Forensics Forensic Acquisition
SATA write blocker by Tableau. Labelled connections: Molex Power In, SATA data connection, External Power, USB, Firewire 800, SATA Power Out, Firewire 400.
The fundamental connections are power and data. If it doesn’t work, verify these connections first:
- External power
- Molex to SATA power
- SATA data connection
- USB to computer data connection
Write Blocking Active
SATA Power Connector, SATA Data Connector
Different storage technologies require different equipment to image Hard Disk Drives (HDDs):
- SATA (Serial ATA)
- IDE/PATA (Parallel ATA)
- USB for external storage
- SD/Compact Flash etc.
- SCSI/SAS
PATA may be one of the most tortured terms in computers. It originates with the AT form factor (350mm x 305mm) motherboard used by IBM and IBM clone PCs. ATA is named from the AT Attachment for hard drives: a forty-conductor ribbon with standard IBM .1” spacing used on MODU connectors. This was later retroactively named PATA to distinguish it from Serial ATA.
© Dr. D. Kall Loper, all rights reserved
IDE Ribbon Cable, 40 Connectors
PATA, 1.8” and ZIF sled: IDE Ribbon Cable; MOLEX Power Connector; Sled Adaptor for ZIF and 1.8” HDDs; Sled Inserts to 2.5” Male Pins; 2.5” IDE Female pins for 2.5” IDE HDDs
PATA, 1.8” and ZIF form factors: IDE Ribbon Cable; Adaptor; 1.8” HDDs; ZIF Adaptors; ZIF Insertion Point
USB Flash Drive
SD Card Write Blocker and Adaptors
SCSI Data Connector; MOLEX Power Connector
SCSI adaptors: SCSI Terminator; SCA backplane to 50 pin SCSI Adaptor; 68 pin VHDCI to 50 pin micro Centronics (Internal) – SCSI-1 or SCSI-2; 68 pin VHDCI to 80 pin Ultra4 SCSI
Parallel Attached SCSI
SAS - Serial Attached SCSI: SATA is Open Here; SATA; SAS
SAS - Serial Attached SCSI: Infiniband (IB) currently comes in 3 speeds: 1x 2.5Gb/s, 4x 10Gb/s, and 8x 30Gb/s. Connectors: Internal SFF-8087 (4XIB) to single lane SAS connectors (four 1XIBs); SFF-8470, External Connector (4XIB)
SAS – Serial Attached SCSI: SFF-8484, 4 lane on HBA; SFF-8470; SAS 8482, 4 single lane SAS; HBA Card (Host Bus Adapter). Images copyright Adaptec, used under Fair Use.
SAS – Serial Attached SCSI: SFF-8484, 4 Lane unified on backplane; SFF-8470, 4 Lane unified for external; SAS 8482, 4 Lane with single lane connectors; HBA
SSD – Solid State Drive: NGFF SSD to SATA; Slim SATA to SATA; mSATA to SATA; mSATA to 2.5” SATA form factor
SSDs: mSATA SSD; SATA; mSATA
Software Write-blocking
- Usually only used in *nix (Linux/Unix etc.)
- Mounts the subject drive in a “read-only” file system.
- Reboots can cause alteration of subject drive.
- Can be used in situations where hardware write block is not possible.
- Cheap and flexible
Acquisition Software
There are numerous software tools available for acquisitions:
- SMART
- EnCase
- FTK Imager
- dd
- Paladin (Macs)
- MacQuisition (Macs)
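The software write-blocking and dd acquisition steps from the two slides above, as an added example that is not part of the original deck: it sets the kernel read-only flag on the subject device, images it to a RAW file with dd, and verifies the image by SHA-256. The function names acquire_raw and sha_of are illustrative; blockdev, dd and sha256sum are standard Linux tools.

```shell
#!/bin/sh
# Added example (not from the original slides). acquire_raw and sha_of are
# illustrative names; blockdev, dd and sha256sum are standard Linux tools.

# Print only the hex SHA-256 digest of a file or device.
sha_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_raw SRC IMG: image SRC to a RAW (dd) file and verify it by hash.
# Returns 0 only when source and image digests match.
acquire_raw() {
    src=$1
    img=$2

    # Never overwrite an existing evidence file.
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 2
    fi

    # Software write block: set the kernel read-only flag on a block device
    # and confirm it took effect (needs root). The flag is lost on reboot or
    # re-plug, so it must be set again before the drive is touched.
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 3
        [ "$(blockdev --getro "$src")" = "1" ] || return 3
    fi

    pre=$(sha_of "$src")             # digest before imaging
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 5
    chmod a-w "$img"                 # image itself becomes read-only
    post_src=$(sha_of "$src")        # source must be unchanged by the read
    post_img=$(sha_of "$img")

    if [ "$pre" = "$post_img" ] && [ "$pre" = "$post_src" ]; then
        ok=yes
    else
        ok=no
    fi

    # Acquisition record kept beside the image.
    printf 'source=%s\nimage=%s\nsha256_source=%s\nsha256_image=%s\nverified=%s\n' \
        "$src" "$img" "$pre" "$post_img" "$ok" > "$img.log"
    [ "$ok" = yes ]
}
```

Called as acquire_raw /dev/sdX case001.dd, where /dev/sdX is a placeholder for the subject device; on a regular file the blockdev step is skipped.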
Software Acquisition High Level
FTK Imager is a software acquisition tool. You can download a free copy at http://www.accessdata.com/support
Output Format
- Expert Witness Format (EWF: EWF-E01, EWF-Ex01, and EWF-S01)
- QCOW version 1, 2, 3
- RAW (dd)
- VHD (Virtual Hard Disk)
- VMDK (Virtual Machine Disk)
- AFF (Advanced Forensic Format)