Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensics Forensic Acquisition.

Published byFloris Veenstra Modified over 6 years ago

Similar presentations

Presentation on theme: "Forensics Forensic Acquisition."— Presentation transcript:

1 Forensics Forensic Acquisition

2 Forensic Acquisition SATA write blocker by Tableau Molex Power In
SATA data connection External Power USB Firewire 800 SATA Power Out Firewire 400

3 Forensic Acquisition The fundamental connections are power and data.
If it doesn’t work verify these connections first. External power

4 Forensic Acquisition Molex to SATA Power

5 Forensic Acquisition SATA data connection

6 Forensic Acquisition USB to computer data connection

7 Forensic Acquisition Write Blocking Active

8 Forensic Acquisition SATA Power Connector SATA Data Connector

9 Forensic Acquisition Different storage technologies require different equipment to image Hard Disk Drives (HDD’s). SATA (Serial ATA) IDE/PATA (Parallel ATA) USB for external storage SD/Compact Flash etc. SCSI/SAS

10 Forensic Acquisition PATA may be one of the most tortured terms in computers. Originally, the AT form factor (350mm x 305mm) motherboard used by IBM and IBM Clone PC’s. ATA, named from the AT Attachment for hard drives: a forty conductor ribbon with standard IBM .1” spacing used on MODU connectors. This was later retroactively named PATA to distinguish it from Serial ATA. © Dr. D. Kall Loper, all rights reserved

11 Forensic Acquisition IDE Ribbon Cable, 40 Connectors
No copyright claim to image. Used under Fair Use.

12 Forensic Acquisition PATA, 1.8” and ZIF sled IDE Ribbon Cable
MOLEX Power Connector Sled Adaptor for ZIF and 1.8” HDD’s Sled Inserts to 2.5” Male Pins 2.5” IDE Female pins for 2.5” IDE HDD’s

13 Forensic Acquisition PATA, 1.8” and ZIF form factors IDE Ribbon Cable
Adaptor 1.8” HDD’s ZIF Adaptors ZIF Insertion Point

14 Forensic Acquisition USB Flash Drive

15 Forensic Acquisition SD Card Write Blocker and Adaptors

16 Forensic Acquisition SCSI Data Connector MOLEX Power Connector

17 Forensic Acquisition SCSI Terminator SCA backplane to 50 pin
SCSI Adaptor 68 pin VHDCI to 50 pin micro Centronix (Internal) – SCSI-1 or SCSI-2 68 pin VHDCI to 80 pinUltra4 SCSI

18 Forensic Acquisition Parallel Attached SCSI
No copyright claim to image. Used under Fair Use.

19 Forensic Acquisition SAS - Serial Attached SCSI SATA is Open Here SATA
No copyright claim to image. Used under Fair Use. SAS

20 Forensic Acquisition SAS - Serial Attached SCSI
Infiniband (IB) currently comes in 3 speeds: 1x 2.5Gb/s, 4x 10Gb/s, and 8x 30Gb/s No copyright claim to image. Used under Fair Use. Internal SFF-8087 (4XIB) to single lane SAS connectors (four 1XIB’s) SFF-8470, External Connector (4XIB)

21 Forensic Acquisition SAS – Serial Attached SCSI
SFF-8484, 4 lane on HBA Copyright Adaptec. Used under Fair Use. SFF-8470 SFF-8484 SAS 8482, 4 single lane SAS HBA Card (Host Bus Adapter)

22 Forensic Acquisition SAS – Serial Attached SCSI SAS 8482 SFF-8484
SFF Lane unified on backplane HBA Copyright Adaptec. Used under Fair Use. HBA SFF Lane unified for external SAS Lane with single lane connectors

23 Forensic Acquisition SSD – Solid State Drive NGFF SSD to SATA
Slim SATA to SATA mSATA to SATA mSATA to 2.5” SATA form factor

24 Forensic Acquisition SSD’s mSATA SSD SATA mSATA

25 Forensic Acquisition Software Write-blocking
Usually only used in *nix (Linux/Unix etc.) Mounts the subject drive in a “read-only” file system. Reboots can cause alteration of subject drive. Can be used in situations where hardware write block is not possible. Cheap and flexible

26

27 Forensic Acquisition Acquisition Software
There are numerous software tools available for acquisitions. SMART EnCase FTK Imager dd Paladin (Macs) MacQuisition (Macs)

28 Forensic Acquisition Software Acquisition High Level

29 Forensic Acquisition FTK Imager is a software acquisition tool. You can download a free copy at

30 Forensic Acquisition

31 Forensic Acquisition

32 Forensic Acquisition

33 Forensic Acquisition

34 Forensic Acquisition Output Format Expert Witness Format (EWF)
EWF-E01, EWF-Ex01, and EWF-S01) QCOW version 1, 2, 3 RAW (dd) VHD (Virtual Hard Disk) VMDK (Virtual Machine Disk) AFF (Advanced Forensic Format)

35 Forensic Acquisition

36 Forensic Acquisition

37 Forensic Acquisition

38

Download ppt "Forensics Forensic Acquisition."

