The Ethical Hacker Network - Forensic write blockers

Latest Additions

Who's Online

EH-Net Donations

Google Ads

EH-Net News Feeds

Latest Additions

Book Recommendations

jimbob

Sr. Member

Offline

Posts: 307

Forensic write blockers

« on: June 13, 2007, 02:32:46 AM »

Hi,
I am interested in getting a forensic write blocked (FireWire/USB 2.0), does anyone have any recommendations? I don't want to spend a huge amount of money and some of the solutions run into hundreds of dollarpounds. Are there any 'budget' options that would be considered forensically sound?

Jim


	Logged

warquel

Newbie

Offline

Posts: 5

Re: Forensic write blockers

« Reply #1 on: July 05, 2007, 12:28:52 AM »

It really depends on what you're capturing. PATA? SATA? SCSI (I/II/III)? SCA? 1.8" IDE, 2.5" IDE? USB? Flash? SD? When you get down to it there's no cheap solution. You're likely to spend a lot just to cover the bases.

If you really need to budget then review what your most likely acquisitions are going to be. If you have a lot of legacy systems, it'll likely be IDE. Newer systems, SATA. High Availability servers? SCSI. Then price out one and figure something out for the others.

Some nice little devices that we use are the FireFly (SATA->Firewire) hardware write blocks. They're around US$200. You can find them here http://www.digitalintelligence.com/forensicwriteblockers.php along with other forensic write blockers.

If you want to go the cheapest route, use a linux system with auto mounting disabled and buy some USB or Firewire drive enclosures. If you go this route make sure you create a documented procedure for acquiring evidence and follow it every time. You might even go as far as to record the history of your shell commands as part of your digital case file.


	Logged

jimbob

Sr. Member

Offline

Posts: 307

Re: Forensic write blockers

« Reply #2 on: July 05, 2007, 03:51:01 AM »

Thanks for the excellent response. I am going to go down the route of using Helix, a well documented procedure and a detailed record of the actions taken to acquire the image. I will purchase hardware blockers only if I get a case may go to court and/or the customer is willing to pay extra for the added security.

Regards,
Jim


	Logged

oleDB

Full Member

Offline

Posts: 231

Re: Forensic write blockers

« Reply #3 on: July 05, 2007, 02:26:43 PM »

Not positive on this but I think you can remove the connector for pin23 on your cable and make your own write blocker.

http://en.wikipedia.org/wiki/AT_Attachment

Anyone ever attempt this?


	Logged

dalepearson

Full Member

Offline

Posts: 153

Re: Forensic write blockers

« Reply #4 on: July 10, 2007, 05:24:42 AM »

I have been using an IDE FastBlock from Guardian up till now, but its been messing around. So I am upgrading the lot and have gone for a Tableau T35i Forensic SATA/IDE Bridge. Should arrive this week hopefully.


	Logged

:: Security Active ::

Pages: [1] Go Up

« previous next »

Support EH-Net by
Buying all of your
Amazon items using
the search bar above.

Try CBT Nuggets Free!

Recent Forum Topics

Tutorials : problem with use MSF (14) by KrisTeason
Tools : NetWitness Investigator is now free! (5) by ChrisG
Programming : Using Assembly to access locked files (5) by apollo
Other : New to Ethical Hacking? (2) by cleanwithit0607
Forensics : Working for the dark side (6) by pseud0
Malware : Military Bans Removable Media (8) by sgt_mjc
Programming : Exploits (5) by cleanwithit0607
CEH - Certified Ethical Hacker : MSS from EC-Council? (9) by BillV
Looking To Hire : Looking for a Security Intelligence and Analytics Specialist (0) by liztownsend
Malware : Microsoft to Offer Free Anti-malware Tool (8) by jason
Network Pen Testing : page action (3) by lovewadhwa
Tools : Metasploit 3.2 released (1) by RoleReversal
Mass Media : Movie: Untraceable (7) by jason
Hardware : DD-WRT FTW! (1) by jason
Hardware : DIY USB Keystroke Logger? (0) by jason
Oct 2008 - Scooby Doo and the Crypto Caper : [Article]-Scooby Doo and the Crypto Caper (4) by trolley
Forensics : It's time to get that data back! (4) by sgt_mjc
Forensics : Gaining experience... first steps (5) by sgt_mjc
News from the Outside World : OS with Highest Security Rating from NSA goes Commercial (3) by jason
Other : Microsoft Hyper-V Server 2008 Released, Free (3) by sgt_mjc
Book Reviews : The Art Of Exploitation (3) by apollo
Social Engineering : How to Run a Con (0) by jason
Social Engineering : History Channel's Secrets of Body Language (2) by jason
Social Engineering : Facial Expression Test (0) by jason
CEH - Certified Ethical Hacker : Howdy - study question/labs bootcamp etc. (3) by BillV
Other : PC geeks Inc. (0) by iSmith
Other : UK Data Protection Act (3) by RoleReversal
Other : Yahoo CEO Jerry Yang to Step Down (0) by don
Network Pen Testing : Backtrack 3 Install (2) by KrisTeason
Certification : 7 Types of Hard CISSP Exam Questions and How To Approach Them (4) by jason
CEH - Certified Ethical Hacker : new guy (1) by jason
Programming : Small Basic (2) by jason
Other : Where to start? (5) by jason
Certification : I need your advice connecting to IS certs and careers (3) by jason
News from the Outside World : Deleting your digital past (0) by jason
OSCP - Offensive Security Certified Professional : Next Up OSCP101 v2.0 (31) by jason
Forensics : Data Recovery (6) by jason
Book Reviews : Hacking Exposed, 5th Edition (5) by cleanwithit0607
Forensics : Looking for advice on pursuing forensics.. (3) by Ketchup
Tutorials : about Metasploit 3.1 plz help (4) by mr.Z

Support EH-Net by Buying all of your Amazon items using the search bar above. Try CBT Nuggets Free!

Support EH-Net by
Buying all of your
Amazon items using
the search bar above.

Try CBT Nuggets Free!