
Forensic disk imaging in the comfort of your lab

When it comes to computer forensics, the chain-of-custody and no-tamper rules of evidence apply just as surely as they do for blood samples, patches of hair or bullets pried out of walls. For the many federal agencies that deal increasingly with computer forensics, there is no magic cure for maintaining proof of chain of custody.

But how can an investigator or prosecutor know and prove a drive’s contents have not been tampered with? The answer is to hook it up to a one-way cable equipped with a write-blocking device that prevents writing to the suspect drive, while extracting an image of the drive and writing the image onto a target drive for later analysis.

Now WiebeTech, part of CRU-Dataport, is about to ship a device that can turn a workstation into a write-blocked extractor for 3.5-inch and 2.5-inch IDE and SATA hard drives, as well as USB thumb drives, for which a forensic image is needed. Very simply, the Forensic LabDock is a standard, 5.25-inch, CD-drive-sized bay you install in any PC cabinet. The bay does two things. It incorporates write-block software. And it provides an easy slot in which to plug drives and from which to pull them out once the forensic image is made. The smaller drives require an adapter tray.

James Wiebe told me he thinks lots of forensic investigators would like to have a workstation or console capability to image hard drives in the convenience of a lab and on a fixed workstation. He was showing a prototype at the FOSE show in Washington today, and said the product will ship in May or June with a retail price of around $450.

The device seems to plug a hole in the forensics field between lab-use external frames for holding bays and completely external cable solutions that connect to laptops. A logical piece of mechanical engineering.
