SATA drive imaging issue (137 GB limitation)
Fairly new in the field. Project is for a pending civil lawsuit.
Using FTK Imager 3.1.2 to image various hard drives (1 x SATA HDD, 2 x USB HDD). Using Tableau write blockers, specifically the UltraBlock USB 3.0 IDE-SATA.
Write blocker is attached through USB 3.0. SATA is attached to subject hard drive.
Attaching a Toshiba 250 GB hard drive from a Dell Latitude i3 laptop (unsure of model #).
Upon attempting to image, the hard drive only shows 137 GB. My research indicates that this is some LBA 48 issue somewhere - but I don't see how.
My OS is Windows 7 x64, and the same USB 3.0 slot allows full access to a 3TB external HD.
I've looked around these forums and the internet and haven't seen this problem encountered.
I should note that my forensic computer has 1 SSD attached, and 4 x 1 TB drives attached, so I don't believe it's an issue with my motherboard etc…
Upon attempting to image, the hard drive only shows 137 GB.
My research indicates that this is some LBA 48 issue somewhere - but I don't see how.
If the HDD clearly says 250 Gb on the outside (or the equivalent number of sectors), and then gives you a different number of sectors *before* you have started the image, I'd guess you have an HPA'd or a DCO'd disk.
Check if the writeblocker or imager software detects this issue, or try to verify it by some other means.
If the HDD reports 250 Gb before imaging, but the resulting image is only 137Gb … I'd probably suspect something USB-related first – I'd check with Tableau if there are any known issues with the write blocker. LBA should not be an issue with modern drives, particularly not SATA drives. (Though if there are any jumpers on the drive, you might want to check what they do first.)
Just asking the obvious here in case you haven't done it, as I know sometimes there is a temptation to look for more technical answers first… but…
Have you used Windows disk manager to confirm what you are seeing, i.e. is this a logical partition on the drive, and FTK is reporting this instead of the physical drive?
Have you tried X-Ways/EnCase or any other tools, just in case it's a file system issue that is fooling FTK Imager for some reason? (Never heard of this happening, but never say never.)
Have you tried different write blockers/cables etc to confirm there is no hardware issue?
Have you tried connecting via FireWire or eSATA in case it's a USB3 issue? (I have numerous issues with USB3 on my analysis machine and never use it now for imaging.)
Have you tried a software write block when connecting the drive directly to the motherboard?
Getting the really obvious stuff out of the way
Is 137 GB the size of the image - have you enabled compression?
When the drive is previewed, how many logical volumes are there - have you imaged only one of these partitions… or has a previous partition been deleted and there is 100 GB of unused disk but you have only acquired the logical volume?
If it is a 48-bit LBA issue, have you tried acquiring the drive under Linux?
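
The checks suggested across the replies above can be told apart from three numbers: the label capacity, the sector count the device reports before imaging, and the size of the resulting image. The following is an added example, not code posted by anyone in the thread; the function name, the finding labels, the 2% label tolerance and all sample figures are assumptions constructed for illustration.

```python
SECTOR_BYTES = 512
LBA28_SECTORS = 2 ** 28  # 28-bit LBA ceiling: 137,438,953,472 bytes ("137 GB")


def triage(label_gb, device_sectors, image_bytes=None, partitions=()):
    """Classify a capacity mismatch seen while imaging.

    label_gb       -- capacity printed on the drive (decimal GB)
    device_sectors -- sectors the device reports BEFORE imaging starts
    image_bytes    -- size of the uncompressed image, if one was taken
    partitions     -- iterable of (start_lba, sector_count) from the preview
    """
    findings = []
    label_bytes = label_gb * 10 ** 9
    device_bytes = device_sectors * SECTOR_BYTES

    if abs(device_sectors - LBA28_SECTORS) <= 1:
        # Device truncated exactly at the 28-bit boundary: look at the
        # bridge, write blocker, driver or jumpers rather than the disk.
        findings.append("lba28-ceiling")
    elif device_bytes < 0.98 * label_bytes:  # tolerance is an assumption
        # Short, but not at the boundary: an HPA or DCO may hide sectors.
        findings.append("hpa-or-dco-suspected")

    if image_bytes is not None and image_bytes < device_bytes:
        sizes = {count * SECTOR_BYTES for _start, count in partitions}
        if image_bytes in sizes:
            # Image matches one partition: a logical volume was acquired.
            findings.append("logical-volume-imaged")
        else:
            # Compression, an aborted run or a transport fault.
            findings.append("image-shorter-than-device")
    return findings


if __name__ == "__main__":
    # Constructed samples for a drive labelled 250 GB.
    print(triage(250, 2 ** 28))          # device stops at the 137 GB boundary
    print(triage(250, 390_721_968))      # short, but not at the boundary
    print(triage(250, 488_397_168,       # full device, one volume imaged
                 image_bytes=204_800_000 * SECTOR_BYTES,
                 partitions=[(2048, 204_800_000)]))
```

A finding is only a pointer to the next check (a second write blocker or tool, the HPA/DCO query, or re-acquiring the physical device); it does not replace recording what each tool reported.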