RE: [linux_forensics] Re: Advice for HARDWARE drive imaging
- I also have a Disc Jockey; to date, I have only used it as a very convenient
means to wipe drives.
To add to Steve's review:
1) The Disc Jockey is very particular about older UDMA drives. I have
several 10 GB and under drives that it refuses to work with.
2) The Disc Jockey has no error handling capability. If it hits a bad
sector, it stops.
When it works, it works great. I wouldn't consider it a forensics tool
Rehman Technology Services, Inc.
Specializing in Computer Forensics and Technology Related Investigations
Mount Dora, Florida (Orlando Area)
Florida Association of Computer Crime Investigators http://www.facci.org
- A forensic version of the same type of copier can be found at:
which is a little more expensive is from Diskology. I may try that
the next time I need to replace/add a write blocker. Like Steve says, I'm
more comfortable being able to see what is happening other than relying on
lights and sounds, but if it works...
On 1/3/05, Steve Burgess <steve@...> wrote:
> I recently purchased a Disk Jockey and have used it a few times. It's
> a mixed bag.
> Inexpensive, small, standalone, multiple functions, pretty fast,
> comes with a keyed 2.5" adapter. Other adapters available (such as
> SATA), platform-independent as standalone, Mac & Win compatible
> hooked up to a computer. Can make two copies at once under certain
> Progress reports are through blinking LEDs, a buzzer, and no other
> readouts. Does only UDMA-compatible drives (I confirmed this with an
> old 80 MB IDE drive) - no SCSI, Only Mac & Win compatible when hooked
> up to a computer.
> Possible Cons (but I haven't used it enough to know):
> It has built-in cables which are certain to break with repeated use
> (like any cable) & I don't know how straightforward it will be to
> replace them (possible workaround - use an extender IDE cable). It
> appears that it just requires removing 4 screws, opening the box &
> replacing the cables, but I don't know that yet.
> Ditto on the DC cable.
> Manual rotary switch to change functions will eventually wear
> out...with possibly dramatic results as when it wears out, it might
> perform an undesirable function.
> It seems that certain error conditions might go unreported.
> Unknown: I haven't done any hashing on the copies I have done. They
> appear to be identical.
> Quirky: Both drives must be set as Master.
> Long Narrative:
> I find it a little unnerving not to have some kind of text readout
> giving me a progress report or reporting on errors. The DJ has 3 LEDs
> and a few beep tones for communication.
> But it is pretty fast...it claims to go 2 GB/Minute on a 5400 RPM drive.
> It copied a newer 40 GB drive in 22 minutes...fairly close to its
> claim (1.8 GB/min).
> It did ~1/3 that speed on an old 3600 RPM drive (~700 MB/min). The
> compare on the older drive went faster than the copy for me. The
> manual says to expect the copy and the compare to take about the same
> amount of time.
> It's compact as can be. I put the whole deal with adapters and
> manual in a little camera bag.
> Multiple Functions:
> It can be used to: mount a drive externally with the USB feature,
> mirror or copy 2 drives at once (from the computer's internal
> source), span 2 drives as one volume (while hooked up to the DJ),
> sector-copy/image a drive, compare (sector-by-sector), check a disk
> for errors, wipe 1X with zeroes, wipe 3X with zeroes.
> The thing is, with all of these functions and no readout, the
> possibility of making a mistake seems increased. The rotary switch
> has a groove right across it as an indicator. Looking a little
> closer, with my glasses on, I can see that the indicator end is a bit
> different than the non-indicator end. But if I was feeling confident
> (always a good idea at the deposition table, but bad in the lab!) and
> didn't have my glasses handy, it might not be too hard to
> accidentally set the switch in position 6 (Data Erase x1) rather than
> position 1 (Mirror), or 7 (Erase x3) instead of 2 (Combine).
> Fortunately, 3 (Copy) and 4 (Compare) have no opposite (8 & 9 have no
> functions associated with them).
> The other thing is - it seems a bit funky to have the DJ communicate
> only by means of three LEDs and a buzzer. In our wimpy GUI world, a
> little text readout of some sort and maybe a little downloadable log
> would be nice.
> Short summary:
> Fast, small, inexpensive, and capable, but quirky with some
> potentially major shortcomings.
> >Hi all,
> >I heard about this product a little while ago and it looks neat (I
> >haven't used it). It is a hard disk duplicator / adapter called the
> >Disk Jockey. In addition to allowing unattached disk copying, it can
> >function as a USB -> IDE adapter or a Firewire -> IDE adapter to connect
> >to a computer. It also can do "drive combining" which is basically RAID
> >0 and "drive mirroring" (RAID 1). The mirroring function could be
> >useful for creating two copies of a HD at once, but I think you would
> >have to connect the unit to another computer to do that. Actually, I
> >would guess you could just connect this to the USB port and boot the
> >original computer with a CD.
> >It doesn't mention forensics on the web site, but the disk copy feature
> >claims to do a sector by sector copy and it mentions in the user manual
> >that it doesn't write any data to the source drive for forensic purposes.
> >Here is the product web site:
> >Here is a review:
> >Oh yeah, the best part... it costs $330... much less than the
> >Again, I haven't used it and I don't know anyone who has tested it for
> >forensic purposes, so you are on your own there.
> Steven G Burgess
> Burgess Consulting & Forensics
> Expert Witness, Computer forensics
> Data Recovery, Data Transfer
> Ph: 805.349.7676, tollfree: 866.345.3345
> Fax: 805.349.7790
> email: steve@..., doctordata@...
> 2255 South Broadway, Suite 9
> Santa Maria, CA 93455
> [Non-text portions of this message have been removed]
> Yahoo! Groups Links
[Non-text portions of this message have been removed]