Similar presentations

Ali Baydoun1 Controllers (hard drive controllers).

Ali Baydoun1 Controllers (hard drive controllers).
COEN 252 Computer Forensics Hard Drive Geometry. Drive Geometry Basic Definitions: Track Sector Floppy.

COEN 252 Computer Forensics Hard Drive Geometry. Drive Geometry Basic Definitions: Track Sector Floppy.
CSN08101 Digital Forensics Lecture 6: Acquisition

CSN08101 Digital Forensics Lecture 6: Acquisition
IT Essentials PC Hardware & Software v5.0

IT Essentials PC Hardware & Software v5.0
This courseware is copyrighted © 2011 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.

This courseware is copyrighted © 2011 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.
PC Support & Repair Chapter 3 Computer Assembly- Step by Step.

PC Support & Repair Chapter 3 Computer Assembly- Step by Step.
Improving Networks Worldwide. UNH InterOperability Lab Serial Advanced Technology Attachment (SATA) Use Cases.

Improving Networks Worldwide. UNH InterOperability Lab Serial Advanced Technology Attachment (SATA) Use Cases.
Electronics Confidential Information © 3M 2005, All Rights Reserved Enterprise Computing Applications Charlie Staley January 2007.

Electronics Confidential Information © 3M 2005, All Rights Reserved Enterprise Computing Applications Charlie Staley January 2007.
Hard Disk Drives. ATA is the current standard, it uses regular molex power connectors and IDE cables. SATA is a newer product (also SATA2 is already in.

Hard Disk Drives. ATA is the current standard, it uses regular molex power connectors and IDE cables. SATA is a newer product (also SATA2 is already in.
Universal Serial Bus USB Instant connection of external devices No adapter cards needed Mouse, joysticks, thumbnail drives PC standard 1.5 - 12 Megabits.

Universal Serial Bus USB Instant connection of external devices No adapter cards needed Mouse, joysticks, thumbnail drives PC standard Megabits.
Computer Hardware Components for Desktop

Computer Hardware Components for Desktop
G043 – Lecture 02 Inside A Desktop PC Mr C Johnston ICT Teacher www.computechedu.co.uk.

G043 – Lecture 02 Inside A Desktop PC Mr C Johnston ICT Teacher
IT Essentials PC Hardware & Software v4.1 Chapter 1 – Introduction to the PC Jeopardy Review Darren Shaver (Some questions originally from Stacie Bender)

IT Essentials PC Hardware & Software v4.1 Chapter 1 – Introduction to the PC Jeopardy Review Darren Shaver (Some questions originally from Stacie Bender)
UNH InterOperability Lab Serial Advanced Technology Attachment (SATA) Use Cases.

UNH InterOperability Lab Serial Advanced Technology Attachment (SATA) Use Cases.
Improving Networks Worldwide. UNH InterOperability Lab Serial Attached SCSI (SAS) Use Cases.

Improving Networks Worldwide. UNH InterOperability Lab Serial Attached SCSI (SAS) Use Cases.
Secondary Storage Unit 013: Systems Architecture Workbook: Secondary Storage 1G.

Secondary Storage Unit 013: Systems Architecture Workbook: Secondary Storage 1G.
A+ Guide to Managing and Maintaining Your PC, 7e

A+ Guide to Managing and Maintaining Your PC, 7e
COEN 252 Computer Forensics

COEN 252 Computer Forensics
CONNECTORS AND POINTS Elizabeth Viverette. 20-PIN P1  Main power connector for early ATX motherboards.

CONNECTORS AND POINTS Elizabeth Viverette. 20-PIN P1  Main power connector for early ATX motherboards.
Copyright © 2007 Heathkit Company, Inc. All Rights Reserved PC Fundamentals Presentation 20 – The Hard Drive Interface.

Copyright © 2007 Heathkit Company, Inc. All Rights Reserved PC Fundamentals Presentation 20 – The Hard Drive Interface.

Similar presentations

Ads by Google