SANS Digital Forensics and Incident Response Blog: Tag - write block

Digital Forensics: How to configure Windows Investigative Workstations

I like Windows. There... I said it. I understand that this statement will probably come with the requisite beatings, but I honestly enjoy using Windows on a day to day basis more than other operating systems and am willing to take whatever flack comes my way over it (and yes, my team at work loves …

The Lab Rat - Testing Digital Forensics Tools and Gear

I recently got my hands on the Tableau T35es Forensic Bridge. Excited to try out the first Tableau bridge with an eSATA host connection, I ordered two (kits with the power supply and all cables) from Digital Intelligence. A few days later, it was like Christmas in April. Or, so I thought.

Problems Start Just After Opening The Package

Upon opening the package, I discovered that the included "eSATA cable" was really an "eSATA to SATA" cable - one end was simply an L-shaped SATA connector. Luckily, I had a spare eSATA cable handy.

Immediately upon first trying it out, I had a scare. It failed to detect all three of the Seagate Barracuda 7200.11 500 GB drives that I


Putting Disk Imaging in the Fast Lane

When it comes to imaging a hard disk, I believe that keeping it simple is best. I also believe that faster is better. The less time it takes to prepare for imaging, and the faster the imaging speed, the sooner I can begin analysis.

I've imaged disks using many different methods. A few of the more common methods are:

  • Connecting the suspect drive to a computer using Tableau write block devices and using EnCase or dcfldd
  • Booting the suspect system using the Helix CD-ROM; saving the disk image to external media or to a network share
  • Using a self-sustaining device such as the