Hi, I want to purchase an external USB hard drive for laying down forensic images on. What considerations do I need to make when purchasing one for forensic images and managing it prior to laying down images on it? Many thanks
Hi,
First things first. USB isn't very quick so you might prefer to spend a little more money and get a FireWire b unit or simply put the hard drive you image to inside your PC.
As for considerations, well there aren't many. Wiping it properly first would be the main thing.
Steve
That can be quite contentious! If you are putting, for instance, EnCase .E01 files on to the disk with its built-in CRC and MD5 integrity checks then cross contamination is not really an issue. Wouldn't wiping the disk be a waste of the busy analyst's time?
The only argument I can think of that would be pro-wiping would be that it could remove any 'reasonable doubt' in the eyes of a jury - but then again if you can explain to them clearly that this isn't an issue with E01 files this can be easily tackled.
Another issue regarding drives that you place forensic images on is the file system you format it with. NTFS generally fragments more than FAT32, so you may want to consider formatting it in FAT32 for increased performance.
Hi there Jonathan,
Yes I was being fairly simplistic.
The original post said forensic images so I was assuming it would be an enclosed forensic image file format.
The wiping thing is just a precautionary thing and usually means you don't have to explain why there couldn't be any cross contamination.
As for FAT vs NTFS. The other consideration might be wanting to access the image files with a Mac or a Linux PC. FAT would be the way to go there then.
Speed was the first thing that came to mind when reading the post. Searches in EnCase and FTK took about twice as long when I ran some comparisons between USB and internal.
Steve
Thanks both, the USB will be for collecting the image on the external HD, then this will be taken back to the lab and stored on workstations there, so searching from an external device won't be an issue, if I understand you correctly.
paulo,
What OS/software(s) are you using to create and examine the images?
Will the drive be used to store anything else, or more than one job?
This would help determine filesystem requirements.
What image / storage size(s) are you looking at?
USB may not be feasible due to image size and speed considerations. Maybe look to use FireWire/NAS/internal/dedicated cloner as it's only going to be used for transport.
Do you wipe the drive or not? Could be time consuming if it's large and USB, unless you can pop it out of its case and wipe the drive. Some utils use the electronics inside the drive. Much quicker, more secure and forensically sound as a record is left inside the drive of the full wipe.
Kern
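An added example, not from any poster in this thread: one way to confirm that a target drive really is wiped before it goes to site, and to keep a record of that check for case notes. It assumes a single-pattern (zero-fill) wipe; the function names, the record fields and the sample file are constructed for illustration.

```python
import json, os, tempfile
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # read size; large reads keep an external target streaming

def verify_wiped(path, pattern=0x00, chunk_size=CHUNK):
    """Read `path` (image file or raw device node) end to end and confirm
    every byte equals `pattern`. Returns a dict suitable for case notes."""
    fill = bytes([pattern])
    checked = 0          # bytes confirmed to match the wipe pattern so far
    first_bad = None     # absolute offset of the first non-pattern byte
    with open(path, "rb", buffering=0) as dev:
        while True:
            block = dev.read(chunk_size)
            if not block:
                break
            if block.count(fill) != len(block):
                # leading pattern bytes in this block are still clean
                first_bad = checked + len(block) - len(block.lstrip(fill))
                break
            checked += len(block)
    return {
        "target": path,
        "pattern": f"0x{pattern:02x}",
        "bytes_verified": checked,
        "first_mismatch_offset": first_bad,
        "wiped": first_bad is None and checked > 0,  # empty target is not a pass
        "checked_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def demo():
    """Constructed sample: a 1 MiB zero-filled file, then one stale byte added."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "target.bin")
        with open(target, "wb") as f:
            f.write(bytes(1024 * 1024))
        clean = verify_wiped(target, chunk_size=64 * 1024)
        with open(target, "r+b") as f:
            f.seek(700_000)
            f.write(b"\x41")  # simulated residue from an earlier job
        dirty = verify_wiped(target, chunk_size=64 * 1024)
    return clean, dirty

if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record))
```

Pointed at a raw device node instead of a file, the same function needs read permission on the device and will take as long as a full read of the drive over whatever interface it is attached by.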
400 gig (approx), all images will be off Windows based systems, 2000 and XP, no Vista (as yet). No, it will be just for images as it will be taken to sites and used with FTK Imager, but more than one image potentially. Thanks
Greetings,
I've been using external SATA drive enclosures with both FireWire and eSATA interfaces and have been quite happy with the setup. My field system has FireWire and the lab systems have both. Plenty of speed, far better than USB.
-David
Just to throw in my 2c worth.
If you are using it to write evidence files / images out to then I would go for eSATA against USB. I have done some basic testing by imaging a known drive and writing out using USB and eSATA. I found the latter to be considerably quicker. Really depends on what is an issue, speed against cost etc.
Cheers
Mark
Sometimes speed isn't the issue, it's being able to access the images once you've acquired them.