Hi Josh, I have recently been trying to start building a collection of forensics hardware, with little success. As a student with a family, budget is limited as far as buying new goes. I've searched relentlessly for used tableau equipment and found one write blocker through ebay? Can you recommend anywhere that may be able to sell on older/no-longer required equipment? Thanks in advance. Thanks, Richard H

@DFIRScience

2 жыл бұрын

Hi Richard - second hand write blockers are rare. They either keep working (and no need to buy a new one) or they go bad. Make sure you really test anything that you get second-hand. When building out my kit, I first identify what drives I work with the most. You might be able to justify 'investing' in that type of blocker. For connection types I image less frequently, I get adapters that are NOT write-blocked, and then I use kernel-level software write blocking built into Tsurugi Linux. It's much cheaper to start with adapters and get hardware write blockers or cloners when you need/can afford it. There is nothing wrong with software write blocking until then as long as 1) you test test test and 2) your procedure allows it. I feel your pain. I only have one go-to blocker that I use for most of my work. Waiting for the day I can justify the TX1 or Atola!

@Cyb3rScr33ch

2 жыл бұрын

@@DFIRScience Hi Josh, Thanks for the advice, that's saved hours of relentlessly searching for hardware. I've downloaded Tsurugi and looking forward to getting to grips with it, I was unaware of Tsurugi until you had mentioned it - Thanks for that. The write blocker I was able to purchase (for an astonishing £22) seems to work, although will need adapters etc as it's an older write blocker but so far seems to be working 😀. That TX1 certainly does look amazing, it's on my dream list 🤩

@armandomarreropenate9579

Жыл бұрын

Hello Richard, what is the benefit to use hardware write blockers over a software write blocker? Does FTK is a software write-blocker? Thanks

@Cyb3rScr33ch

Жыл бұрын

@@armandomarreropenate9579 I am but a humble student myself, nonetheless I shall answer to the best of my knowledge. As Josh mentioned, hardware write blockers keep working, I was extremely luck to find one for sale on ebay i was surprised it worked with no issues too. IMO they're more reliable and more portable - tableau offer many different hardware tools. (check out some of DFIRScience other videos and Tableau's website for other hardware, i.e., the Tableau TX-1 🤩🤩) that being said I've not really used software based write blockers yet, I'd be worried that the wrong configuration could potentially modify files on the evidence item. FTK is software you would use to create you're E01 (or raw etc) image to examine with forensic tools (autopsy etc). Hope this answers your question 😀