I'm considering upgrading a drive acquisition toolkit and I'm torn between write-blockers and PCMCIA cards given one unique requirement: software write-blocking (booting into Linux and mounting the drive read-only) is sufficient to guarantee the drive has not been tampered with for this level of response.
I was leaning toward the Tableau write-blockers (T14, T4, T3u) assuming that they would provide some benefit by acting like universal controllers so that I could be guaranteed the ability to read from ANY IDE, SCSI, or SATA drive. However, the price tag is quite hefty, and since having a hardware write-blocker (software read-only mounting is sufficient) is not required for the group the toolkit will belong to, I'm considering using a boot CD (like Helix) and purchasing PCMCIA cards to externally connect IDE, SCSI, and SATA drives (e.g., http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=120002700854&category=3710) to the forensics laptop.

Some concerns:

* My primary concern: will I be able to find IDE, SCSI, and SATA PCMCIA controllers which will be compatible with all device designs (e.g., SCSI SE/LVD/DIFF), excluding the data and power cable interface issues addressed below?
* I have to be careful to ensure each PCMCIA card is compatible with the Helix distro of Linux.
* I'll still need to buy all the same cables and adapters I would if I were using write-blockers:
  - 40-pin IDE cable
  - 80-pin IDE cable
  - Extra jumpers
  - SATA signal cable
  - 4-pin Molex to SATA power cable
  - 68-pin SCSI cable
  - 50-pin SCSI cable
  - SCSI terminators
  - 68-pin to SCA-80 adapter
  - 68-pin to 50-pin SCSI adapter
  - 1.8" to 3.5" IDE notebook adapter
  - 2.5" to 3.5" IDE notebook adapter
  - 2 versatile power supplies
* I'll probably have to re-boot to change drives.
* Of course it'll be stocked with other non-electronics tools such as a flashlight, screwdriver w/ bits, anti-static bags, evidence labels, etc.

Is there anything I'm overlooking when going the PCMCIA card route? Is that equivalent to using write-blockers without the hardware write-blocking protection?

On a second unrelated note, can anyone give advice on the pros/cons associated with different RAID image acquisition techniques?
I'm trying to avoid booting from the suspect machine (even when using a trusted OS CD), but it seems this is by far the easier way to go. This discussion from last year seems somewhat helpful (http://www.securityfocus.com/archive/104/392700). It would seem the primary techniques are:

* Individually imaging the drives and then reconstructing them using software (like RAID Reconstructor http://www.softslist.com/download-11-2-23686.html?). I think this will be too time-consuming and painful.
* Booting the suspect machine from trusted media and transferring the data using a cross-over cable.

I'm interested in any pros/cons related to the different RAID acquisition techniques.

Thanks in advance,
Seth Robertson
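The software write-blocking the post relies on (booting a Linux CD and mounting the evidence drive read-only) needs more than a plain "ro" mount: journaling filesystems replay their journal on mount unless told not to, which is a write to the evidence device. The script below is an added example, not part of the original post or the Helix distribution; DEV and MNT are assumed placeholders, and the full procedure needs root.

```shell
#!/bin/sh
# Software write-blocking of an evidence drive from a Linux boot CD.
# Added example; "$dev" and "$mnt" are assumed placeholders.
set -e

# Mount options that keep a read-only mount from touching the disk.
# A plain "ro" mount of ext3/ext4 or xfs/jfs still replays the journal;
# noload (ext3/ext4) and norecovery (xfs, jfs) suppress that replay.
ro_mount_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noatime,noexec,nodev,noload" ;;
        xfs|jfs)   echo "ro,noatime,noexec,nodev,norecovery" ;;
        *)         echo "ro,noatime,noexec,nodev" ;;
    esac
}

# SHA-256 of a block device or image file: the reference value that is
# compared before and after the examination.
hash_dev() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeeds only when the before/after hashes match.
verify_unchanged() {
    [ "$1" = "$2" ]
}

# Full procedure (needs root): mark the device read-only at the block
# layer, then mount it read-only with the no-journal-replay option for
# its filesystem, hashing the device before and after as proof.
softwb_mount() {
    dev="$1"; mnt="$2"
    blockdev --setro "$dev"                    # kernel rejects writes to the device
    fstype=$(blkid -o value -s TYPE "$dev")    # detect the filesystem type
    before=$(hash_dev "$dev")
    mount -t "$fstype" -o "$(ro_mount_opts "$fstype")" "$dev" "$mnt"
    # ... examine the files under "$mnt" here ...
    umount "$mnt"
    after=$(hash_dev "$dev")
    if verify_unchanged "$before" "$after"; then
        echo "device unchanged: $before"
    else
        echo "WARNING: device hash changed ($before -> $after)" >&2
        return 1
    fi
}
```

Run as `softwb_mount /dev/sdb1 /mnt/evidence` from the boot CD; a hash mismatch means the mount path wrote to the drive and the options for that filesystem need review.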
