
| Subject: | Hardware needed for a complete drive acquisition tool kit and techniques for RAID acquisition |
|---|---|
| Date: | Mon, 10 Jul 2006 14:39:37 -0500 |

I'm considering upgrading a drive acquisition toolkit and I'm torn between write-blockers and PCMCIA cards given one unique requirement: software write-blocking (booting into Linux and mounting the drive read-only) is sufficient to guarantee the drive has not been tampered with for this level of response.

I was leaning toward the Tableau write-blockers (T14, T4, T3u) assuming that they would provide some benefit by acting like universal controllers so that I could be guaranteed the ability to read from ANY IDE, SCSI, or SATA drive. However, the price tag is quite hefty and since having a hardware write-blocker (software read-only mounting is sufficient) is not required for the group the toolkit will belong to, I'm considering using a boot CD (like Helix) and purchasing PCMCIA cards to externally connect IDE, SCSI, and SATA drives (e.g., http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=120002700854&category=3710) to the forensics laptop.

Some concerns:

* My primary concern: will I be able to find IDE, SCSI, and SATA PCMCIA controllers which will be compatible with all device designs (e.g., SCSI SE/LVD/DIFF), excluding the data and power cable interface issues addressed below?
* I have to be careful to ensure each PCMCIA card is compatible with the Helix distro of Linux.
* I'll still need to buy all the same cables and adapters I would if I were using write-blockers:
  - 40-pin IDE Cable
  - 80-pin IDE Cable
  - Extra Jumpers
  - SATA signal cable
  - 4-pin Molex to SATA power cable
  - 68-pin SCSI cable
  - 50-pin SCSI cable
  - SCSI terminators
  - 68-pin to SCA-80 adapter
  - 68-pin to 50-pin SCSI adapter
  - 1.8" to 3.5" IDE Notebook Adapter
  - 2.5" to 3.5" IDE Notebook Adapter
  - 2 versatile power supplies
* I'll probably have to re-boot to change drives
* Of course it'll be stocked with other non-electronics tools such as a flashlight, screwdriver w/ bits, anti-static bags, evidence labels, etc.

Is there anything I'm overlooking when going the PCMCIA card route? Is that equivalent to using write-blockers without the hardware write-blocking protection?

On a second unrelated note, can anyone give advice on the pros/cons associated with different RAID image acquisition techniques? I'm trying to avoid booting from the suspect machine (even when using a trusted OS CD) but it seems this is by far the easier way to go. This discussion from last year seems somewhat helpful (http://www.securityfocus.com/archive/104/392700). It would seem the primary techniques are:

* Individually imaging the drives and then reconstructing them using software (like RAID Reconstructor http://www.softslist.com/download-11-2-23686.html?). I think this will be too time-consuming and painful.
* Booting the suspect machine from trusted media and transferring the data using a cross-over cable.

I'm interested in any pros/cons related to the different RAID acquisition techniques.

Thanks in advance,
Seth Robertson
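
The first technique listed in the message above (imaging each member drive separately and rebuilding the volume in software), shown as an added example that is not part of the original post: a RAID-0 de-striper run over constructed in-memory images, with a SHA-256 check of the result. The three-disk layout, the 4096-byte stripe size and all function names are assumptions; it covers plain striping only, not parity levels.

```python
import hashlib
import io

STRIPE = 4096  # assumed stripe size; for a real array it comes from the controller config


def make_members(volume: bytes, n_disks: int, stripe: int) -> list:
    """Constructed fixture: split a volume into RAID-0 member images."""
    members = [bytearray() for _ in range(n_disks)]
    for off in range(0, len(volume), stripe):
        members[(off // stripe) % n_disks] += volume[off:off + stripe]
    return [bytes(m) for m in members]


def reassemble_raid0(members, stripe: int, out) -> str:
    """Interleave stripe-sized chunks from member images (file objects opened
    read-only, listed in array order) into `out`; return the SHA-256 hex digest
    of the rebuilt volume."""
    digest = hashlib.sha256()
    while True:
        wrote = False
        for image in members:
            chunk = image.read(stripe)
            if chunk:  # a short or empty read means this member is exhausted
                out.write(chunk)
                digest.update(chunk)
                wrote = True
        if not wrote:
            return digest.hexdigest()


def demo() -> dict:
    # Constructed, non-repeating sample volume (20580 bytes, ends mid-stripe).
    volume = b"".join(i.to_bytes(4, "big") for i in range(5145))
    expected = hashlib.sha256(volume).hexdigest()
    images = make_members(volume, 3, STRIPE)

    def run(order, stripe):
        handles = [io.BytesIO(images[i]) for i in order]
        return reassemble_raid0(handles, stripe, io.BytesIO())

    # Only the right disk order and stripe size reproduce the original hash.
    return {
        "correct": run([0, 1, 2], STRIPE) == expected,
        "wrong_order": run([2, 1, 0], STRIPE) == expected,
        "wrong_stripe": run([0, 1, 2], STRIPE // 2) == expected,
    }


if __name__ == "__main__":
    print(demo())
```

With real evidence the member images would be files opened with mode `"rb"`, and the disk order and stripe size have to be established before the rebuilt volume can be trusted.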