
HDD dock allowing simultaneous access from two computers?

Zul22
(@zul22)
Member

Hi,

Sometimes, it can be useful to gain access to the same hard drive simultaneously from both Linux and Windows.

For instance, you're carving files on Linux and want to check some of the already carved files on Windows without having to copy them to some USB key.

I wonder if besides network access, NAS or running Windows applications on Linux through Wine, there is on the market some dock to which you can simply connect a second USB or eSata wire to access the same drive simultaneously. The second access being read-only would not really be a problem.

Thanks.

Posted : 05/11/2014 6:06 pm
mgilhespy
(@mgilhespy)
Active Member

Truly simultaneous access? I am not aware of anything. You would need something which was not only sharing the resource but also acting as an arbitrator in case of conflicting simultaneous requests (for example two requests to move the head to completely different areas of the disk for reading)…

Something like this might work for you…

Kensington USB sharing device

But you are basically switching from one active device to the other (without having to replug cables).

Posted : 05/11/2014 8:22 pm
Bulldawg
(@bulldawg)
Active Member

I don't think you're going to find anything that fits that description. Both computers will assume exclusive access and things will break very quickly.

You may be able to sort of make this work with a Linux virtual machine (VM) and mounting an evidence file with EnCase or something similar. Then, your Windows tool can access the e01 directly and through the mounted device you can also read from the Linux VM. Not sure if this would work because I've had trouble getting VMware to allow access to an emulated drive in the past.

This is all assuming you're using some sort of containerized evidence file. Let us know if you get it working.

Posted : 10/11/2014 8:33 pm
jaclaz
(@jaclaz)
Community Legend

Simultaneously or concurrently certainly not.

But SATA (and of course USB and eSATA) drives are hot-swappable, so, at least in theory, it should be not particularly difficult to make a "switch" not entirely unlike the ones that were once common for "shared" printers, example:
http://www.newegg.com/Product/Product.aspx?Item=9SIA4SR1PN3957&cm_re=Parallel_port_printer_switch-_-9SIA4SR1PN3957-_-Product

The procedure would be (let's assume that the Windows PC is "A" and the Linux PC is "B"):

  • unmount the disk from "A"
  • switch the switch from "A" to "B"
  • the disk would be autodetected (or will need to be manually detected) in "B"

Same, reversed for passing from "B" to "A".

Ideally such a thing should provide its own PSU, in order to be independently powered (to avoid issues if the PC providing the power to the disk is switched off).

Now, what may happen if one uses a USB AND ESATA external enclosure/adapter?
Example:
http://www.pcper.com/reviews/Motherboards/Oyen-Digital-MiniPro™-eSATA-USB-30-Portable-Hard-Drive-Enclosure-Review
adding to it a switch?

jaclaz

Posted : 10/11/2014 10:09 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Related to the question of using HDD docks, or "toasters" as I like to call them, one important consideration I have found is that drive letter assignments can change depending upon what other drives are attached to one's forensic analysis computer.

This changing of the assigned drive letters can cause some forensic analysis software databases to no longer function (until the assigned drive letters are correctly re-assigned).

I believe the problem arises due to the fact that indexing engines used by forensic analysis software will typically hard code paths when an index is first being created. So, for example, if one has a forensic image file stored on drive letter "M", which is being mounted as a virtual drive "N", indexing software will hard code the value "N:\" into cross reference files and the indexes themselves.

If one were to, at a later date, first plug in a USB thumb drive, which would then cause the subsequent forensic image file to be assigned the letter "N" and the mounted image the letter "O", one might find that the index created previously is no longer working.

So, my answer has been to keep note, for each case, of (1) the drive letter holding the forensic image file and (2) the drive letter under which the forensic image file has been mounted as a virtual drive, so that if I go back to analyze a specific case later on, I can recreate the drive letter assignments that existed when the index was first created.

I do not believe this issue is tied to any one forensic software package, but is simply an issue related to hard coded pathing.

Posted : 10/11/2014 11:53 pm
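
The per-case note-keeping described in the post above can be turned into a check that works out which drive letters have to be changed, and in what order, before a case is reopened. This is an added example, not part of the original post or of any forensic product; `plan_reassignment` and the volume identifiers are hypothetical, and it assumes each volume can be recognised by some stable identifier (for instance a volume serial number) and that the thumb drive in the post's scenario took letter M. It also goes slightly beyond the post by handling two volumes that have swapped letters.

```python
import string

def plan_reassignment(recorded, current):
    """Return (moves, missing) that restore a case's recorded drive letters.

    recorded: {volume_id: letter} as noted when the index was first created.
    current:  {volume_id: letter} as assigned on the workstation right now.
    moves is an ordered list of (volume_id, from_letter, to_letter).
    """
    occupied = {letter: vol for vol, letter in current.items()}
    missing = [vol for vol in recorded if vol not in current]
    pending = {vol: want for vol, want in recorded.items()
               if vol in current and current[vol] != want}
    reserved = set(recorded.values())
    moves = []

    def relocate(vol, to_letter):
        from_letter = next(l for l, v in occupied.items() if v == vol)
        del occupied[from_letter]
        occupied[to_letter] = vol
        moves.append((vol, from_letter, to_letter))

    while pending:
        # Prefer a volume whose recorded letter is free at this point.
        ready = next((v for v, want in pending.items() if want not in occupied), None)
        if ready is not None:
            relocate(ready, pending.pop(ready))
            continue
        # Every wanted letter is taken (unrelated drive or a swap):
        # park one blocker on a spare letter that no recorded entry needs.
        blocker = occupied[next(iter(pending.values()))]
        spare = next((l for l in reversed(string.ascii_uppercase[3:])
                      if l not in occupied and l not in reserved), None)
        if spare is None:
            raise RuntimeError("no spare drive letter available")
        relocate(blocker, spare)
    return moves, missing

if __name__ == "__main__":
    # Constructed sample: volume ids are hypothetical labels, not real serials.
    recorded = {"IMAGE-STORE": "M", "MOUNTED-IMAGE": "N"}
    current = {"USB-THUMB": "M", "IMAGE-STORE": "N", "MOUNTED-IMAGE": "O"}
    moves, missing = plan_reassignment(recorded, current)
    for vol, src, dst in moves:
        print(f"{vol}: {src}: -> {dst}:")
    print("not attached:", missing)
```

The function only computes the order of changes; applying them is left to the operator.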
Zul22
(@zul22)
Member

Thank you for your answers.

So, there doesn't seem to be such hardware to gain simultaneous eSata or USB access to the same drive from two different machines. :(

For instance, you're carving files on Linux and want to check some of the already carved files on Windows without having to copy them to some USB key.

I have to better explain this: the carving is still going on and will last more hours or days. But you need some files very quickly and to test the already carved files, you need some software which only runs on Windows.

So yes, I mean really simultaneous access to not have to copy the files, this access could possibly be read-only from the computer running Windows.

Because the carving must still be running, a hardware switch is not the solution.

With a mechanical hard drive, I'm aware that this is very intensive for the spindle.
Exactly like if you're merging the stripes of two RAID-0 drives, two thirds were done and you're eager to have a glance at the reassembled drive to see if the result already contains some valid files.

I wonder if besides network access, NAS or running Windows applications on Linux through Wine, there is on the market some dock to which you can simply connect a second USB or eSata wire to access the same drive simultaneously.

So to gain simultaneous access, would a solution be using a NAS or maybe something like QEMU?

Posted : 11/11/2014 5:44 pm
jaclaz
(@jaclaz)
Community Legend

So to gain simultaneous access, would a solution be using a NAS or maybe something like QEMU?

The issue may be with two things:

  • WHICH (between the Windows and Linux) will be the "host" and which will be the "hosted" OS
  • the EXACT suitable version of Qemu (or derivative)

Expect the "hosted" OS running inside Qemu to have 1/3 speed or less than the same OS run directly.

I often use Qemu (running it in Windows) through a "wrap around" called Qemu Manager, and I remember that earlier versions of Qemu Manager (cannot say if 5.0 or 6.0) allowed for "concurrent access" to an image file (from within the VM and from the "host" OS) while newer version 7.0 prevents this (but "concurrent" access to a "Physical Drive" is still possible, i.e. you can map a Physical Drive - with volumes in it already mounted on the "host" filesystem to a virtual device within the VM).

Possibly the same can be done in a VirtualBox VM (which should be faster), but cannot say.

jaclaz

Posted : 11/11/2014 10:19 pm
Zul22
(@zul22)
Member

@jaclaz Thank you a lot for sharing your experience and thoughts, this is very interesting. Regards.

Posted : 12/11/2014 7:47 pm
jaclaz
(@jaclaz)
Community Legend

@jaclaz Thank you a lot for sharing your experience and thoughts, this is very interesting. Regards.

You are welcome :)

Keep us posted with the results of your experiments.

jaclaz

Posted : 12/11/2014 9:37 pm