Good combo of software+hardware (court admissible)

(@leszekbart)
Posts: 3
New Member
Topic starter
 

Dear All,

As my case is highly likely to end up in proceedings (GCC region), I would need a backup solution, as I won't be able to travel with a TX1 device or other devices that look non-standard to their customs officers (meaning I can travel with HDDs and cables, but not with an Aegis Padlock drive, as it could trigger safety hazard questions).

I imagine I could travel, though, with a write-blocker and set up the write-blocker and FTK to acquire data.

Can you then recommend some light, small, versatile, inconspicuous write-blocker? Preferably not that expensive 😉
Or otherwise advise on another set-up or solution?

I would deeply appreciate any helpful comments.

 
Posted : 07/01/2019 10:16 am
(@kenobyte)
Posts: 36
Eminent Member
 

You could use the WiebeTech Forensic UltraDock, a laptop and something like FTK Imager. If you wanted to spring for something a bit more expensive, there is the Ditto DX?

https://www.cru-inc.com/products/wiebetech/forensic-ultradock-v5-5/

 
Posted : 07/01/2019 1:19 pm
(@tacobreath)
Posts: 14
Active Member
 

Perhaps the cheapest solution - as in free - is to use a Linux distribution like CAINE, DEFT Zero or Paladin on a laptop to acquire the hard drive(s). The write-blocking function is built into these Linux distros because they allow you to acquire the data by mounting the drive as Read-Only. (Make sure you test and validate this beforehand.) If you load one of these Linux distros onto a USB flash drive, you have a portable operating system that you can use to boot your laptop.

If you prefer using Windows and FTK Imager, a hardware write blocker such as the Coolgear USB 3.0 SATA Adapter (https://www.coolgear.com/product/usb-3-0-sataide-adapter-with-write-protection) is cheap - about $50 US - and very effective. (I have one myself, and I am not affiliated with the company.)

The issue of "court admissible" is another matter. In the US and elsewhere, acquiring data in the 2 methods I mentioned above is generally admissible in court because they are accepted practices in digital forensics. I'm guessing that "GCC region" refers to the Gulf Cooperation Council comprising Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates. My belief is that courts in those countries probably follow these accepted practices of digital forensics, but perhaps someone from that part of the world can speak to what is court admissible there.

 
Posted : 07/01/2019 5:47 pm
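As an added example (not from the thread or any of its posters), a POSIX shell sketch of the "test and validate beforehand" step for a software write block on a Linux acquisition box: set the kernel read-only flag on the device, then prove it by hashing, attempting a single-sector write, and re-hashing. The device path `/dev/sdX` is a placeholder; the verify function also accepts a regular file so the check itself can be bench-tested without an evidence drive.

```shell
#!/bin/sh
# Added example: validate a software write block before acquisition.
# Procedure assumed here: hash the target, attempt one sector write, hash again.
# A correctly blocked target keeps its hash AND the write is refused.

# Software write block: mark the kernel block device read-only (requires root).
# /dev/sdX is a placeholder for the evidence drive.
set_readonly() {
    dev="$1"
    blockdev --setro "$dev" && [ "$(blockdev --getro "$dev")" = "1" ]
}

# Returns 0 if the target is write-blocked (hash unchanged and write refused),
# 1 otherwise. Works on a block device or, for bench testing, a regular file.
verify_write_block() {
    target="$1"
    before=$(sha256sum "$target" | cut -d' ' -f1)
    # Try to overwrite the first 512 bytes in place (notrunc keeps the size).
    if dd if=/dev/zero of="$target" bs=512 count=1 conv=notrunc 2>/dev/null; then
        write_status="succeeded"
    else
        write_status="refused"
    fi
    after=$(sha256sum "$target" | cut -d' ' -f1)
    if [ "$before" = "$after" ] && [ "$write_status" = "refused" ]; then
        echo "write block OK: hash $after unchanged, write refused"
        return 0
    fi
    echo "write block FAILED: write $write_status, hash before=$before after=$after"
    return 1
}

# Typical field use (root): set_readonly /dev/sdX && verify_write_block /dev/sdX
# Only image the drive once verify_write_block returns 0.
```

Run the verify step on the actual evidence device before imaging, and keep its output with the acquisition notes; a refused write plus an unchanged hash is the record that the block was in force.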
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Perhaps the cheapest solution - as in free - is to use a Linux distribution like CAINE, DEFT Zero or Paladin on a laptop to acquire the hard drive(s). The write-blocking function is built into these Linux distros because they allow you to acquire the data by mounting the drive as Read-Only. (Make sure you test and validate this beforehand.) If you load one of these Linux distros onto a USB flash drive, you have a portable operating system that you can use to boot your laptop.

If you prefer using Windows and FTK Imager, a hardware write blocker …

Or a WinFE, for that matter.

jaclaz

 
Posted : 07/01/2019 7:41 pm
(@leszekbart)
Posts: 3
New Member
Topic starter
 

Thanks for the prompt responses. It is both amazing and impressive. I got reassured as I already sent a requisition for the Coolgear mentioned by Tacobreath. I decided to go for it as it will probably be much harder to explain that software can do it all, especially any open-source software. Nonetheless I will take a stick with an operating system with one of those.

Ditto seems much smaller and thanks for that advice. It just seems too much.

Maybe it will be far-fetched, but would some SSD adapter like that work with the following set-up: Windows laptop + FTK/other + Coolgear?

Can't really say what to expect there, but having some corporate Windows-based laptop with SSD, I would most likely use some hardware adapters and only later reach for a stick-based OS with dedicated tools.

Thanks once again!

 
Posted : 08/01/2019 4:38 am
(@armresl)
Posts: 1011
Noble Member
 

It looks really cheaply made. Granted it doesn't cost much, but would it withstand travel, constantly going in and out of a Pelican case or backpack?

Also, I don't see a write block jumper or switch; how does it handle that?

**EDIT**

Saw this on Amazon for that product.

.0 out of 5 stars: Would not buy again, does not support more recent …
March 22, 2018
Verified Purchase
Would not buy again, does not support more recent or very old drives. Newer model not supported on OSX. Junk.


 
Posted : 08/01/2019 6:42 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also, I don't see a write block jumper or switch; how does it handle that?

What do you mean?
https://www.coolgear.com/wp-content/uploads/2013/05/127asd-usb3-ide-sata-hdd-adapter1x1000.jpg
There are two switches on the top, one for IDE, one for SATA, with a closed padlock on the left side and an open padlock on the right side.
What would they do? 😯

We have here at least two "positive reviews"
https://www.forensicfocus.com/Forums/viewtopic/p=6589831/#6589831
https://www.forensicfocus.com/Forums/viewtopic/p=6589833/#6589833
which personally I trust more than any Amazon review written by who knows who.

Back to the original topic: for acquisition on a trip in a foreign country, even if you are a "hardware write blocker" fan[1], additionally carrying a USB stick or two with a minimal WinFE with FTK Imager (or *whatever* other program) and a small Linux specifically designed for acquisitions only, like the OSForensics OSFClone
https://www.osforensics.com/tools/create-disk-images.html

costs near to US$0, and you never know if your hardware write blocker will not work for *whatever* reasons.

jaclaz

[1] If you are, you might be interested in reading here
https://www.forensicfocus.com/Forums/viewtopic/t=16073/
[2] and if you are not, you might be interested in reading starting from here
https://www.forensicfocus.com/Forums/viewtopic/p=6582616/#6582616

 
Posted : 08/01/2019 11:30 am
(@leszekbart)
Posts: 3
New Member
Topic starter
 

@jaclaz - thanks a lot for the reply.
I can't really predict what will be there, yet I need to be "rationally" covering most options.
I am guessing that the write-blocker should work. If not, I will use the distro; I have now tested CAINE, but would need to test others just in case.

On a positive note, all this research and testing made me really appreciate what we are doing and the knowledge we have to do things right (not compromise). What is even better, my boss also understood the value of the recognized tools that we have. The final test would of course be to find stuff on the devices to "make it worth the hustle".

I am really grateful also to have this space to reach for advice and get valuable responses.
Having a chance to somehow show my gratitude, I certainly will.

 
Posted : 16/01/2019 7:04 am
watcher
(@watcher)
Posts: 125
Estimable Member
 

Even with a bootable forensic release like CAINE, you should attempt to use a write blocker anyway. Granted it's not technically necessary, but it precludes fishing trips and explanations to, "Did you use a write blocker?" It's much easier to say "Yes" than to explain why it wasn't necessary to people who only know the buzz phrases.

 
Posted : 16/01/2019 6:10 pm