ILooKIX - What do you think?

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
  

jaclaz
Senior Member
 

Re: ILooKIX - What do you think?

Post Posted: Apr 24, 13 00:02

- RyanP
I don't know much about EnCase and FTK so I won't bash their products. I got involved in computer forensics around 2004 and used ILook v7 because it was free. Later I used v8 for the same reason.

Good. :)
Since you are a long time user of the tool (and you use it exclusively or prevalently), do you use the IXimager with or without a writeblocker?
dacton just posted that the intended use is without it, but you reported elsewhere how you often use writeblockers:
www.forensicfocus.com/...6/#6557136

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

RyanP
Member
 

Re: ILooKIX - What do you think?

Post Posted: Apr 24, 13 00:11

Yes, I use a writeblocker in conjunction with IXImager. I have tested IXImager without a writeblocker and have never seen it write to a drive, yet I still use them.

I do not image a drive while still connected to the subject machine if I can avoid it. Since the drive is out and being imaged on a dedicated imaging workstation, I need an interface between the evidence hard drive and imaging workstation as well as a power source; may as well be a write blocker.

I also like the insurance that nothing can be written to the drive even if the operator makes a mistake.

We do take a speed hit using the writeblocker, but I'm okay with that.  
 
  

jaclaz
Senior Member
 

Re: ILooKIX - What do you think?

Post Posted: Apr 24, 13 17:03

- RyanP
Yes, I use a writeblocker in conjunction with IXImager. I have tested IXImager without a writeblocker and have never seen it write to a drive, yet I still use them.

This is something I will never be able to understand :shock: (not really connected to the specific IXimager, only as a general point).
If something is supposed to NOT write to an evidence disk, and it is verified to NOT write to an evidence disk, and you can testify in court about it, then making additionally use of a write blocker seems a lot superfluous.
If you use a writeblocker, then you can use each and every tool/OS as the writeblocker will take care of writes (if any) and there is no reason to use a "specially crafted to NOT write anything tool/OS".
It seems pretty binary, 0/1 or On/Off, to me.


- RyanP

I do not image a drive while still connected to the subject machine if I can avoid it. Since the drive is out and being imaged on a dedicated imaging workstation, I need an interface between the evidence hard drive and imaging workstation as well as a power source; may as well be a write blocker.

Sure :D , I presume that this happens because Mr. Tableau and Mr. Wiebetech ;) give away them writeblockers for free.

JFYI, I needed something to hang my hat and coat on, now I could use a coat rack, or a single hook fitted to the wall of my room, something like, you know:
www.tipjunkie.com/diy-...ack-ideas/
but I said to myself, why not use this instead?
cdn.lulztruck.com/wp-c...atrack.jpg
:roll:


- RyanP

I also like the insurance that nothing can be written to the drive even if the operator makes a mistake.

We are again in the above, if the operator makes a mistake while running a tool/OS that already prevents each and every write, it is not IMHO an insurance, it is an additional unneeded link in the chain that may go wrong (and fry an evidence HD as you reported) with the additional drawback of the increase in image time you also report:
- RyanP

We do take a speed hit using the writeblocker, but I'm okay with that.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

dacton
Member
 

Re: ILooKIX - What do you think?

Post Posted: Apr 24, 13 20:10

- jaclaz



- RyanP

I do not image a drive while still connected to the subject machine if I can avoid it. Since the drive is out and being imaged on a dedicated imaging workstation, I need an interface between the evidence hard drive and imaging workstation as well as a power source; may as well be a write blocker.

Sure :D , I presume that this happens because Mr. Tableau and Mr. Wiebetech ;) give away them writeblockers for free.


Anyone working in forensics has a few writeblockers lying around. No imager works all the time and sometimes writeblockers are used for tasks that are not imaging. Are you proposing that he buy even more equipment because the writeblocker does more than is required for the task?

- jaclaz

- RyanP

I also like the insurance that nothing can be written to the drive even if the operator makes a mistake.

We are again in the above, if the operator makes a mistake while running a tool/OS that already prevents each and every write, it is not IMHO an insurance, it is an additional unneeded link in the chain that may go wrong (and fry an evidence HD as you reported) with the additional drawback of the increase in image time you also report:
- RyanP

We do take a speed hit using the writeblocker, but I'm okay with that.


jaclaz


I don't think there is an imaging tool in existence that prevents each and every write. It has to write to something or there is no image.  
 
  

jaclaz
Senior Member
 

Re: ILooKIX - What do you think?

Post Posted: Apr 25, 13 00:56

- dacton

I don't think there is an imaging tool in existence that prevents each and every write. It has to write to something or there is no image.

Implied "to the evidence disk". :evil:

Maybe I am the only one using logic (or my logic is a particular kind of logic :shock: ) but till now I had gathered that a Writeblocker was something used to prevent writes (to the evidence disk) IF the whatever tool used attempts to write to it.

If the IXimager (or WinFE for that matter, or any number of forensic oriented Linux distros) does NOT write to the evidence disk, the usage of a Writeblocker is superfluous.

BTW you just wrote how specifically IXimager is intended to be used without a Writeblocker, which should mean that it is "guaranteed" to NOT write anything (to the evidence disk), whilst RyanP just posted that he uses nonetheless a writeblocker in connection with it, even adding how this causes a slowdown of operations as a "side effect".

Carpenter's example:
A torque wrench is an expensive tool used to tighten at the correct torque a nut/bolt when there is a risk of over or under tightening them.
If you need to tighten breakaway nuts:
www.tufnutworks.com/su...aspx?id=23
you use a normal wrench, or even a pneumatic one (faster) at "full torque setting", as you need NOT to make sure that you have tightened them at the right torque.
Using a torque wrench on breakaway nuts is superfluous (and slower).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

RyanP
Member
 

Re: ILooKIX - What do you think?

Post Posted: Apr 25, 13 01:35

The logic of arguing on an Internet message forum escapes me. You asked a question, I gave an answer. If you choose to handle things differently, so be it. The folks at Perlustro would agree with you. I simply prefer the use of a WB.  
 
  

dacton
Member
 

Re: ILooKIX - What do you think?

Post Posted: Apr 25, 13 01:37

- jaclaz

Maybe I am the only one using logic (or my logic is a particular kind of logic :shock: ) but till now I had gathered that a Writeblocker was something used to prevent writes (to the evidence disk) IF the whatever tool used attempts to write to it.

If the IXimager (or WinFE for that matter, or any number of forensic oriented Linux distros) does NOT write to the evidence disk, the usage of a Writeblocker is superfluous.


I think a writeblocker is something that does prevent writes to anything attached to it (assuming it is working correctly) by anything that might write to it. (new exception with SSDs which can have writes made to them even on a writeblocker) :cry:

- jaclaz

BTW you just wrote how specifically IXimager is intended to be used without a Writeblocker, which should mean that it is "guaranteed" to NOT write anything (to the evidence disk), whilst RyanP just posted that he uses nonetheless a writeblocker in connection with it, even adding how this causes a slowdown of operations as a "side effect".


IXImager can be used with a writeblocker, it's not like it won't work if the evidence drives are behind a writeblocker. It can also be used without a writeblocker and if it is used without a writeblocker there are additional features available.

debbie  
 
