How to forensically image a 2Tb External HDD

Discussion of forensic workstations, write blockers, bridges, adapters, disk duplicators, storage etc. Strictly no advertising of commercial products, please.

Simarno
Member
 

How to forensically image a 2Tb External HDD

Post Posted: Nov 08, 17 13:00

Using a Tableau write blocker, I am trying to forensically image a 2 TB HGST external HDD.

The device is recognized by the OS (Win7), but the disk manager shows an error: "Media write blocked".

Any similar difficulties encountered? Do I absolutely need to use the write blocker?
 
  

mscotgrove
Senior Member
 

Re: How to forensically image a 2Tb External HDD

Post Posted: Nov 08, 17 14:10

If you do not use a write blocker, the chances that the disk will be changed in some, even small, way are extremely high.

A forensic image must be 100.00000% identical
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

minime2k9
Senior Member
 

Re: How to forensically image a 2Tb External HDD

Post Posted: Nov 08, 17 14:24

- mscotgrove
If you do not use a write blocker, the chances that the disk will be changed in some, even small, way are extremely high.

A forensic image must be 100.00000% identical


Not strictly true. There are a number of reasons why you might not be able to create a "100% identical" image.
Firstly, with NAS systems, especially proprietary ones, the only way to get an image can be to power it on and get a logical image over a network. This image would be neither complete nor identical.
Same goes for phone extractions, even physical ones, where the device must be turned on. RAM captures will be different by the time you make them, etc.
It's best practice not to change data, but if you connected a disk to a system and it changed the last mounted time on the disk or some file system metadata, that doesn't cause 1000 indecent images to appear.

Back to the actual problem in hand though: you could use some USB write-blocking software as opposed to a hardware write blocker, or boot your device to a forensic distribution of either Linux (CAINE, DEFT etc.) or Windows (WinFE), connect the device and image from the system.

When you are connecting it to a write blocker, are you removing the hard disk drive from the external case and connecting via SATA, or connecting the device in its caddy to a write blocker using a USB connection?

Some external hard disks appear as gibberish unless read through the card used as part of the caddy.
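
The two points raised so far, mscotgrove's "100% identical" requirement and minime2k9's suggestion of imaging from a forensic Linux distribution, come down to the same acquisition loop: read every sector, never write to the source, record what could not be read, and hash what was written. The block below is an added example for this thread, not code from any of the posters or from any imaging tool. It reproduces what dd conv=noerror,sync or dc3dd do (large reads, sector-by-sector fallback on error, zero-fill for unreadable sectors so the image keeps the source's size) and then re-hashes the stored image against the SHA-256 taken during acquisition. FlakyDevice is a constructed stand-in for a disk with two unreadable sectors; a real run would open('/dev/sdX', 'rb') on a device sitting behind a write blocker or a read-only loop device.

```python
"""Sector-level acquisition with hash verification (added example, not from the thread)."""
import hashlib
import io

SECTOR = 512


class FlakyDevice:
    """Constructed test double: an in-memory disk that returns EIO for `bad` LBAs."""

    def __init__(self, data, bad_sectors):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        first, last = self.pos // SECTOR, (self.pos + n - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        out = self.data[self.pos:self.pos + n]
        self.pos += len(out)
        return out


def _read_exact(src, offset, n):
    src.seek(offset)
    buf = src.read(n)
    if len(buf) != n:
        raise OSError(5, "short read")
    return buf


def image_device(src, dst, size, chunk=1 << 20):
    """Copy `size` bytes of src to dst.  Returns (sha256 hex of the bytes
    written, list of LBAs that were unreadable and zero-filled)."""
    digest, bad, off = hashlib.sha256(), [], 0
    while off < size:
        n = min(chunk, size - off)
        try:
            buf = _read_exact(src, off, n)
        except OSError:
            # Chunk failed: retry sector by sector so only the truly bad
            # sectors are lost, and keep the image the same size as the source.
            parts = []
            for s in range(off, off + n, SECTOR):
                sn = min(SECTOR, off + n - s)
                try:
                    parts.append(_read_exact(src, s, sn))
                except OSError:
                    parts.append(b"\x00" * sn)
                    bad.append(s // SECTOR)
            buf = b"".join(parts)
        dst.write(buf)
        digest.update(buf)
        off += n
    return digest.hexdigest(), bad


def verify_image(image_bytes, acquisition_hash):
    """Re-hash the stored image and compare with the hash taken while imaging."""
    return hashlib.sha256(image_bytes).hexdigest() == acquisition_hash


def demo(bad=(5, 40), sectors=64, chunk=4096):
    """Image a constructed 64-sector device with two unreadable sectors."""
    data = bytes(range(256)) * (sectors * SECTOR // 256)
    dst = io.BytesIO()
    acq_hash, found = image_device(FlakyDevice(data, bad), dst, len(data), chunk)
    # What a correct image must contain: the source with the bad sectors zeroed.
    expected = bytearray(data)
    for s in bad:
        expected[s * SECTOR:(s + 1) * SECTOR] = b"\x00" * SECTOR
    return {
        "acquisition_hash": acq_hash,
        "expected_hash": hashlib.sha256(expected).hexdigest(),
        "bad_sectors": found,
        "image_size": len(dst.getvalue()),
        "verified": verify_image(dst.getvalue(), acq_hash),
    }


if __name__ == "__main__":
    print(demo())
```

The list of zero-filled LBAs is the part worth keeping in the case notes: it is what lets you say exactly where an image is not identical to the source, which is the honest form of the "100% identical" claim when a drive has bad sectors.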
 
  

Simarno
Member
 

Re: How to forensically image a 2Tb External HDD

Post Posted: Nov 08, 17 16:06

Seems legit.

- minime2k9
When you are connecting it to a writeblocker, are you removing the hard disk drive from the external case and connecting via SATA or connecting the device in its caddy to a writeblocker using USB connection?


I extracted the HDD from the case and connected it through SATA.
 
  

athulin
Senior Member
 

Re: How to forensically image a 2Tb External HDD

Post Posted: Nov 08, 17 16:53

- sim4n6
Using Tableau Writeblocker, I try to image forensically a 2Tb hgst ehdd.

The device is recognized by OS Win7, but the disk manager shows an error Media write blocked.


Tilt? Do I understand you correctly: I interpret your post to say that you've write blocked the drive that you want to take a forensic image of. Your device manager confirms it.

Isn't that how you want it to be?  
 
  

JaredDM
Senior Member
 

Re: How to forensically image a 2Tb External HDD

Post Posted: Nov 09, 17 00:29

- minime2k9

Not strictly true. There are a number of reasons why you might not be able to create a "100% identical" image.
Firstly, with NAS systems, especially proprietary ones, the only way to get an image can be to power it on and get a logical image over a network. This image would be neither complete nor identical.


No, the proper way is to remove the NAS disks, image them individually, and then build a virtual RAID and create an image of that. It'll come out the same no matter how many times you image it if you do it that way. Grabbing an image through the NAS is a hack IMHO, and is incredibly slow.

Nearly all NASs these days are Linux or FreeBSD based, so the filesystems and RAID patterns are straight-up open source. Usually doesn't take more than a few minutes to figure it out if you know what you are doing.

Unless you are talking about an iSCSI target, which is treated as DAS despite being read over the network. For that you might be better off reading through the NAS in some cases, but even then you can do it with the target unmounted and create an image properly multiple times. It'll only change if someone accesses or mounts it, which you should know how to avoid if you're doing forensics.
_________________
Lead Data Recovery Tech at Data Medics® - www.data-medics.com 
 
  

minime2k9
Senior Member
 

Re: How to forensically image a 2Tb External HDD

Post Posted: Nov 10, 17 08:20

- JaredDM

No, the proper way is to remove the NAS disks, image them individually, and then build a virtual RAID and create an image of that. It'll come out the same no matter how many times you image it if you do it that way. Grabbing an image through the NAS is a hack IMHO, and is incredibly slow.

Nearly all NASs these days are Linux or FreeBSD based, so the filesystems and RAID patterns are straight-up open source. Usually doesn't take more than a few minutes to figure it out if you know what you are doing.



My example was probably not the best and neither was the wording, and for the majority of NAS boxes I use the method you mention. It does become more tricky to rebuild RAIDs based on partitions rather than disks, as quite a lot of NAS boxes using Linux do. A simple way is to connect the disks to a forensic distro of Linux and use the mdadm command to rebuild. Try doing this through a write blocker, however, and you will find that it won't work as it needs to write to the filesystem.

However, if you have a proprietary RAID card in a NAS system (or PC for that matter) that isn't supported in any forensic tool, you may have to boot it and image that way.

Also, you'd be surprised how many forensic companies still image over the network.
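
JaredDM's "image the members, then build a virtual RAID" and minime2k9's note that mdadm assembly wants to write to the members are the two halves of the same procedure. The block below is an added example for this thread, not code from either poster or from mdadm. It rebuilds a Linux md RAID-5 volume in user space from per-member images using the md default layout (left-symmetric), and can reconstruct one missing member from parity, so nothing ever has to be assembled as a writable array. It assumes the member images are supplied in md slot order, that each image already starts at the data area (the md superblock and data offset have been skipped), and that the chunk size is known; mdadm --examine on a member reports the layout, chunk size and data offset. The volume and member images in demo() are constructed in memory, not taken from a real NAS.

```python
"""User-space rebuild of a Linux md RAID-5 volume from member images (added example)."""


def xor_blocks(blocks):
    """XOR equal-length byte strings: RAID-5 parity and missing-member rebuild."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")


def left_symmetric(stripe, n):
    """Left-symmetric RAID-5 map for one stripe of an n-member array (md default).
    Parity walks from the last member leftwards, one member per stripe; data
    chunk 0 sits on the member right after parity and the rest wrap around.
    Returns (parity_member, [member holding data chunk 0, 1, ...])."""
    p = (n - 1) - (stripe % n)
    return p, [(p + 1 + k) % n for k in range(n - 1)]


def split_raid5(volume, n, chunk):
    """Inverse of assemble_raid5; used here only to build constructed member
    images from a known logical volume."""
    per_stripe = chunk * (n - 1)
    stripes = -(-len(volume) // per_stripe)
    members = [bytearray() for _ in range(n)]
    for s in range(stripes):
        p, data = left_symmetric(s, n)
        base = s * per_stripe
        chunks = [volume[base + k * chunk:base + (k + 1) * chunk].ljust(chunk, b"\x00")
                  for k in range(n - 1)]
        for k, member in enumerate(data):
            members[member] += chunks[k]
        members[p] += xor_blocks(chunks)
    return [bytes(m) for m in members]


def assemble_raid5(members, chunk):
    """members: member images in slot order; at most one may be None (failed or
    absent disk) and is rebuilt from the others.  Returns the logical volume."""
    n = len(members)
    if sum(m is None for m in members) > 1:
        raise ValueError("RAID-5 can rebuild at most one missing member")
    size = min(len(m) for m in members if m is not None)
    out = bytearray()
    for s in range(size // chunk):
        p, data = left_symmetric(s, n)
        lo, hi = s * chunk, (s + 1) * chunk
        for member in data:
            if members[member] is not None:
                out += members[member][lo:hi]
            else:
                # Rebuild: XOR of every other member's chunk in this stripe, parity included.
                out += xor_blocks([members[o][lo:hi] for o in range(n) if o != member])
    return bytes(out)


def demo(n=4, chunk=64, missing=2):
    """Constructed 4-member array, 8 stripes; reassemble intact and with one member gone."""
    volume = bytes((i * 7 + 3) & 0xFF for i in range(8 * chunk * (n - 1)))
    members = split_raid5(volume, n, chunk)
    degraded = list(members)
    degraded[missing] = None
    return {
        "stripes": len(members[0]) // chunk,
        "intact_ok": assemble_raid5(members, chunk) == volume,
        "degraded_ok": assemble_raid5(degraded, chunk) == volume,
    }


if __name__ == "__main__":
    print(demo())
```

With real images the usual shortcut is losetup -r on each image followed by mdadm --assemble --readonly, which keeps the kernel from updating the members; the arithmetic above is what that assembly does, written out so the layout (and the reason a partition-based array rebuilds exactly like a disk-based one once you point at the right data offset) is visible.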
 
