
How to forensically image a 2Tb External HDD

13 Posts
6 Users
0 Likes
2,613 Views
Simarno
(@simarno)
Posts: 11
Active Member
Topic starter
 

Using a Tableau write blocker, I am trying to forensically image a 2 TB HGST external HDD.

The device is recognized by the OS (Win7), but Disk Manager shows an error: Media write blocked.

Have any of you encountered similar difficulties? Do I absolutely need to use the write blocker?

 
Posted : 08/11/2017 12:00 pm
mscotgrove
(@mscotgrove)
Posts: 934
Prominent Member
 

If you do not use a write blocker, the chances that the disk will be changed in some, even small, way are extremely high.

A forensic image must be 100.00000% identical

 
Posted : 08/11/2017 1:10 pm
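To make the "100% identical" requirement concrete, here is an added example (not code from this thread or from any of its posters) of the two things a forensic imager does that a plain file copy does not: it hashes the data as it is read so the image can be verified later, and it handles an unreadable block deterministically (zero-fill and log the offset, the same convention as dd conv=noerror,sync) so that a second acquisition of the same drive produces the same hash. It images a constructed in-memory "disk" instead of a real device; the FlakyDevice class, the 16 KiB sample data, the bad-block offset and the 4 KiB block size are all assumptions for the demo.

```python
"""Block-wise acquisition with hashing and bad-block handling (added example).

Images a file-like stand-in for a block device. For a real drive you would
wrap open("/dev/sdX", "rb") (behind a hardware write blocker) and take the
size from os.lseek(fd, 0, os.SEEK_END); nothing else changes.
"""
import hashlib
import io
import os
import tempfile

BLOCK = 4096  # read size; real imagers retry a failed block at sector size first


class FlakyDevice:
    """Constructed stand-in for a disk: a bytes buffer with one unreadable block.

    Hypothetical class for this demo only; any read that overlaps bad_offset
    raises EIO, mimicking a bad sector. bad_offset=None means a healthy disk.
    """

    def __init__(self, data: bytes, bad_offset) -> None:
        self._buf = io.BytesIO(data)
        self.size = len(data)
        self.bad_offset = bad_offset

    def seek(self, offset: int) -> None:
        self._buf.seek(offset)

    def read(self, n: int) -> bytes:
        pos = self._buf.tell()
        if self.bad_offset is not None and pos <= self.bad_offset < pos + n:
            raise OSError(5, "Input/output error")
        return self._buf.read(n)


def acquire(dev, dst_path: str, block: int = BLOCK) -> dict:
    """Copy dev to dst_path block by block, zero-filling unreadable blocks.

    Returns a report with the image hash and the offsets that could not be
    read; both belong in the acquisition notes.
    """
    digest = hashlib.sha256()
    bad = []
    pos = 0
    with open(dst_path, "wb") as out:
        while pos < dev.size:
            n = min(block, dev.size - pos)
            dev.seek(pos)
            try:
                chunk = dev.read(n)
            except OSError:
                chunk = b"\x00" * n       # keep offsets stable: substitute zeros
                bad.append(pos)
            if not chunk:                  # unexpected EOF: stop rather than spin
                break
            out.write(chunk)
            digest.update(chunk)
            pos += len(chunk)
    return {"bytes": pos, "bad_blocks": bad, "sha256": digest.hexdigest()}


def verify(dst_path: str, expected_sha256: str) -> bool:
    """Re-hash the written image in a pass independent of the acquisition."""
    h = hashlib.sha256()
    with open(dst_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def run_demo(bad_offset=8192) -> tuple:
    """Image a constructed 16 KiB disk; default has one bad block at 8192.

    Returns (report, hash the image is expected to have, verify() result).
    """
    data = bytes(range(256)) * 64          # constructed sample, 16384 bytes
    dev = FlakyDevice(data, bad_offset)
    if bad_offset is None:
        expected = data
    else:
        expected = data[:bad_offset] + b"\x00" * BLOCK + data[bad_offset + BLOCK:]
    expected_sha = hashlib.sha256(expected).hexdigest()
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        report = acquire(dev, path)
        ok = verify(path, report["sha256"])
    finally:
        os.unlink(path)
    return report, expected_sha, ok


if __name__ == "__main__":
    report, expected_sha, ok = run_demo()
    print(report, "verified:", ok, "matches expected:", report["sha256"] == expected_sha)
```

Two images of the same flaky disk taken this way hash identically, which is what makes the image defensible; an imager that skipped or retried bad blocks inconsistently would not give you that. The write blocker's job is the other half: guaranteeing that nothing on the source changed between the two acquisitions.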
minime2k9
(@minime2k9)
Posts: 474
Honorable Member
 

If you do not use a write blocker, the chances that the disk will be changed in some, even small, way are extremely high.

A forensic image must be 100.00000% identical

Not strictly true. There are a number of reasons why you might not be able to create a "100% identical" image.
Firstly, with NAS systems, especially proprietary ones, the only way to get an image can be to power it on and get a logical image over a network. This image would be neither complete nor identical.
The same goes for phone extractions, even physicals, where the device must be turned on. RAM captures will be different by the time you make them, etc. etc.
It's best practice not to change data, but if you connected a disk to a system and it changed the last mounted time on the disk or some file system metadata, that doesn't cause 1,000 indecent images to appear.

Back to the actual problem in hand though: you could use some USB write-blocking software as opposed to a hardware write blocker, or boot your device to a forensic distribution of either Linux (CAINE, DEFT etc.) or Windows (WinFE), connect the device and image from that system.

When you are connecting it to a writeblocker, are you removing the hard disk drive from the external case and connecting via SATA or connecting the device in its caddy to a writeblocker using USB connection?

Some external hard disks appear gibberish unless read through the card used as part of the caddy.

 
Posted : 08/11/2017 1:24 pm
Simarno
(@simarno)
Posts: 11
Active Member
Topic starter
 

Seems legit.

When you are connecting it to a writeblocker, are you removing the hard disk drive from the external case and connecting via SATA or connecting the device in its caddy to a writeblocker using USB connection?

I extracted the HDD from the case and connected it through SATA.

 
Posted : 08/11/2017 3:06 pm
athulin
(@athulin)
Posts: 1143
Noble Member
 

Using Tableau Writeblocker, I try to image forensically a 2Tb hgst ehdd.

The device is recognized by OS Win7, but the disk manager shows an error Media write blocked.

Tilt? Do I understand you correctly? I interpret your post to say that you've write-blocked the drive that you want to take a forensic image of. Your device manager confirms it.

Isn't that how you want it to be?

 
Posted : 08/11/2017 3:53 pm
JaredDM
(@jareddm)
Posts: 118
Estimable Member
 

Not strictly true. There are a number of reasons why you might not be able to create a "100% identical" image.
Firstly, with NAS systems, especially proprietary ones, the only way to get an image can be to power it on and get a logical image over a network. This image would be neither complete nor identical.

No, the proper way is to remove the NAS disks, image them individually, and then build a virtual RAID and create an image of that. It'll come out the same no matter how many times you image it if you do it that way. Grabbing an image through the NAS is a hack IMHO, and is incredibly slow.

Nearly all NASs these days are Linux or FreeBSD based, so the filesystems and RAID patterns are straight up open source. Usually doesn't take more than a few minutes to figure it out if you know what you are doing.

Unless you are talking about an iSCSI target, which is treated as DAS despite reading over the network. For that you might be better off reading through the NAS in some cases, but even then you can do it with the target unmounted and create an image properly multiple times. It'll only change if someone accesses or mounts it, which you should know how to avoid if you're doing forensics.

 
Posted : 08/11/2017 11:29 pm
minime2k9
(@minime2k9)
Posts: 474
Honorable Member
 

No, the proper way is to remove the NAS disks, image them individually, and then build a virtual RAID and create an image of that. It'll come out the same no matter how many times you image it if you do it that way. Grabbing an image through the NAS is a hack IMHO, and is incredibly slow.

Nearly all NASs these days are Linux or FreeBSD based, so the filesystems and RAID patterns are straight up open source. Usually doesn't take more than a few minutes to figure it out if you know what you are doing.

My example was probably not the best and neither was the wording, and for the majority of NAS boxes I use the method you mention. It does become more tricky to rebuild RAIDs based on partitions rather than disks, as quite a lot of NAS boxes using Linux do. A simple way is to connect the disks to a forensic distro of Linux and use the mdadm command to rebuild. Try doing this through a write blocker, however, and you will find that it won't work as it needs to write to the filesystem.

However, if you have a proprietary RAID card in a NAS system (or PC for that matter) that isn't supported in any forensic tool, you may have to boot it and image that way.

Also you'd be surprised how many forensic companies still image over the network.

 
Posted : 10/11/2017 7:20 am
minime2k9
(@minime2k9)
Posts: 474
Honorable Member
 

I extracted the HDD from the case and connect it through SATA

Try connecting it through a USB write blocker and then imaging it. If it's USB 3 it should be fairly quick anyway.

 
Posted : 10/11/2017 7:22 am
Simarno
(@simarno)
Posts: 11
Active Member
Topic starter
 

I don't get what you mean by *USB 3 write blocker*; the HDD has a SATA interface, so … do you mean that I have to use a *SATA to USB 3 adapter*?

 
Posted : 10/11/2017 2:42 pm
minime2k9
(@minime2k9)
Posts: 474
Honorable Member
 

I don't get what you mean by *USB 3 write blocker*; the HDD has a SATA interface, so … do you mean that I have to use a *SATA to USB 3 adapter*?

I may have misunderstood your last answer.

Is this an external hard disk that came in a plastic casing with a circuit board to make it USB 3, or is it simply a 3.5" spinning hard disk with nothing else?

 
Posted : 10/11/2017 2:44 pm
Simarno
(@simarno)
Posts: 11
Active Member
Topic starter
 

3.5" spinning one

 
Posted : 10/11/2017 2:53 pm
minime2k9
(@minime2k9)
Posts: 474
Honorable Member
 

Sorry got the wrong end of the stick.

Do you have multiple imaging machines? Can you try it on another one?
What software are you using to image the disk?

 
Posted : 10/11/2017 2:57 pm
jahearne
(@jahearne)
Posts: 35
Eminent Member
 

I would do it two ways if you have the time and resources.

First is to take the NAS unit and direct attach it to your workstation and grab an image before you take it apart and break it - just in case! Image it first direct attached. In Windows you can use diskpart to disable automount. Carefully document your steps no matter what procedure you use.

Depending on the model of the NAS unit, you can take it apart and then image the drive(s) individually. Most of them are simple: RAID-0 stripe, usually 64 KB or 512 KB, XFS or EXT4 file system. But some are 1/2 KB stripe or a span. Don't even mess with a Drobo! And some WDs have an encrypted bridge.

Good luck,

 
Posted : 17/01/2019 5:19 am
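The "image each disk, then build a virtual RAID" approach from minime2k9's and jahearne's posts above, as an added example (not code from this thread, nor a Tableau, mdadm or NAS vendor tool). It reassembles a RAID-0 volume from per-member images without touching the originals, which is exactly the step a write blocker gets in the way of when mdadm wants to write. Stripe size and member order are the two unknowns in practice, so the block brute-forces both against a plausibility check. Everything here is constructed: two members, a 64 KiB chunk, a 4096-byte header on each member standing in for the partition/superblock area that precedes the data, and a synthetic "filesystem" whose sectors carry their own LBA so a wrong layout is detectable; the only real-world constant is the ext4 magic 0xEF53 at byte 1080 of the volume.

```python
"""Virtual RAID-0 rebuild from member disk images (added example).

Member images are bytes objects here; on a real case they would be the
raw/E01 images of each NAS disk opened read-only. stripe() exists only to
construct sample members and runs in the opposite direction from the
forensic workflow.
"""
import hashlib
import itertools
import struct

SECTOR = 512
EXT4_MAGIC = 0xEF53   # little-endian u16 at offset 1024 + 0x38 of an ext2/3/4 volume


def stripe(volume: bytes, n_disks: int, chunk: int, data_offset: int = 0) -> list:
    """Split a logical volume into RAID-0 members (sample construction only).

    data_offset bytes of 0xFF filler precede the data on each member, standing
    in for a partition table and/or md superblock (an assumption for the demo).
    """
    members = [bytearray(b"\xff" * data_offset) for _ in range(n_disks)]
    for i in range(0, len(volume), chunk):
        members[(i // chunk) % n_disks] += volume[i:i + chunk]
    return [bytes(m) for m in members]


def destripe(members, chunk: int, data_offset: int = 0, order=None) -> bytes:
    """Reassemble a RAID-0 volume from members in the given disk order.

    Only reads from the member images; nothing is written anywhere.
    """
    order = list(range(len(members))) if order is None else order
    views = [memoryview(members[i])[data_offset:] for i in order]
    n_chunks = min(len(v) for v in views) // chunk      # drop a trailing partial chunk
    out = bytearray()
    for c in range(n_chunks):
        for v in views:
            out += v[c * chunk:(c + 1) * chunk]
    return bytes(out)


def looks_consistent(volume: bytes) -> bool:
    """Plausibility check used to pick stripe size and member order.

    Real part: the ext4 magic must sit at byte 1080. Demo-only part: every
    sector of the constructed sample starts with its own LBA, so any wrong
    layout misplaces a sector and fails. On real images replace the second
    test with structures the filesystem guarantees (backup superblocks,
    block-group descriptors, XFS AG headers, etc.).
    """
    if len(volume) < 1082 or struct.unpack_from("<H", volume, 1080)[0] != EXT4_MAGIC:
        return False
    return all(struct.unpack_from("<Q", volume, s * SECTOR)[0] == s
               for s in range(len(volume) // SECTOR))


def find_layout(members, data_offset: int, chunk_sizes=(4096, 65536, 524288),
                check=looks_consistent) -> list:
    """Try every (chunk size, member order); return the combinations that pass."""
    hits = []
    for chunk in chunk_sizes:
        for order in itertools.permutations(range(len(members))):
            if check(destripe(members, chunk, data_offset, list(order))):
                hits.append((chunk, list(order)))
    return hits


def make_sample_volume(n_sectors: int = 1024) -> bytes:
    """Constructed 512 KiB 'filesystem': LBA tag per sector, ext4 magic at 1080."""
    buf = bytearray()
    for s in range(n_sectors):
        filler = hashlib.sha256(s.to_bytes(8, "little")).digest() * (SECTOR // 32)
        sector = bytearray(filler)
        struct.pack_into("<Q", sector, 0, s)
        buf += sector
    struct.pack_into("<H", buf, 1080, EXT4_MAGIC)
    return bytes(buf)


def run_demo(shuffle: bool = False) -> tuple:
    """Build two members, optionally mislabel their order, recover the layout.

    Returns (layouts found, whether the rebuilt volume hashes like the original).
    """
    volume = make_sample_volume()
    members = stripe(volume, n_disks=2, chunk=64 * 1024, data_offset=4096)
    if shuffle:
        members = members[::-1]            # disks pulled from the NAS in the wrong order
    layouts = find_layout(members, data_offset=4096)
    chunk, order = layouts[0]
    rebuilt = destripe(members, chunk, 4096, order)
    same = hashlib.sha256(rebuilt).hexdigest() == hashlib.sha256(volume).hexdigest()
    return layouts, same


if __name__ == "__main__":
    print(run_demo(), run_demo(shuffle=True))
```

The rebuilt volume is what you would then hash and image as the "virtual RAID". Because the member images are only ever read, the result is reproducible run after run, which is the property JaredDM is after, and the brute-force over stripe size and order is cheap for the two- to four-disk boxes most NAS units contain.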