I have a Core 2 Duo laptop, 4GB RAM, Win7 or WinXP with ONE eSata port and USB ports.
I have an eSata write blocker (connection to forensic machine can be either eSata or USB).
My storage device can be eSata- or USB-connected to the laptop also.
Question for the knowledge well. I need to use the above hardware for an onsite imaging and am looking for best options.
Would you
1. Connect the suspect drive (via write blocker) to the laptop using eSata and the storage drive via USB?
-OR-
2. Connect the suspect drive (via writeblocker) to the laptop using USB and the storage device via eSata?
-OR-
3. Connect the suspect drive (via write blocker) to the laptop using eSata and create the E01 locally to the laptop and then move it over to the storage device?
Would there be noticeable difference between one scenario or the other?
The suspect drive is 160GB, SATA, laptop drive. The user is a "very busy person" and "cannot be without the machine for a long time" (aren't they all LOL) - while he is cooperating, I want to try to accommodate him.
Appreciate any advice.
-=Art=-
Your best throughput is most likely to image with your suspect drive on the eSATA connection, and then use an external USB2.0 drive to store the images and use compression.
Or boot the suspect/custodian laptop to a Linux/WinFE boot CD/USB, and image out to USB (or use an eSATA card if there is a slot on the laptop for it for real speed!).
A list of Forensics Linux CDs are here http//
Plus the Windows FE Boot Disk here http://winfe.tk
Raptor 2.0 is also a great tool - boot with CD or make bootable USB, hook up drives and image.
If your only option is using the USB (no expresscard slot available) you might look at the possibility of using a SATA hub (about $100 or so.)
A cheaper option that I have only considered but have never had to use is to use your laptop with a linux boot distro (USB or disk media) and to remove your laptop hdd and exchange it with a sanitized hdd. I would test this option before using but in theory it should work.
As for the direction of the imaging I generally go from slowest (read) to fastest (write) path to ensure I do not have buffer overflow issues.
I've imaged hundreds, perhaps close to 1k drives, and I dislike USB, too many buffer errors causing me to start over.
I like clownboys' suggestion to put a clean drive in your laptop and use a Linux boot CD (I know the developer of Raptor. Great proggie), then connect the evidence using an eSata write blocker.
Outside of that, Brett's suggestion of booting the evidence laptop to a boot CD and then imaging (preferably) to eSata is also good.
Good Luck.
MarkG
A cheaper option that I have only considered but have never had to use is to use your laptop with a linux boot distro (USB or disk media) and to remove your laptop hdd and exchange it with a sanitized hdd. I would test this option before using but in theory it should work.
If you work a lot with laptops of a particular brand, it can be useful to look for and obtain either a HD unit that fits into the CD/DVD slot (requires USB booting), or a docking station with a separate HD unit in, and then image over the ATA connection. I've used the first a lot with Lenovo laptops, mainly to avoid USB acquisition.
From the point of robustness, of course, this is not the best solution: the laptop is not as well-known a piece of equipment as a well-tried imaging station. Imaging a laptop with memory problems or similar hardware glitches will quickly demonstrate that.
Do you have the option to spend a few $ on one of these?
Jonathan gives good advice.
If I recall correctly, you can mirror on those eSATA ports 6Gbps. Talk about awesome for $50.
Thank you all.
Great set of suggestions.
-=Art=-