religiously.The differences between write blockers used to be fairly significant in terms of quality, speed, features, and price. The key to this acquisition process is the ubiquitous write blocker, probably the most important tool in any acquisition kit. There are exceptions to this – cell phones and live acquisitions come to mind – but even then, the process should be minimally invasive. And the phrase “forensically sound” is key – the evidence needs to be acquired in a manner that ensures that the process doesn’t modify the evidence in any manner. Reviewed by David Kovar of NetCerto, Inc.ĭigital evidence needs to come from somewhere, right? It doesn’t appear, “forensically sound”, from out of the blue.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |