Forensic disk imaging in the comfort of your lab
When it comes to computer forensics, the chain-of-custody and no-tamper rules of evidence apply just as surely as they do for blood samples, patches of hair or bullets pried out of walls. For the many federal agencies that deal increasingly with computer forensics, there is no magic cure for maintaining chain-of-custody proof.
But how can an investigator or prosecutor know and prove a drive’s contents have not been tampered with? The answer is to hook it up to a one-way cable equipped with a write-blocking device that prevents writing to the suspect drive, while extracting an image of the drive and writing the image onto a target drive for later analysis.
Now WiebeTech, part of CRU-Dataport, is about to ship a device that can turn a workstation into a write-blocked extractor for 3.5-inch and 2.5-inch IDE and SATA hard drives, as well as USB thumb drives, for which a forensic image is needed. Very simply, the Forensic LabDock is a standard, 5.25-inch CD-drive-sized bay you install in any PC cabinet. The bay does two things. It incorporates write-block software. And it provides an easy slot to plug drives into and pull them out of once the forensic image is made. The smaller drives require an adapter tray.
James Wiebe told me he thinks lots of forensic investigators would like to have a workstation or console capability to image hard drives in the convenience of a lab and on a fixed workstation. He was showing a prototype at the FOSE show in Washington today, and said the product will ship in May or June with a retail price of around $450.
The device seems to plug a hole in the forensics field between lab-use external frames for holding bays and completely external cable solutions that connect to laptops. A logical piece of mechanical engineering.