forensic copy trouble: wd elements

Look for any log files from FTK that may show errors. Its possible there may be read errors on the WD Drive. Also possible it could be an output issue to where the data is going. Could also be the OS not reading the drive well. Check event logs or see if the drive is still mounted.

Not much to offer unless you can provide more details. Also are you using a USB write-blocker or similar tool?

Also try a different USB3 port.
Our experience has been that rear ports (directly connected to the motherboard) are much more reliable than front USB ports. The front ports are typically connected by a low quality internal cable and fill up with dust due to the case fans pulling air through the box, front to back.

acquire parital image of the drive pass first 10 gb or something use data dump from digital detective encase imager vs

thanks all. I am using wiebetech USB writeblocker.

Software imaging of WD's USB native drives (they have no SATA, just USB) can be tricky if the drives have any bad sectors. Because of the nature of the cheap USB bridge built into the PCB they tend to hang and sometimes don't recover when they hit even one bad sector. There's two basic methods to acquire a forensic image in such a case

Option A DeepSpar Disk Imager with USB & forensics addon (~$6,000)
Option B Convert it to a SATA PCB and decrypt the data using PC-3000 system to an Encase image file (~$10.000)

There are other methods to obtain an image of the sectors, but the onboard encryption you'd need to handle afterward would invalidate the "forensic" part of the process.

Let me know if you ever need imaging done. We have both systems here that we use for data recovery. It's easy enough to switch into forensic mode to just image a drive quick.

Option C (where applicable) US $ 159
http//www.dolphindatalab.com/product/western-digital-usb-sata-pcb-package/
Option D (where applicable) US $ 0 (or nearly 0, but a lot of courage and time)
http//tidelog.kitamuracomputers.net/2013/05/31/recovering-data-from-wd-elements-drive-when-the-usb-connector-is-broken/

jaclaz

Option C (where applicable) US $ 159
http//www.dolphindatalab.com/product/western-digital-usb-sata-pcb-package/
Option D (where applicable) US $ 0 (or nearly 0, but a lot of courage and time)
http//tidelog.kitamuracomputers.net/2013/05/31/recovering-data-from-wd-elements-drive-when-the-usb-connector-is-broken/

jaclaz

Option C Problem The data will be encrypted if you convert to SATA PCB as the encryption is handled by the USB bridge chip embedded in the USB PCB. So you'll still need PC-3000 (see option B) to decrypt the data afterward.

Option D Problem Same as Option C

There may be some bootleg ways to handle the encryption after the fact, but now your data won't match the checksum when you imaged it, so you'll not have a truly forensic image.

I'm guessing you own a PC-3k AND that you have taken their training based on the truly forensic image comment.

Option C (where applicable) US $ 159
http//www.dolphindatalab.com/product/western-digital-usb-sata-pcb-package/
Option D (where applicable) US $ 0 (or nearly 0, but a lot of courage and time)
http//tidelog.kitamuracomputers.net/2013/05/31/recovering-data-from-wd-elements-drive-when-the-usb-connector-is-broken/

jaclaz

Option C Problem The data will be encrypted if you convert to SATA PCB as the encryption is handled by the USB bridge chip embedded in the USB PCB. So you'll still need PC-3000 (see option B) to decrypt the data afterward.

Option D Problem Same as Option C

There may be some bootleg ways to handle the encryption after the fact, but now your data won't match the checksum when you imaged it, so you'll not have a truly forensic image.

Dear all,
thanks for your answers. I solvede the situation. The problemwas my writeblocker. So I used caine to acquire the disk.
thanks