Reviewed by David Kovar of NetCerto, Inc.
Overview
Digital evidence needs to come from somewhere, right? It doesn’t appear, “forensically sound”, from out of the blue. And the phrase “forensically sound” is key – the evidence needs to be acquired in a manner that ensures that the process doesn’t modify the evidence in any manner. There are exceptions to this – cell phones and live acquisitions come to mind – but even then, the process should be minimally invasive.
The key to this acquisition process is the ubiquitous write blocker, probably the most important tool in any acquisition kit. A write blocker was my first forensics hardware purchase and I keep my collection of write blockers up to date religiously. The differences between write blockers used to be fairly significant in terms of quality, speed, features, and price. In the last year or two the number of options has expanded somewhat, the major vendors all have similar features, and the prices have come down. The major difference appears to be in the layout, form factor, and physical design of the units.
Testing
Units under test
Guidance FastBloc2 FE
WiebeTech Forensic UltraDock V4
Tableau T35es
The number of write blocker options continues to grow (see “Areas for future research” below). In the interest of keeping this review focused, I am only covering portable hardware write blockers. The two major vendors in this area are Tableau and WiebeTech though ICS just came out with a new product that looks very interesting. Since the majority of the drives we are seeing are SATA drives, the review focuses on just SATA to SATA versions, though Guidance FastBloc2 FE is included for comparison purposes.
Test harness
The test harness was my workhorse forensics workstation, a two-year-old Dell running XP with an aftermarket eSATA interface card, a USB 2.0 interface, a FireWire 400 interface, and a RAID 5 array.
All of the drives were imaged with EnCase v6.13.
Further research could be conducted with different imaging applications and different hardware.
Test disks
The HPA partition was created on the IDE drive and verified at the end of the tests with the hdparm command to ensure it was still present. Working with HPA partitions is touchy, and doing so moves into a grey area as registers on the disk are written to make the HPA available. These registers must be reset prior to shutting down the drive or the drive could be left in a state that is different from the starting condition.
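One way to script the end-of-test HPA check described above, as an added example that is not part of the original review: the functions parse the text printed by `hdparm -N` before and after testing and confirm the HPA is still present with unchanged sector counts. The device name and sector counts in the sample captures are constructed.

```shell
#!/bin/sh
# Added example: confirm an HPA survived a test run by comparing the text
# printed by `hdparm -N <device>` before and after. Sample output is constructed.

# hpa_state: read `hdparm -N` output on stdin, print "visible native state".
# The state is derived from the sector counts rather than the trailing text.
hpa_state() {
    awk '/max sectors/ {
        # e.g. " max sectors   = 78125000/78165360, HPA is enabled"
        split($0, kv, "=")
        split(kv[2], field, ",")
        gsub(/[ \t]/, "", field[1])
        split(field[1], n, "/")
        if (n[1] !~ /^[0-9]+$/ || n[2] !~ /^[0-9]+$/) next
        print n[1], n[2], ((n[1] + 0 < n[2] + 0) ? "enabled" : "disabled")
        found = 1
    }
    END { if (!found) exit 1 }'
}

# hpa_unchanged BEFORE AFTER
# returns 0: HPA present before and identical after
#         1: state or sector counts differ
#         2: output could not be parsed
#         3: no HPA was present to begin with
hpa_unchanged() {
    before=$(printf '%s\n' "$1" | hpa_state) || return 2
    after=$(printf '%s\n' "$2" | hpa_state) || return 2
    case "$before" in
        *enabled) ;;
        *) return 3 ;;
    esac
    [ "$before" = "$after" ]
}

# Constructed sample captures (device name and sector counts are made up).
SAMPLE_BEFORE='/dev/sdb:
 max sectors   = 78125000/78165360, HPA is enabled'
SAMPLE_AFTER_LOST='/dev/sdb:
 max sectors   = 78165360/78165360, HPA is disabled'

if hpa_unchanged "$SAMPLE_BEFORE" "$SAMPLE_BEFORE"; then
    echo "HPA intact: $(printf '%s\n' "$SAMPLE_BEFORE" | hpa_state)"
fi
if ! hpa_unchanged "$SAMPLE_BEFORE" "$SAMPLE_AFTER_LOST"; then
    echo "HPA changed or removed during testing"
fi
```

On a live system the two arguments would be captures of `hdparm -N` for the test drive taken at the start and end of testing.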
Test procedures
Each of the three drives was tested with each write blocker. If the write blocker supported more than one host interface, each of the three drives was tested with each interface.
EnCase v6.13 was used to conduct the tests. The default imaging options were used except that compression was turned off for all tests.
The acquisition was allowed to run to completion for each test, and only the time required for the acquisition itself was noted. The verification step was skipped in all cases.
Areas for future research
1) Did not test with drives containing bad sectors.
2) Better HPA/DCO coverage.
3) Examine the impact of different cables, imaging applications, operating systems, and RAID arrays.
Other write blocking solutions
As I wrote this review, I kept thinking “what about this other option…” These include:
– Software write blockers – Registry keys and EnCase SE for example.
– Hardware imagers that can be used as write blockers.
– Operating systems and bootable CD collection tools that can mount a device read only – OS X, various Linux distros, Helix, SMART.
– Hardware solutions designed to install in a desktop system.
These are all viable options worth consideration and inclusion in an acquisition kit.
Guidance FastBloc2 FE
Guidance partnered with WiebeTech to produce the FastBloc2 FE (Field Edition), which was sold by Guidance. It was the only write blocker that EnCase would detect, setting the “Write Blocked” flag to “yes” in the acquisition report. Guidance recently enabled recognition of the Tableau write blockers in addition to the FastBloc2.
In its day, the FastBloc2 FE was one of the best write blockers available but its lack of support for SATA meant that it was eclipsed by newer products. It was included in this review as a baseline and to help illustrate that more modern products are still bound by drive and interface speeds.
Interfaces, connectors, and indicators
On the host side, the FastBloc2 has two FireWire 400 interfaces, a USB interface (requires a firmware upgrade), and a power connector. On the drive side, there is an IDE interface and a Molex power connector.
The three LEDs indicate unit power, drive power, and drive activity.
A single power switch controls power to the unit and thus to the drive.
Construction
The unit is very well constructed and provides few opportunities for failure. The one weakness is the Molex power connector which is soldered to the circuit board and passes through an opening in the case with no strain relief. Since the unit can be opened, a failed power connector could easily be replaced by the end user.
Performance
The performance results are shown in the following table:
Notes
– The unit did not detect the HPA on Disk 1.
– The unit does not have a host side eSATA interface.
– The unit does not have a drive side SATA interface. An IDE to SATA converter was used for Disk 2 and Disk 3.
Accessories
The FastBloc2 FE was generally sold as part of a kit which contained drive adapters, cables, the power supply, and a carrying case.
Summary
Product: FastBloc2 FE
Vendor: Guidance Software
Cost: No longer available new
Pros: Very reliable, well constructed, recognized by EnCase
Cons: No SATA support, Molex power connection to circuit board
WiebeTech Forensic UltraDock V4
WiebeTech made the FastBloc2 FE for Guidance Software and went on to make other write blockers and other forensics hardware. Their most recent write blocker product is the WiebeTech Forensic UltraDock V4. This is essentially the successor to the FastBloc2 FE and the lineage is apparent in the construction and layout of the device.
The UltraDock v4 has five host connectors, two drive connectors, eight LEDs and two power source options. Combined with a set of drive adapters, the UltraDock can handle almost any imaging situation.
Interfaces, connectors, and indicators
The UltraDock’s case is packed with interface ports, connectors, and LEDs.
– Drive side – IDE cable and SATA port. The IDE cable is securely connected through the case.
– Host side – FireWire 400, FireWire 800 (x2), mini-USB, eSATA, and DC power.
– Power side – Molex 4 pin power input port and Molex 4 pin power output cable.
– Top – Power switch, DC power input indicator, 4 pin power input indicator, +5V DC power indicator, +12V DC power indicator, Firewire host indicator, USB host indicator, disk activity indicator, and write block indicator.
Power for the UltraDock can be provided either from a dedicated power converter (included) or via a standard four pin Molex connector. Each power source has an associated LED to indicate that it is active.
The status LED flashes to indicate the presence of an HPA or DCO partition, and this occurs independent of any host connection or activity.
Construction
The unit’s case is brushed aluminum and will stand up to quite a bit of abuse. Most of the ports are recessed below the surface of the case for protection. The two cables – IDE and 4 pin power out – are connected through the case with strain reliefs. The power switch is slightly recessed and the resistance is firm enough to help eliminate accidental changes in position. The LEDs are bright and clearly labeled.
Performance
The performance results are shown in the following table:
HPA/DCO Detection
The UltraDock did detect the HPA on disk 1 but left it up to the user to make the HPA partition available. This is certainly the safest approach to handling an HPA/DCO partition, but it means that the user needs either to work with the drive without a write blocker to make the HPA/DCO partition available or to use another imaging tool that handles the partition directly.
Accessories
The unit comes with a 110/220V AC adapter, FireWire, USB, and eSATA cables, a drive bottom plate and screws, and an information CD. WiebeTech sells drive adapters for attaching other drive types to the unit.
Summary
Product: Forensic UltraDock v4
Vendor: WiebeTech
Cost: $255
Website: http://www.wiebetech.com/products/Forensic_UltraDock.php
Pros: Very reliable, superb construction, compact, full featured.
Cons: Only detects HPA/DCO – cannot make partition available.
Tableau T35es
Tableau’s series of write blocker products is well respected in the industry due to their reliability and performance. In April of 2008, Tableau released the T35es, delivering the first eSATA write blocker to the market.
Interfaces, connectors, and indicators
There are five host connectors – two FireWire 800, one FireWire 400, one mini-USB, and one eSATA. On the drive side, there is an IDE port, a SATA port, and a four pin Molex port. A single toggle switch on the upper edge of the unit controls power for the entire unit. It is possible to accidentally throw this switch and some care should be taken when arranging the unit on the workspace.
LEDs on the top surface indicate DC power in, power out, IDE drive detect, SATA drive detect, host detect, write block, and drive activity.
The Molex power cables that come with the T35es are some of the finest I’ve seen. Rather than utilizing a raised edge on the connector, the T35es connectors have wide grips running the length of the connector. These connectors are significantly easier to unplug than the connectors shipped with other products. This attention to detail is apparent throughout the product.
Construction
The ports on the T35es are laid out quite intelligently with all the drive connections on one side and the host connections on the other side of the unit. All of the ports are flush with the surface of the case so there are no edges to catch on. Unlike some other write blockers, the IDE interface is just a port and not a ribbon cable extending through the case. This means that there is no need to open up the case if the IDE cable is damaged.
The case is made out of durable plastic with well rounded edges. It is impervious to most scratches, slides easily into cases, and is resistant to any normal abuse.
Performance
The T35es was comparable with other units when connected to the host via USB or FireWire but was slightly faster when connected to the host via eSATA.
HPA/DCO Detection
The T35es detected the HPA on disk 1, made the partition available for imaging, and restored the partition to its original state. A Tableau representative confirmed that the T35es manages the HPA as volatile information so that it is returned to its original state if power is lost during the imaging process.
The T35es does not automatically unlock a DCO partition as this is a permanent change. A third party tool is required to unlock the DCO. Tableau’s TDM – Tableau Disk Monitor tool – provides a DCO unlock function, as well as other functions.
Other Notes
The documentation for the T35es is provided on laminated cards about the size of the unit. The quality of the documentation is excellent and the compact size makes it easy to keep the documentation with the unit.
With the 6.13 release of EnCase, Guidance added detection and reporting of the Tableau write blockers to EnCase.
The firmware on the T35es, and all Tableau products, is easy to update. Tableau has addressed various firmware issues promptly in the past, and the ability to update the device helps ensure its usefulness over time.
Accessories
The unit comes with a 110/220V AC adapter, FireWire, USB, and eSATA cables, and printed documentation. Tableau sells write blockers for other types of drive interfaces, or adapters can be used with the T35es.
Summary
Product: eSATA Forensic Bridge Model T35es
Vendor: Tableau
Cost: $299 (reduced from $369 July ’09)
Website: http://www.tableau.com/index.php?pageid=products&model=T35es
Pros: Very reliable, superb construction, compact, updateable firmware, detected by EnCase, HPA unlock, DCO detection.
Cons: None.
Conclusions
All three units have a place in any collection kit, though there’s not much sense in investing in a FastBloc FE unless you can pick it up for very little money and you are just starting out. The WiebeTech Forensic UltraDock v4 is a well crafted, very functional unit available at a very good price. However, for about $40 more, the Tableau delivers a unit that supports firmware updates, offers HPA unlock capability, and has no hardwired cables.
David Kovar is the founder and principal investigator for NetCerto, Inc. He has been involved with software engineering, IT consulting, and computer forensics since the late 70’s, focusing primarily on computer forensics since 2006. He has conducted acquisitions in hostile environments, run three week acquisition tours through Asia, investigated IP theft cases for several Silicon Valley high tech firms, and is currently providing computer forensics analysis, ediscovery support and forensics computing environment development consulting support through NetCerto.
David Kovar
Founder – NetCerto, Inc.
555 Bryant Street, Suite 246
Palo Alto, CA 94301
650-278-1774
kovar@netcerto.com
http://www.linkedin.com/in/davidkovar
CISSP, CCE, CA Private Investigator License No: 00025048