Tuesday, 21 April 2009

EnCase and Tableau Forensic Bay

Came across this issue today and though I'd share it with you.

I recently installed the latest version of EnCase Version 6.13.0.43. Reading the release notes states that hard drives connected to Tableau Write Blockers are now recognized by EnCase as been write blocked. Since we use a large number of Tableau devices I started testing.

In testing I have found this to be true for the Tableau T35es, T35e, T3u , T4, T14 and the T15.

When testing with the T335 (Forensic Drive Bay Controller Firmware 6.22) I found the that EnCase is not correctly identifying a drive as been write blocked.

Test Results

IDE - Set to Read Only
SATA1 - Set to Read Only
SATA2 - Set to Read Only

EnCase see's all drives as Write Blocked

IDE - Set to Read Write
SATA1 - Set to Read Write
SATA2 - Set to Read Write

EnCase see's all drives as not Write Blocked

IDE - Set to Read Only
SATA1 - Set to Read Write
SATA2 - Set to Read Only

EnCase see's all drives as Write Blocked.

This can be an issue because if you believe what EnCase is telling you when you are creating a forensic image of a suspect drive and it is in a read/write bay you may accidentally alter potential evidence however the EnCase report will state that the drive was acquired while write blocked.

I have made Guidance Software aware of this issue.

23-April-2009
UPDATE
Guidance Software have created defect number 28371 for this issue.

No comments:

Post a Comment