Notifications

Clear all

Need Help Fast on a Acquisition

Page 1 / 2 Next

General (Technical, Procedural, Software, Hardware etc.)

Last Post by kovar 16 years ago

17 Posts

8 Users

0 Reactions

1,973 Views

RSS

Challenger

(@challenger)

Active Member

Joined: 16 years ago

Posts: 14

Topic starter 03/08/2009 1:10 am

I am attempting to acquire a Hitachi DK23DA-20F IDE laptop HDD for a forensic investigation. This drive is a 20GB drive about 7 years old and resides in a Dell Inspiron Laptop. We are using EnCase 6.11, doing a network crossover through a switch, but have also attempted a direct Xover with a Xover cable. Same result, as described below, both times.

We are using the Linen boot disk to write protect the subjects drive. We select Option 1 and boot up in Sever Mode, when the subject's machine is listening we select "Add Device" on the lab machine, then select ‘network device’, and it takes off. Initially 44 MB are transferred to the lab machine, and then suddenly the transfer stops. It appears as if the MFT is transferred and nothing more. I can view some images and such. Next, I right click on the subjects drive (hda1) and select acquire. The acquisition starts but every time, when it acquires 664 MB, it suddenly stops.

I also attempted an acquisition with a Tableau write blocker. However, no matter what I do, that drive will not power up outside that laptop. The Tableau powers up and the green lights come on, but that drive just sits there and will not spin up. It is a standard laptop IDE drive but when it plugs into the laptop it must have an adapter that looks like some sort of SCSI adapter. It accepts the normal IDE pins on one side but on the other side it has "flat" pins that obviously slide into some type of connector on in the laptop. Somehow that drive does not power up when using a Tableau externally. The power pin configuration must be different, or something.

If I re-insert the drive into the Laptop it will spin up just fine.

Please forgive the urgency, but, I am running out of time.

Any help is greatly appreciated.

Thank you!

Quote

mitch

(@mitch)

Estimable Member

Joined: 19 years ago

Posts: 135

03/08/2009 1:21 am

rather than do a network Xover. Remover the HD from the laptop, Use a Write Protect device, and try imaging direct.

Regards

ReplyQuote

Challenger

(@challenger)

Active Member

Joined: 16 years ago

Posts: 14

Topic starter 03/08/2009 1:32 am

Hi

rather than do a network Xover. Remover the HD from the laptop, Use a Write Protect device, and try imaging direct.

Regards

You are absolutly correct. Somehow, I left out of my post that I ahve tried thats everal times with the problem that the drive will not power up outside of the computer. Sorry, please excuse that ommission.

Here is what I accidently omited

If I re-insert the drive into the Laptop it will spin up just fine.

Thank you!

ReplyQuote

miket065

(@miket065)

Estimable Member

Joined: 21 years ago

Posts: 187

03/08/2009 1:37 am

Try to boot up with Helix or another disto. See if you can read the disk with it. If so, use it for your acquisition.

ReplyQuote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

03/08/2009 1:43 am

If booting to a Linux distribution and imaging it over to the cross-over cable doesn't work, can you boot the system, login, and do a live acquisition? You can most likely use the ntchpwd boot disk to change the Admin password if you need to, and be sure to thoroughly document what you do, as well as when and why you do it.

ReplyQuote

Challenger

(@challenger)

Active Member

Joined: 16 years ago

Posts: 14

Topic starter 03/08/2009 1:56 am

If booting to a Linux distribution and imaging it over to the cross-over cable doesn't work, can you boot the system, login, and do a live acquisition? You can most likely use the ntchpwd boot disk to change the Admin password if you need to, and be sure to thoroughly document what you do, as well as when and why you do it.

I have never attempted that. It would seem to take one outside of the 'forensic bubble'. Is that why you say be sure to take the notes as to what and why? I can try it, but need to ask my client before I do it in order to ascertain the risks. If she approves that would be a a good idea.
Thank you.

ReplyQuote

Challenger

(@challenger)

Active Member

Joined: 16 years ago

Posts: 14

Topic starter 03/08/2009 1:58 am

Try to boot up with Helix or another disto. See if you can read the disk with it. If so, use it for your acquisition.

I have never tried that. Do you have any details? Where can I get the correct Helix disk? Thank you.

ReplyQuote

miket065

(@miket065)

Estimable Member

Joined: 21 years ago

Posts: 187

03/08/2009 2:27 am

http//www.efense.com/helix3-download.php

ReplyQuote

Challenger

(@challenger)

Active Member

Joined: 16 years ago

Posts: 14

Topic starter 03/08/2009 2:55 am

http//www.efense.com/helix3-download.php

Thank you sir!

ReplyQuote

miket065

(@miket065)

Estimable Member

Joined: 21 years ago

Posts: 187

03/08/2009 3:27 am

Another option that has worked for me in the past is to use the old "EnCase Network Boot Disk" (the predecessor of Linen).

Attach a USB "destination" drive to the system, boot it with ENBD and use the DOS version of EnCase to acquire.

ReplyQuote

Page 1 / 2 Next

8 Forums
15.7 K Topics
92.3 K Posts
187 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed