I ran into a first today.
A person was waiting to image drives that I had already imaged a day earlier.
One was a PDA and one was an external drive (the drive is easily removable by taking out TWO screws, which, by the way, is what I did).
Anyway, the examiner started to plug the USB external drive right into his laptop and I asked him how he was going to image it, and he said "through the USB registry hack".
Was he talking about the (in)famous write-protected USB device entry?
You can find it in the whitepaper in the AccessData support section.
I've tested it and found it unreliable at best.
Bill
I have never had to use it in a case, but I have tested it with many hard drives and USB flash drives, and never had an issue where the USB hack failed to write block a USB attached device. On the other hand, I have hacked the registry and I was still able to write to a device (this only happened once, and upon reboot I could not write to a device). As far as system stability issues, I have never had anything noticeable occur.
Bottom line, I would not use it unless I was forced to by circumstances beyond my control.
Now I would have no problem at all if someone connected directly to a properly configured Linux system and imaged the USB drive, just as long as it was done properly.
Just curious, did the other guy not have a write blocker available?
Matt
Hi,
That registry hack is for XP SP2 only as far as I am aware. It only works on devices you connect after doing the hack, so anything already attached will continue to have read/write access. In my tests it has worked every time, but there is a greater risk that devices such as media players will power on and start playing if you connect them to a PC, and that means changes. A better approach for those sorts of devices is a Mac with disk arbitration turned off. Devices don't seem to react to the presence of Mac OS. We tend to dd the device twice to show that, although the device might have changed (because it will power on, or may have to in order to do the image), the individual files still display the same MD5.
Steve
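The "dd it twice and compare hashes" check Steve describes, combined with the read-only Linux acquisition route Matt mentions, as an added shell example that is not from any poster in this thread. It compares whole-image digests rather than per-file ones (mount the image read-only and hash files the same way if you want Steve's per-file variant); blockdev(8) from util-linux is assumed, and all function names and the sample "device" are constructed for the example.

```shell
#!/bin/sh
# Added example: acquire a source twice with dd, hash both passes and
# require the digests to agree. Helper names are hypothetical.
set -u

# Mark a real block device read-only in the kernel before reading it.
# Assumption: blockdev(8) is installed. Plain files (the constructed
# sample below) are skipped so the example runs without hardware.
set_readonly() {
    src="$1"
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 1
    fi
    return 0
}

# Image SRC to OUTDIR/image1.dd and OUTDIR/image2.dd, hash both, and
# return 0 only if pass 1 and pass 2 have identical MD5 and SHA-256.
# The digests are written to OUTDIR/hashes.txt for the case notes.
acquire_twice() {
    src="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    set_readonly "$src" || return 1
    for n in 1 2; do
        # conv=noerror,sync continues past read errors and pads the bad
        # block, so both passes stay the same length and comparable.
        dd if="$src" of="$outdir/image$n.dd" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    done
    md5_1=$(md5sum "$outdir/image1.dd" | cut -d' ' -f1)
    md5_2=$(md5sum "$outdir/image2.dd" | cut -d' ' -f1)
    sha_1=$(sha256sum "$outdir/image1.dd" | cut -d' ' -f1)
    sha_2=$(sha256sum "$outdir/image2.dd" | cut -d' ' -f1)
    printf 'pass1 md5=%s sha256=%s\npass2 md5=%s sha256=%s\n' \
        "$md5_1" "$sha_1" "$md5_2" "$sha_2" > "$outdir/hashes.txt"
    [ "$md5_1" = "$md5_2" ] && [ "$sha_1" = "$sha_2" ]
}

# Constructed sample "device": a 1 MiB file with fixed content, a whole
# number of 4096-byte blocks so the image equals the source byte for byte.
make_sample() {
    dd if=/dev/zero of="$1" bs=4096 count=256 2>/dev/null || return 1
    printf 'constructed sample' | dd of="$1" conv=notrunc 2>/dev/null
}
```

A mismatch between the two passes means the source changed under you (a media player spinning up, a read error handled differently), which is exactly the case where the second pass earns its keep.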
Hi Matt,
I imaged the drives the day before.
The several people from the other side had every tool known to man available to them. The USB reg hack was chosen out of convenience and by what has "worked in the past".
I've used that hack once, and only because my Tableau write blocker would not recognize the attached USB thumb drive. I've tested it and it worked, but I would not rely solely on it; just in situations where I have no other option.
Having no other option is one of those things that drives me nuts. I have the Tableau USB write blocker and it works great. My next option (or maybe first option, depending on how the day goes) would be to image in Linux. Here in a few weeks I will have my MacBook Pro, so turning off disk arbitration will work great and there I have another option.
Hey D, hope things are going well.