Practicing forensics

jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

I want to practice forensics on a couple of IDE drives that I took out of a computer. I have a laptop, but I'm not sure what device I need to get in order to do this. Do I need a write-block device, or can I go with a USB external case that can mount an IDE drive? Any tips on getting me started would be much appreciated!

Thanks!
John

 
Posted : 18/10/2006 7:00 pm
deckard
(@deckard)
Posts: 77
Trusted Member
 

If you are just practicing a WB isn't absolutely necessary, BUT you may as well learn the right way. I actually suggest you do it with and without the WB so you can see what changes on your "suspect" drives.

You didn't say your OS or what tools, so can't help you there. A plain old USB box will not write protect your drives however.
If you are more specific with your question we can help more.

 
Posted : 18/10/2006 7:30 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

I run Windows XP on my laptop, but I also run backtrack and ubuntu os in a vmware session. Can you do forensics from a vmware session? Anyway, the host os would be xp, and the drive that will be the testing drive has windows xp on it as well. What are the price differences (approx.) between a WB device and a non-WB?

Thanks!
John

 
Posted : 18/10/2006 7:42 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

There is a switch you can make in the registry of Windows XP running SP2 that blocks write access on all USB ports. There are a few free utils that do it for you, so you could download one of those as it's quicker to switch it on and off.

With regards to your virtual machine, you might have some issues with devices being correctly recognised. Is there not an option to run Linux and Windows XP as dual boot?

Linux has its own features which would be good to use. You can set Linux to either not mount anything other than your boot drive or set it to only mount attached devices as read-only. It still means that the OS can write to the disk, but it can't touch the file-system and therefore the files stored within that file-system. Linux offers you a set of free tools that you can use including search features, hex editor and so on. Because Linux will treat your 'suspect' drive as a file it can easily search unallocated space too.

Steve

 
Posted : 18/10/2006 9:57 pm
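The two practical points in this thread are (a) deckard's suggestion to handle the practice drive with and without a write blocker and see what changes, and (b) Steve's point that Linux can treat the drive as a file and mount it read-only. The script below is an added example, not code posted by anyone in the thread: it hashes the "suspect" device before and after acquisition, images it bit for bit with `dd`, and confirms that the image hash matches and that the source hash did not change. The `suspect.raw` file built by `demo` is a constructed 2 MiB stand-in for the IDE drive, so the script runs without a real disk; replace it with the block device (for example `/dev/sdb`) when you have the drive in an enclosure. The `mount_readonly` helper needs root and a loop device, so it is only shown, not run, in the demo.

```shell
#!/bin/sh
# Added example (not from the thread): prove a practice "suspect" drive was
# not altered by hashing it before and after, and acquire a verifiable image.
set -eu

# Hash a block device or image file. Uses coreutils sha256sum when present,
# otherwise the perl shasum that ships with most Unix systems.
hash_image() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare two hashes recorded at different times (e.g. before and after a
# session with or without a write blocker). Returns 0 if nothing changed.
unchanged() {
    [ "$1" = "$2" ]
}

# Bit-for-bit copy of the source to an image file. Prints the verified hash
# and returns 0 only if source-before, source-after and image all match,
# which is exactly what a write blocker is supposed to guarantee.
# Note: plain dd stops on read errors; for failing disks use ddrescue/dcfldd.
acquire_and_verify() {
    src=$1; dst=$2
    before=$(hash_image "$src")
    dd if="$src" of="$dst" bs=1M conv=noerror 2>/dev/null
    after=$(hash_image "$src")
    image=$(hash_image "$dst")
    if unchanged "$before" "$after" && unchanged "$before" "$image"; then
        echo "$image"
        return 0
    fi
    echo "hash mismatch: before=$before after=$after image=$image" >&2
    return 1
}

# Mount an acquired image read-only through a loop device (needs root).
# "ro" alone is not enough for ext3/ext4: the driver may still replay the
# journal on mount, so "noload" is added; drop it for non-ext filesystems.
# Always mount the image copy, never the original drive.
mount_readonly() {
    mount -o ro,loop,noexec,nodev,noload "$1" "$2"
}

# Demo on a constructed 2 MiB "drive" so the script runs without hardware.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/suspect.raw" bs=1M count=2 2>/dev/null
    h=$(acquire_and_verify "$tmp/suspect.raw" "$tmp/suspect.dd")
    echo "image verified, sha256=$h"
    echo "to examine it: mount_readonly $tmp/suspect.dd /mnt/evidence (as root)"
    rm -rf "$tmp"
}

demo
```

Run it once with the drive in a plain USB enclosure and once behind a write blocker, and keep the two "before" hashes: if the enclosure run reports a mismatch, the OS wrote to the drive on attach (journal replay, volume metadata, system volume information), which is the difference deckard is pointing at.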
az_gcfa
(@az_gcfa)
Posts: 116
Estimable Member
 

A couple of good Linux CD tools are Helix http://www.e-fense.com/helix/ and PC Sleuth http://www.linux-forensics.com/. These CD distributions are free.

However, at first appearance they are somewhat overwhelming and mildly complex – I've been told. After practice and repeated use, I find them quite useful. Instructions are available so that you can customize the tools and distros to your own preference, if you desire.

In all fairness, there are other distros available also, some FreeBSD-based, and Knoppix- and Debian-based.

 
Posted : 18/10/2006 10:58 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

So, should I take this as "it's okay to get an external USB tray…" to do some practicing with?

John

 
Posted : 18/10/2006 11:43 pm