Loading ...
Sorry, an error occurred while loading the content.
 

RE: [linux_forensics] Re: Advice for HARDWARE drive imaging

Expand Messages
  • Doug Rehman
    I also have a Disc Jockey; to date, I have only used it as a very convenient means to wipe drives. To add to Steve s review: 1) The Disc Jockey is very
    Message 1 of 134 , Jan 1, 2005
      I also have a Disc Jockey; to date, I have only used it as a very convenient
      means to wipe drives.

      To add to Steve's review:

      1) The Disc Jockey is very particular about older UDMA drives. I have
      several 10 GB and under drives that it refuses to work with.

      2) The Disc Jockey has no error handling capability. If it hits a bad
      sector, it stops.

      When it works, it works great. I wouldn't consider it a forensics tool
      however.


      Doug Rehman
      Rehman Technology Services, Inc.
      Specializing in Computer Forensics and Technology Related Investigations
      License A-9800119
      Mount Dora, Florida (Orlando Area)
      (352)357-0500 http://www.electronicdiscovery.com

      President
      Florida Association of Computer Crime Investigators http://www.facci.org
    • Brett Shavers
      A forensic version of the same type of copier can be found at:
      Message 134 of 134 , Sep 18, 2006
        A forensic version of the same type of copier can be found at:
        http://www.diskology.com/catalog/product_info.php/products_id/49?osCsid=586ecca8221f77b426f07d2feb5292c3,
        which is a little more expensive is from Diskology. I may try that
        one
        the next time I need to replace/add a write blocker. Like Steve says, I'm
        more comfortable being able to see what is happening other than relying on
        lights and sounds, but if it works...

        Brett Shavers

        On 1/3/05, Steve Burgess <steve@...> wrote:
        >
        >
        > I recently purchased a Disk Jockey and have used it a few times. It's
        > a mixed bag.
        >
        > Pros:
        > Inexpensive, small, standalone, multiple functions, pretty fast,
        > comes with a keyed 2.5" adapter. Other adapters available (such as
        > SATA), platform-independent as standalone, Mac & Win compatible
        > hooked up to a computer. Can make two copies at once under certain
        > circumstances.
        >
        > Cons:
        > Progress reports are through blinking LEDs, a buzzer, and no other
        > readouts. Does only UDMA-compatible drives (I confirmed this with an
        > old 80 MB IDE drive) - no SCSI, Only Mac & Win compatible when hooked
        > up to a computer.
        >
        > Possible Cons (but I haven't used it enough to know):
        > It has built-in cables which are certain to break with repeated use
        > (like any cable) & I don't know how straightforward it will be to
        > replace them (possible workaround - use an extender IDE cable). It
        > appears that it just requires removing 4 screws, opening the box &
        > replacing the cables, but I don't know that yet.
        > Ditto on the DC cable.
        > Manual rotary switch to change functions will eventually wear
        > out...with possibly dramatic results as when it wears out, it might
        > perform an undesirable function.
        > It seems that certain error conditions might go unreported.
        >
        > Unknown: I haven't done any hashing on the copies I have done. They
        > appear to be identical.
        >
        > Quirky: Both drives must be set as Master.
        >
        > Long Narrative:
        > I find it a little unnerving not to have some kind of text readout
        > giving me a progress report or reporting on errors. The DJ has 3 LEDs
        > and a few beep tones for communication.
        > But it is pretty fast...it claims to go 2 GB/Minute on a 5400 RPM drive.
        > It copied a newer 40 GB drive in 22 minutes...fairly close to its
        > claim (1.8 GB/min).
        > It did ~1/3 that speed on an old 3600 RPM drive (~700 MB/min). The
        > compare on the older drive went faster than the copy for me. The
        > manual says to expect the copy and the compare to take about the same
        > amount of time.
        > It's compact as can be. I put the whole deal with adapters and
        > manual in a little camera bag.
        > Multiple Functions:
        > It can be used to: mount a drive externally with the USB feature,
        > mirror or copy 2 drives at once (from the computer's internal
        > source), span 2 drives as one volume (while hooked up to the DJ),
        > sector-copy/image a drive, compare (sector-by-sector), check a disk
        > for errors, wipe 1X with zeroes, wipe 3X with zeroes.
        >
        > The thing is, with all of these functions and no readout, the
        > possibility of making a mistake seems increased. The rotary switch
        > has a groove right across it as an indicator. Looking a little
        > closer, with my glasses on, I can see that the indicator end is a bit
        > different than the non-indicator end. But if I was feeling confident
        > (always a good idea at the deposition table, but bad in the lab!) and
        > didn't have my glasses handy, it might not be too hard to
        > accidentally set the switch in position 6 (Data Erase x1) rather than
        > position 1 (Mirror), or 7 (Erase x3) instead of 2 (Combine).
        > Fortunately, 3 (Copy) and 4 (Compare) have no opposite (8 & 9 have no
        > functions associated with them).
        >
        > The other thing is - it seems a bit funky to have the DJ communicate
        > only by means of three LEDs and a buzzer. In our wimpy GUI world, a
        > little text readout of some sort and maybe a little downloadable log
        > would be nice.
        >
        > Short summary:
        > Fast, small, inexpensive, and capable, but quirky with some
        > potentially major shortcomings.
        >
        > >Hi all,
        > >
        > >I heard about this product a little while ago and it looks neat (I
        > >haven't used it). It is a hard disk duplicator / adapter called the
        > >Disk Jockey. In addition to allowing unattached disk copying, it can
        > >function as a USB -> IDE adapter or a Firewire -> IDE adapter to connect
        > >to a computer. It also can do "drive combining" which is basically RAID
        > >0 and "drive mirroring" (RAID 1). The mirroring function could be
        > >useful for creating two copies of a HD at once, but I think you would
        > >have to connect the unit to another computer to do that. Actually, I
        > >would guess you could just connect this to the USB port and boot the
        > >original computer with a CD.
        > >
        > >It doesn't mention forensics on the web site, but the disk copy feature
        > >claims to do a sector by sector copy and it mentions in the user manual
        > >that it doesn't write any data to the source drive for forensic purposes.
        > >
        > >Here is the product web site:
        > ><http://www.diskology.com/products.html>
        > http://www.diskology.com/products.html
        > >
        > >Here is a review:
        > ><http://arstechnica.com/reviews/hardware/diskjockey.ars>
        > http://arstechnica.com/reviews/hardware/diskjockey.ars
        > >
        > >Oh yeah, the best part... it costs $330... much less than the
        > SoloMASSter.
        > >
        > >Again, I haven't used it and I don't know anyone who has tested it for
        > >forensic purposes, so you are on your own there.
        > >
        > >Chuck
        >
        > --
        > Steven G Burgess
        > Burgess Consulting & Forensics
        > Expert Witness, Computer forensics
        > Data Recovery, Data Transfer
        > Ph: 805.349.7676, tollfree: 866.345.3345
        > Fax: 805.349.7790
        > email: steve@..., doctordata@...
        > 2255 South Broadway, Suite 9
        > Santa Maria, CA 93455
        >
        > [Non-text portions of this message have been removed]
        >
        >
        >
        >
        > Yahoo! Groups Links
        >
        >
        >
        >
        >
        >
        >
        >


        [Non-text portions of this message have been removed]
      Your message has been successfully submitted and would be delivered to recipients shortly.