SANS Digital Forensics and Incident Response Blog: Category - Write Blockers

Three hard drive imaging tools

Capturing an image of a hard drive for purpose of further review and investigation is a common digital forensics activity. Here is a quick review of three of my favorites tools.

Hardcopy II


Hardcopy II

The VOOM Hardcopy II is a great general purpose hard drive imaging tool and is my go-to solution. It is fast, simple to use and can either image or clone if you prefer. The imaging rate of these is limited only by transfer rate of the suspect and evidence drives. I routinely see 2-3+ GB/minute imaging rates with newer drives. Expect to pay

...


The Lab Rat - Testing Digital Forensics Tools and Gear

I recently got my hands on the Tableau T35es Forensic Bridge. Excited to try out the first Tableau bridge with an eSATA host connection, I ordered two (kits with the power supply and all cables) from Digital Intelligence. A few days later, it was like Christmas in April. Or, so I thought.

Problems Start Just After Opening The Package

Upon opening the package, I discovered that the included "eSATA cable" was really an "eSATA to SATA" cable - one end was simply an L-shaped SATA connector. Luckily, I had a spare eSATA cable handy.

Immediately upon first trying it out, I had a scare. It failed to detect all three of the Seagate Barracuda 7200.11 500 GB drives that I

...


Putting Disk Imaging in the Fast Lane

When it comes to imaging a hard disk, I believe that keeping it simple is best. I also believe that faster is better. The less time it takes to prepare for imaging, and the faster the imaging speed, the sooner I can begin analysis.

I've imaged disks using many different methods. A few of the more common methods are:

  • Connecting the suspect drive to a computer using Tableau write block devices and using EnCase or dcfldd
  • Booting the suspect system using the Helix CD-ROM; saving the disk image to external media or to a network share
  • Using a self-sustaining device such as the