Oki thanks for confirmation Jefferreira, i use TD3 all the time, these feedback are interesting.
if I understand correctly, it is better to use only the T35 as a blocker to image from a workstation (with auto mount disabled) or just a live boot if i cannot extract the disk…
Is that correct?
if I understand correctly, it is better to use only the T35 as a blocker to image from a workstation (with auto mount disabled) or just a live boot if i cannot extract the disk…
Aquachimere thank you.
I only had access to one write blocker*, and I will not be able to confirm if other writer blockers can be used. The reader should test, if possible, if other write blockers can be used.
Because live cds have write protection that prevents changes to occur to the drive, a live cd with auto mount is enough to image the SSD, but a write-blocker should always be used when performing forensic Acquisition of any drive.
* I used a Tablaeu T8-R2, this change will be made to the article soon.
Jefferreira we are agree!
Do you know if paladin has auto mount disable? Is it a good live cd to image ssd drive?
I honestly don't know.
I used Deft zero 2017.1 mostly and Caine and parrotsecand these have the automount disabled and write protection enabled by default. These were all good to image SSDs.
Maybe some other user will be able to tell you if paladin has automount disabled or not. )
I honestly don't know.
I used Deft zero 2017.1 mostly and Caine and parrotsecand these have the automount disabled and write protection enabled by default. These were all good to image SSDs.
Maybe some other user will be able to tell you if paladin has automount disabled or not. )
I just checked it, auto mount is disable on Paladin..
Jeffeira,
you tell on 2.4 that the hash is different when the device is mounted and unmounted and that the data is not corrupting , so i don't understand if the device is a SSD drive mounted , the TRIM is active and you have a potential loss of data.. No?
What I am trying to explain on 2.4 is that a device either a HDD or an SSD will generate 2 different hash values depending on their mounting status.
Probably a poor example, but It is like a switch. On=H_1, Off=H_2
If you plug a drive without mounting it, the drive will produce one hash value H_1 once you mount it the same drive will produce a different hash value value H_2
Thank you for letting me know that paladin doesn't mount the drives. )
Thank you for letting me know that paladin doesn't mount the drives.
I confirm, Paladin have automount disable, i just checked it
Aquachimere, thank you.
If there are any other questions feel free to ask.
What I am trying to explain on 2.4 is that a device either a HDD or an SSD will generate 2 different hash values depending on their mounting status.
Probably a poor example, but It is like a switch. On=H_1, Off=H_2
If you plug a drive without mounting it, the drive will produce one hash value H_1 once you mount it the same drive will produce a different hash value value H_2
Thank you for letting me know that paladin doesn't mount the drives. )
Yes understood, but on one SSD drive, if it is mounted, you can loss data with the TRIM active, maybe you have to precise on SSD some data can be lost..