How to forensically image a 2Tb External HDD  

Simarno
(@simarno)
New Member

Using a Tableau write blocker, I am trying to forensically image a 2 TB HGST external HDD.

The device is recognized by the OS (Windows 7), but Disk Manager shows the error "Media write blocked".

Has anyone encountered similar difficulties? Do I absolutely need to use the write blocker?

Posted : 08/11/2017 12:00 pm
mscotgrove
(@mscotgrove)
Senior Member

If you do not use a write blocker, the chances that the disk will be changed in some, even small, way are extremely high.

A forensic image must be 100.00000% identical

Posted : 08/11/2017 1:10 pm
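As an added illustration of the "100% identical" point above (example code, not from any poster in this thread): a minimal acquire-then-verify routine in Python. It computes MD5 and SHA-256 while streaming the source, then independently re-hashes the written image; the two sets of hashes and the byte count must match exactly before the image is used. It goes one step beyond the post by handling what an imager meets on an ageing 2 TB drive: a read error is retried sector by sector, unreadable sectors are zero-filled and their offsets recorded, so the report states exactly where the image is not identical to the disk. `FlakySource` is a constructed stand-in for such a disk and exists only for the demonstration.

```python
"""Acquire-then-verify: the hashes computed while reading the source must
match the hashes of the written image byte for byte.

Added example; not code from the thread. Works on any binary file object;
FlakySource is a constructed stand-in for a disk with one bad sector.
"""
import hashlib
import io
from typing import BinaryIO

SECTOR = 512
CHUNK = 64 * SECTOR  # 32 KiB per read; a real imager uses 1 MiB or more


class Hashes:
    """MD5 and SHA-256 computed in one pass over the same bytes."""

    def __init__(self) -> None:
        self.md5, self.sha256, self.length = hashlib.md5(), hashlib.sha256(), 0

    def update(self, data: bytes) -> None:
        self.md5.update(data)
        self.sha256.update(data)
        self.length += len(data)

    def result(self) -> dict:
        return {"bytes": self.length,
                "md5": self.md5.hexdigest(),
                "sha256": self.sha256.hexdigest()}


def _read_at(src: BinaryIO, offset: int, size: int) -> bytes:
    src.seek(offset)
    return src.read(size)


def acquire(src: BinaryIO, dst: BinaryIO) -> dict:
    """Stream src into dst, hashing every byte as it is read.

    A read error on a chunk is retried sector by sector; sectors that still
    fail are written as zeros and their offsets recorded, so the report
    shows exactly where the image differs from the disk.
    """
    h, bad_sectors, offset = Hashes(), [], 0
    while True:
        try:
            data = _read_at(src, offset, CHUNK)
        except OSError:
            pieces = []
            for off in range(offset, offset + CHUNK, SECTOR):
                try:
                    s = _read_at(src, off, SECTOR)
                except OSError:
                    bad_sectors.append(off)
                    s = b"\x00" * SECTOR
                if not s:          # end of the source inside this chunk
                    break
                pieces.append(s)
            data = b"".join(pieces)
        if not data:
            break
        dst.write(data)
        h.update(data)
        offset += len(data)
    dst.flush()
    report = h.result()
    report["bad_sectors"] = bad_sectors
    return report


def verify(image: BinaryIO, acquisition: dict) -> bool:
    """Independently re-hash the written image; byte count and both hashes
    must equal the values recorded at acquisition time."""
    image.seek(0)
    h = Hashes()
    while True:
        data = image.read(CHUNK)
        if not data:
            break
        h.update(data)
    v = h.result()
    return all(v[k] == acquisition[k] for k in ("bytes", "md5", "sha256"))


class FlakySource(io.BytesIO):
    """Constructed stand-in for a disk: any read covering bad_offset fails."""

    def __init__(self, data: bytes, bad_offset: int) -> None:
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, size: int = -1) -> bytes:
        start = self.tell()
        if size > 0 and start <= self.bad_offset < start + size:
            raise OSError(5, "Input/output error")
        return super().read(size)
```

Nothing here opens the source for writing, but that is not what a write blocker is for: the blocker is what stops the operating system from touching the disk behind the imager's back (mounting it, updating journals or metadata), which is the risk the post describes.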
minime2k9
(@minime2k9)
Active Member

> If you do not use a write blocker, the chances that the disk will be changed in some, even small, way are extremely high.
>
> A forensic image must be 100.00000% identical

Not strictly true. There are a number of reasons why you might not be able to create a "100% identical" image.
Firstly, with NAS systems, especially proprietary ones, the only way to get an image can be to power it on and get a logical image over a network. This image would be neither complete nor identical.
Same goes for phone extractions, even physicals, where the device must be turned on. RAM captures will be different by the time you make them, etc.
It's best practice not to change data, but if you connect a disk to a system and it changes the last mounted time on the disk or some file system metadata, that doesn't cause 1000 indecent images to appear.

Back to the actual problem in hand though, you could use some USB writeblocking software as opposed to a hardware write blocker or boot your device to a forensic distribution of either Linux (CAINE, DEFT etc) or Windows (WinFE), connect the device and image from the system.

When you are connecting it to a writeblocker, are you removing the hard disk drive from the external case and connecting via SATA or connecting the device in its caddy to a writeblocker using USB connection?

Some external hard disks appear gibberish unless read through the card used as part of the caddy.

Posted : 08/11/2017 1:24 pm
Simarno
(@simarno)
New Member

Seems legit.

> When you are connecting it to a writeblocker, are you removing the hard disk drive from the external case and connecting via SATA or connecting the device in its caddy to a writeblocker using USB connection?

I extracted the HDD from the case and connected it through SATA.

Posted : 08/11/2017 3:06 pm
athulin
(@athulin)
Community Legend

> Using a Tableau write blocker, I am trying to forensically image a 2 TB HGST external HDD.
>
> The device is recognized by the OS (Windows 7), but Disk Manager shows the error "Media write blocked".

Tilt? Do I understand you correctly? I interpret your post to say that you've write-blocked the drive that you want to take a forensic image of. Your device manager confirms it.

Isn't that how you want it to be?

Posted : 08/11/2017 3:53 pm
JaredDM
(@jareddm)
Active Member

> Not strictly true. There are a number of reasons why you might not be able to create a "100% identical" image.
> Firstly, with NAS systems, especially proprietary ones, the only way to get an image can be to power it on and get a logical image over a network. This image would be neither complete nor identical.

No, the proper way is to remove the NAS disks, image them individually, and then build a virtual RAID and create an image of that. It'll come out the same no matter how many times you image it if you do it that way. Grabbing an image through the NAS is a hack IMHO, and is incredibly slow.

Nearly all NASs these days are Linux or FreeBSD based, so the filesystems and RAID patterns are straight up open source. Usually doesn't take more than a few minutes to figure it out if you know what you are doing.

Unless you are talking about an iSCSI target, which is treated as DAS despite reading over the network. That you might be better off reading through the NAS in some cases, but even then you can do it with the target unmounted and create an image properly multiple times. It'll only change if someone accesses or mounts it, which you should know how to avoid if you're doing forensics.

Posted : 08/11/2017 11:29 pm
minime2k9
(@minime2k9)
Active Member

> No, the proper way is to remove the NAS disks, image them individually, and then build a virtual RAID and create an image of that. It'll come out the same no matter how many times you image it if you do it that way. Grabbing an image through the NAS is a hack IMHO, and is incredibly slow.
>
> Nearly all NASs these days are Linux or FreeBSD based, so the filesystems and RAID patterns are straight up open source. Usually doesn't take more than a few minutes to figure it out if you know what you are doing.

My example was probably not the best and neither was the wording, and for the majority of NAS boxes I use the method you mention. It does become more tricky to rebuild RAIDs based on partitions rather than disks, as quite a lot of NAS boxes using Linux do. A simple way is to connect the disks to a forensic distro of Linux and use the mdadm command to rebuild. Try doing this through a write blocker, however, and you will find that it won't work, as it needs to write to the filesystem.

However, if you have a proprietary RAID card in a NAS system (or PC for that matter) that isn't supported in any forensic tool, you may have to boot it and image that way.

Also you'd be surprised how many forensic companies still image over the network.

Posted : 10/11/2017 7:20 am
minime2k9
(@minime2k9)
Active Member

> I extracted the HDD from the case and connected it through SATA.

Try connecting it through a USB write blocker and then imaging it. If it's USB 3 it should be fairly quick anyway.

Posted : 10/11/2017 7:22 am
Simarno
(@simarno)
New Member

I don't get what you mean by *USB 3 Write Blocker*; the HDD has a SATA interface, so … do you mean that I have to use a *SATA to USB 3 adapter*?

Posted : 10/11/2017 2:42 pm
minime2k9
(@minime2k9)
Active Member

> I don't get what you mean by *USB 3 Write Blocker*; the HDD has a SATA interface, so … do you mean that I have to use a *SATA to USB 3 adapter*?

I may have misunderstood your last answer.

Is this an external hard disk that came in a plastic casing with a circuit board to make it USB3 or is it simply a 3.5" spinning hard disk with nothing else?

Posted : 10/11/2017 2:44 pm
Simarno
(@simarno)
New Member

3.5" spinning one

Posted : 10/11/2017 2:53 pm
minime2k9
(@minime2k9)
Active Member

Sorry, got the wrong end of the stick.

Do you have multiple imaging machines? Can you try it on another one?
What software are you using to image the disk?

Posted : 10/11/2017 2:57 pm
jahearne
(@jahearne)
Junior Member

I would do it two ways if you have the time and resources.

First is to take the NAS unit and direct-attach it to your workstation and grab an image before you take it apart and break it - just in case! Image it first direct attached. In Windows you can use diskpart to disable automount. Carefully document your steps no matter what procedure you use.

Depending on the model of the NAS unit, you can take it apart and then image the drive(s) individually. Most of them are simple: RAID-0 stripe, usually 64 KB or 512 KB, XFS or EXT4 file system. But some are 1/2 KB stripe or a span. Don't even mess with a Drobo! And some WDs have an encrypted bridge.

Good luck,

Posted : 17/01/2019 5:19 am
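To show the "image each member, then rebuild the array virtually" approach that JaredDM and jahearne describe, here is an added Python example (not code from anyone in this thread). It reconstructs a RAID-0 volume from per-member image files by interleaving stripes in array order, reading the images only, so neither the images nor the write-blocked source disks are ever written to, which is the situation minime2k9 contrasts with mdadm needing write access. Member order and stripe size are assumed to be known already; `stripe_to_members` is a constructed fixture that exists only to build sample member images for the demonstration (two members, 512-byte stripes).

```python
"""Rebuild a RAID-0 volume from per-member images without touching the disks.

Added example; not code from the thread. Stripe size and member order are
assumed known. Real volumes need those values from the array's own
metadata or from trial reassembly followed by a filesystem sanity check.
"""
import hashlib
import io
from typing import BinaryIO, Iterable, List


def stripe_to_members(payload: bytes, n_members: int, stripe_size: int) -> List[bytes]:
    """Constructed fixture only: lay payload out as RAID-0 (round-robin
    stripes) so the example has member 'images' to work from."""
    members = [bytearray() for _ in range(n_members)]
    for stripe_no, i in enumerate(range(0, len(payload), stripe_size)):
        members[stripe_no % n_members] += payload[i:i + stripe_size]
    return [bytes(m) for m in members]


def reassemble_raid0(members: List[BinaryIO], stripe_size: int, out: BinaryIO) -> dict:
    """Interleave stripes from the member images, in array order, into out.

    Members are only read, never written. Reassembly stops at the first
    member that runs dry, which for a healthy array is the end of the
    volume. Returns size and SHA-256 of the rebuilt volume for the notes.
    """
    sha, total = hashlib.sha256(), 0
    for m in members:
        m.seek(0)
    while True:
        for m in members:
            stripe = m.read(stripe_size)
            if not stripe:
                return {"bytes": total, "sha256": sha.hexdigest()}
            out.write(stripe)
            sha.update(stripe)
            total += len(stripe)


def reassemble_from_files(paths: Iterable[str], stripe_size: int, out_path: str) -> dict:
    """Same rebuild over image files on disk; paths must be in member order.
    Member images are opened read-only; only the output file is created."""
    handles = [open(p, "rb") for p in paths]
    try:
        with open(out_path, "wb") as out:
            return reassemble_raid0(handles, stripe_size, out)
    finally:
        for h in handles:
            h.close()


def demo() -> dict:
    """Constructed end-to-end run: stripe a payload, rebuild it, compare."""
    # 4096 bytes where no two 512-byte stripes are alike, so a wrong member
    # order or stripe size cannot accidentally produce the right volume.
    payload = b"".join(i.to_bytes(2, "big") for i in range(2048))
    members = stripe_to_members(payload, 2, 512)
    out = io.BytesIO()
    report = reassemble_raid0([io.BytesIO(m) for m in members], 512, out)
    report["matches_payload"] = out.getvalue() == payload
    return report
```

Getting the member order or the stripe size wrong does not fail loudly: the rebuild simply produces a volume whose filesystem does not parse. Check for a sensible superblock after the rebuild, and record the parameters used together with the SHA-256 of the result, since that hash is what makes the virtual array reproducible on a later run.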