Another option that has worked for me in the past is to use the old "EnCase Network Boot Disk" (the predecessor of Linen).
Attach a USB "destination" drive to the system, boot it with ENBD and use the DOS version of EnCase to acquire.
I just purchased an adapter that I hope will power up the laptop drive outside of the laptop. If it does, I will use the WB.
If not, I had decided to use the flash technique you just mentioned. Thanks yet again. Stand by.
From what you're describing about the hard drive, it likely has a proprietary adapter over the top of the standard 2.5" IDE pins. Generally you remove this adapter - by sliding it out - and get the standard set of pins. You may need to unscrew some kind of mounting bracket first. With your Tableau kit, you should have a 3.5" to 2.5" adapter; connect this and you're golden.
I agree with Patrick. I had an Hitachi 40Gb drive just two weeks ago with that very configuration. I just unscrewed the proprietary adapter and successfully connected and imaged it with Hard Copy II.
Good luck!
Thank you to everyone. Here is what happened. It turns out that I made a couple of basic mistakes, which I will reveal here in case someone else finds themselves in this fix someday.
1. Someone once told me that the Firefly write blocker would power up a laptop drive. I never tested that statement and sure enough, it was wrong, at least for this drive. I had to go find a 2.5 to 3.5 adapter with an external power tap. That allowed me to power up the drive outside of the laptop and use the write blocker.
2. This was a 20 GB drive that showed 18 GB logical and 18 GB physical. I attempted the physical recovery with EnCase. EnCase started the acquisition counter at 30 minutes. Everything ran smoothly until it got to 20 minutes. Then the counter reversed and started adding time. I almost pulled the plug at that point, but ended up letting it run all night. When I got up this morning the acquisition was complete with a hash value and all of the evidence files.
3. I ended up with about 13 GB of data IN COMPRESSED files so I think I got all of it. Later I will look at EnCase and make sure. Why the counter reversed itself I don't know. I don't know what happened to make it slow down as it did, but I guess EnCase just keeps on doing its thing.
4. The big lesson I learned was I waited too long to ask for help from others. I could have done that on Saturday instead of waiting until the last minute.
Thanks to all of you for your comments. They were all noted and appreciated.
Challenger,
I have found that EnCase is very slow (albeit, thorough) to image a device. It will count up and up for hours, then, suddenly, drop the count drastically. It does a good job. But, I prefer to use a hardware device or Linux-based solution to image. Nothing like good old reliable and speedy "dd"…
Try the Raptor tool for FREE.
Raptor is a modified Live Linux CD used to forensically image digital media. Two versions of Raptor exist. One for Intel based computers and the other for the older Macintosh PowerPC architecture. Raptor allows the user to mount, image, hash, format and sterilize digital media in a forensically sound manner. Raptor can image to FAT32, NTFS, HFS+ and EXT3 file systems as either a .E01, DD (raw image), .DMG (Macintosh disk image file) format or even physical device (clone). Raptor also allows for two forensic images to be created simultaneously.
Best of all . . . no need to access the command-line or know complicated Linux commands or switches.
http//
Greetings,
If you're using EnCase for imaging and have plenty of disk space on your target, don't use compression and you'll get better speed.
If EnCase's ETA is counting up and suddenly drops it usually indicates that it encountered bad sectors and is retrying the reads. I've not seen this behavior on a disk with no bad sectors.
I've used all sorts of software imaging solutions and found that the speed is often more dependent on hardware factors and configuration settings than the tool used.
Tool selection also depends a lot on the environment. If you'll be using EnCase for analysis later, imaging with EnCase, even if it is a bit slower, may make sense as you set your case up when you're doing the imaging and the imaging results can be added directly to the case notes.
Various versions of dd can write to two destinations at the same time. With one of those or Raptor, bear in mind that they're likely sharing the same IO channel so the imaging time may increase. If you really want to make two copies at the same time at full speed, get a hardware imager.
-David
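
The two-destination acquisition mentioned in the last reply, as an added example that is not from any poster in this thread: the source is read once, the stream is written to two image files, and the hash of that stream is checked against both copies. It uses `tee` for the fan-out rather than a dd variant with a second output, assumes `sha256sum` from GNU coreutils, and the file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): one read of the source, two image
# copies, a hash of the acquired stream, then verification of both copies.

# image_twice SRC DEST1 DEST2
# Prints the SHA-256 of the stream read from SRC. Returns 1 if either
# destination does not hash to the same value.
image_twice() (
    src=$1; dest1=$2; dest2=$3
    # dd reads SRC once; tee writes DEST1 and DEST2 and passes the same
    # bytes on to sha256sum, so the source is never read a second time.
    # All three consumers share one pipeline: the slowest one sets the pace.
    acq=$(dd if="$src" bs=1048576 2>/dev/null \
            | tee "$dest1" "$dest2" | sha256sum | cut -d' ' -f1)
    sync
    # Re-read each copy from disk and compare with the acquisition hash.
    for copy in "$dest1" "$dest2"; do
        got=$(sha256sum < "$copy" | cut -d' ' -f1)
        [ "$got" = "$acq" ] || { echo "MISMATCH: $copy" >&2; exit 1; }
    done
    printf '%s\n' "$acq"
)

# Demo on a constructed 3 MiB file standing in for a write-blocked device.
demo() (
    work=$(mktemp -d) || exit 1
    dd if=/dev/urandom of="$work/source.bin" bs=1048576 count=3 2>/dev/null
    image_twice "$work/source.bin" "$work/copy_a.dd" "$work/copy_b.dd"
    rc=$?
    rm -rf "$work"
    exit "$rc"
)

demo
```

No `conv=noerror,sync` is used here, so a read error stops the acquisition instead of padding the image with zeros.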