
Forensic write blockers


jimbob

Post Wed Jun 13, 2007 2:32 am

Forensic write blockers

Hi,
I am interested in getting a forensic write blocker (FireWire/USB 2.0), does anyone have any recommendations? I don't want to spend a huge amount of money and some of the solutions run into hundreds of dollars/pounds. Are there any 'budget' options that would be considered forensically sound?

Jim

warquel

Newbie

Posts: 5

Joined: Tue Jul 03, 2007 10:36 pm

Post Thu Jul 05, 2007 12:28 am

Re: Forensic write blockers

It really depends on what you're capturing. PATA? SATA? SCSI (I/II/III)? SCA? 1.8" IDE, 2.5" IDE? USB? Flash? SD? When you get down to it there's no cheap solution. You're likely to spend a lot just to cover the bases.

If you really need to budget then review what your most likely acquisitions are going to be. If you have a lot of legacy systems, it'll likely be IDE. Newer systems, SATA. High Availability servers? SCSI. Then price out one and figure something out for the others.

Some nice little devices that we use are the FireFly (SATA->FireWire) hardware write blocks. They're around US$200. You can find them here: http://www.digitalintelligence.com/forensicwriteblockers.php along with other forensic write blockers.

If you want to go the cheapest route, use a Linux system with auto mounting disabled and buy some USB or FireWire drive enclosures. If you go this route, make sure you create a documented procedure for acquiring evidence and follow it every time. You might even go as far as to record the history of your shell commands as part of your digital case file.
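
The software-only route described in the post above, sketched as an added example that is not part of the thread or any poster's own procedure: it sets the kernel read-only flag on the source device, images it, verifies the hashes and writes every step to a case log. It assumes util-linux `blockdev` and coreutils `dd`/`sha256sum`, root access for real devices, and caller-supplied paths; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: software write-blocked imaging with a timestamped case log.
# Assumptions: util-linux blockdev, coreutils dd/sha256sum, caller-supplied paths.

# Append a UTC-timestamped entry to the case log.
log_action() {  # usage: log_action LOGFILE MESSAGE...
    local log="$1"; shift
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$log"
}

# Set the kernel read-only flag on a block device and confirm it took effect.
# Regular files (such as a test image) are only noted, since blockdev applies to devices.
set_readonly() {  # usage: set_readonly SOURCE LOGFILE
    local src="$1" log="$2"
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 1
        [ "$(blockdev --getro "$src")" = "1" ] || return 1
        log_action "$log" "blockdev --setro $src (verified: getro=1)"
    else
        log_action "$log" "source $src is not a block device; read-only flag not applied"
    fi
}

# Image SOURCE to IMAGE, hash both, and fail unless the digests match.
acquire() {  # usage: acquire SOURCE IMAGE LOGFILE
    local src="$1" img="$2" log="$3" src_hash img_hash
    [ -r "$src" ] || { log_action "$log" "FAILED: cannot read $src"; return 1; }
    set_readonly "$src" "$log" || { log_action "$log" "FAILED: set read-only on $src"; return 1; }
    src_hash=$(sha256sum < "$src") || return 1
    src_hash=${src_hash%% *}                 # keep only the hex digest
    log_action "$log" "sha256 source $src = $src_hash"
    log_action "$log" "dd if=$src of=$img bs=1M"
    dd if="$src" of="$img" bs=1M 2>> "$log" || return 1   # dd's record counts go into the log
    img_hash=$(sha256sum < "$img") || return 1
    img_hash=${img_hash%% *}
    log_action "$log" "sha256 image $img = $img_hash"
    if [ "$src_hash" = "$img_hash" ]; then
        log_action "$log" "VERIFIED: image matches source"
    else
        log_action "$log" "MISMATCH: image differs from source"
        return 1
    fi
}

# Run only when called with exactly three arguments: SOURCE IMAGE LOGFILE.
if [ "$#" -eq 3 ]; then acquire "$@"; fi
```

The read-only flag is a kernel setting on the acquisition host rather than a hardware block, so the log and the matching hashes are what document that the source was not altered.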

jimbob

Post Thu Jul 05, 2007 3:51 am

Re: Forensic write blockers

Thanks for the excellent response. I am going to go down the route of using Helix, a well-documented procedure and a detailed record of the actions taken to acquire the image. I will purchase hardware blockers only if I get a case that may go to court and/or the customer is willing to pay extra for the added security.

Regards,
Jim

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Thu Jul 05, 2007 2:26 pm

Re: Forensic write blockers

Not positive on this, but I think you can remove the connector for pin 23 on your cable and make your own write blocker.

http://en.wikipedia.org/wiki/AT_Attachment

Anyone ever attempt this?

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Jul 10, 2007 5:24 am

Re: Forensic write blockers

I have been using an IDE FastBlock from Guardian up till now, but it's been messing around. So I am upgrading the lot and have gone for a Tableau T35i Forensic SATA/IDE Bridge. Should arrive this week hopefully.
