guymager / Support Requests / #4 tableau write blocker and guymager

#4 tableau write blocker and guymager

Status: closed

Owner: guy

Labels: None

Priority: low

Updated: 2017-10-16

Created: 2017-08-23

Creator: vincenzo

Private: No

Hi Guy,
I'm trying to acquire the image of a suspect hard disk using guymager. To do this I've connected the suspect hard disk to my PC (Ubuntu 16.04), using the Tableau T35es write blocker. However in the Guymager interface i don't see the suspect hard disk.
As you can see in the attached figure the Tableau is connected via eSATA to my PC and the lspci command show me:
product: ASM1062 Serial ATA Controller
vendor: ASMedia Technology Inc.
configuration: driver=ahci latency=0

What i'm wronging ?

Please, can you assit me ?

Thanks in advance.

Best Regards.

Vincenzo Di Salvo.

1 Attachments

IMG_20170822_125316.jpg

Discussion

guy - 2017-08-24

The write blocker device gets recognised, but I guess that your hard drive has not been detetecd by the kernel. Please try this:
1. Unplug the drive (and maybe also switch it off)
2. On a shell: tail -f /var/log/syslog
3. Replug your drive and see what appears in the syslog. If your're not sure about how to read the output then compare it with a correctly running HDD or post it here.

You may also may try to connect your drive directly, without write blocker, to a system where automount has been disabled. If you're not sure about disabling automount use a forensic Live CD, like for example CAINE, where everything is configured forensically safe.

Guy

PS: Write blockers IMHO have too many disadvantages: Costs, slow, prevent devices from not being recognised, stolen by a colleague, cables missing, .... we don't use write blockers in our lab but have properly configured Linux machines instead.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

vincenzo - 2017-08-26

Hi Guy,

thanks very much.
Please, i send you the screenshoot of the tail command. Can you help me to understand it ?

Is very tedious this problem.

Regarding the use of a properly configured Linux machine I'll write you another email and I will show my doubts about the write blocking techniques.

I hope to hear you soon.

Best Regards.

Vincenzo.

Last edit: guy 2017-08-29

WriteBlocker_tail_command.png

alternate

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

guy - 2017-08-29

Vicenzo,

is that what syslog showed the moment after you connected the drive? Did you do it you the way I described, i.e. 1) unplug drive, 2) tail syslog, 3) replug and keep an eye on syslog's output while replugging? If that's the case, then there's simply nothing to see there about your disk. It looks pretty dead. /dev/sda simply seems to be the boot drive, right?

Btw, the "failed to flush" messages are not related to your disk drive (it's network stuff).

Please try
the same with a disk where you know it's working
the same without write blocker (with automount switched off)

If you don't know how to switch automount off in Ubuntu I can show you, just let me know.

Last edit: guy 2017-10-16

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

guy - 2017-08-29

assigned_to: guy
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

guy - 2017-10-16

status: open --> closed

Priority: high --> low
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.