procedures for USB flash drives

(@code_slave)
Trusted Member
Joined: 16 years ago
Posts: 61
Topic starter  

Hi ,
Can anyone point me to any 'industry standard' documentation on extracting USB NAND-flash stick devices?

I.e. use of write blockers, etc.

C.


   
Quote
(@chioma)
Active Member
Joined: 16 years ago
Posts: 15
 

Please check your PM.


   
ReplyQuote
(@nicci)
Active Member
Joined: 16 years ago
Posts: 15
 

Hello.

I do not know whether the procedures in China require a hardware write block.
If you can use a software write block, create this key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001
This will disable writes to USB devices of any kind under Windows. So far I have tested it under Windows XP, Vista, 2003, 2008, and 7.
To enable writes again, use [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000000
To be sure, reboot the machine after each change.
Then you can use almost any tool that will make an image of the device, and you can work with the appropriate tools to examine it, extract it, or whatever you need to do with it.

Cheers
Nicci


   
ReplyQuote
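The software write-block and image-then-hash workflow described in the post above, written out as an added example; it is not code from any post in this thread. It assumes the Windows Storage module is available (Get-Disk, Windows 8 / Server 2012 and later, so not the older versions listed above), that the evidence stick enumerates as a physical disk number you look up with Get-Disk, and that a separate scratch stick is used for the write test so nothing is ever written to the evidence device. Function names, the disk number and the drive letter are hypothetical.

```powershell
# Added example (not from the thread): apply and verify the StorageDevicePolicies
# write-block policy, then take a raw image of the device with an inline SHA-256
# and re-hash the image file. Run from an elevated PowerShell prompt.
# Assumptions (not in the original post): Get-Disk is available; the write probe
# is pointed at a SCRATCH stick, never the evidence device.

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbWriteProtect {
    # 1 = block writes to USB mass-storage devices, 0 = allow (the post's two .reg values)
    param([Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $value = if ($State -eq 'On') { 1 } else { 0 }
    Set-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -Value $value -Type DWord
}

function Get-UsbWriteProtect {
    # Reads the policy back; an absent key or value means writes are allowed.
    $v = (Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue).WriteProtect
    if ($v -eq 1) { 'On' } else { 'Off' }
}

function Test-WriteBlocked {
    # Attempts a small write on a SCRATCH stick only; $true means the write was refused.
    param([Parameter(Mandatory)][string]$ScratchDriveLetter)
    $probe = Join-Path "${ScratchDriveLetter}:\" ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, 'write-block probe')
        Remove-Item -LiteralPath $probe -Force
        return $false   # write succeeded: the policy is NOT in effect for this device
    } catch {
        return $true    # write refused: policy in effect
    }
}

function New-RawImage {
    # Copies \\.\PhysicalDriveN byte-for-byte to $ImagePath, hashing the device
    # stream as it is read, then re-hashes the image file and compares the two.
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][string]$ImagePath,
        [int]$BufferSize = 4MB
    )
    $devicePath = "\\.\PhysicalDrive$DiskNumber"
    $remaining  = [int64](Get-Disk -Number $DiskNumber).Size
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $src = New-Object IO.FileStream -ArgumentList $devicePath, ([IO.FileMode]::Open), ([IO.FileAccess]::Read), ([IO.FileShare]::ReadWrite)
    $dst = [IO.File]::Create($ImagePath)
    $buf = New-Object byte[] $BufferSize
    try {
        while ($remaining -gt 0) {
            $want = [int][Math]::Min($buf.Length, $remaining)   # never read past the end of the device
            $n = $src.Read($buf, 0, $want)
            if ($n -le 0) { throw "Short read from $devicePath with $remaining bytes remaining" }
            $dst.Write($buf, 0, $n)
            [void]$sha.TransformBlock($buf, 0, $n, $null, 0)
            $remaining -= $n
        }
        [void]$sha.TransformFinalBlock($buf, 0, 0)
    } finally {
        $src.Dispose(); $dst.Dispose()
    }
    $deviceHash = ($sha.Hash | ForEach-Object { $_.ToString('x2') }) -join ''
    $imageHash  = (Get-FileHash -LiteralPath $ImagePath -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        Device       = $devicePath
        Image        = $ImagePath
        DeviceSHA256 = $deviceHash
        ImageSHA256  = $imageHash
        Verified     = ($deviceHash -eq $imageHash)
    }
}

# Usage (hypothetical disk number and drive letter):
# Set-UsbWriteProtect -State On              # then reboot, as the post recommends
# Get-UsbWriteProtect                        # -> On
# Test-WriteBlocked -ScratchDriveLetter F    # -> True on a scratch stick
# New-RawImage -DiskNumber 2 -ImagePath C:\cases\usb01.dd
```

Two practitioner caveats. First, Test-WriteBlocked is only ever run against a scratch stick: it tells you the policy is active on this host, and the evidence device is opened read-only and never touched for writing. Second, WriteProtect is a registry value that any privileged process on the examination machine can flip, so it is a supplement to a hardware blocker such as the Tableau units mentioned later in the thread, not a replacement. The Verified field being $false means the image on disk is not what the device returned, and the acquisition should be repeated before any examination starts.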
(@thall)
Trusted Member
Joined: 16 years ago
Posts: 53
 

Not sure if it is exactly what you're looking for, but I found this link while searching for our next topic at university, extracting data from USB.

https://computer-forensics.sans.org/community/papers/forensic_examination_of_usb_data_storage_artifact_194


   
ReplyQuote
Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

Hi ,
Can anyone point me to any 'industry standard' documentation on extracting USB NAND-flash stick devices?

I.e. use of write blockers, etc.

C.

We use the Tableau USB write blockers. I can't offhand remember the model number, but I can get that for you, if you like, once I am back in our lab on Monday.


   
ReplyQuote
(@code_slave)
Trusted Member
Joined: 16 years ago
Posts: 61
Topic starter  

Hi Guys,
a lot of good ideas.

Also, I would NEVER use a software write blocker or registry botches.

I already have 'stealth' code to circumvent such protection systems.
(And stealth systems to prevent forensic imaging of USB NAND-flash devices via other software means.)

Yes, I have the Tableau T8 (kindly donated by Tableau).
But what I was looking for was a written procedure as used in the industry.

I'm well aware of 'how' to do extractions, but I'm interested in what other people are doing.

By the way, thanks for the stuff from SANS; it is EXACTLY the depth I was looking for.

Oh, and Chioma, what is a "pm"? Is it related to the time of day?

C.


   
ReplyQuote
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

pm = private message

i.e. a message sent to you through the forum's message service. Check at the top of the page next to the Logout link and you should see a link to your messages.


   
ReplyQuote
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

I have also used LinEn to acquire flash drives. It is fast and goes right into EnCase with hashes.

Use two machines with a crossover cable. Have one system boot with LinEn as a host with the flash drive, and on the collection machine use EnCase -> Add Device -> Network Crossover and do your acquisition.

