Crimefighting tool lets users copy an entire hard drive without a trace

BOX SCORE

Image MASSter Solo 2 Forensic Kit


HARD DRIVE DUPLICATOR AND THERMAL PRINTER WITH CD-REWRITABLE DRIVE


Intelligent Computer Solutions Inc.;

Chatsworth, Calif.;

tel. 818-998-5805

www.ics-iq.com

Price: $2,750


+ Fast duplication

- Ambiguous labeling

The Solo 2 kit includes a disk duplicator, a thermal printer and a CD-RW drive.

Law officers use this forensic kit, even though it can take half an hour

Even before the terrorist attacks, the Secret Service and other law enforcement agencies were using the Image MASSter Solo 2 Forensic Kit, a three-piece hardware kit for covertly copying a suspect's computer files.

Under the right conditions, the Solo 2 can copy everything on a PC hard drive without requiring you to open the chassis or remove the hard drive.

In GCN Lab tests using a PC parallel port, I could duplicate onto a separate test drive all of the PC's 6G of data in about a half-hour. The transfer rate over an IDE cable was about 40 megabytes/sec.

It did seem to me, however, that a half-hour is a long time for a law enforcement agent to hang around a potentially dangerous place copying things.

After duplicating the PC drive through the parallel port, I connected the test drive directly to the Solo 2 via an IDE cable connection. That took less than 10 minutes. The 1:1 transfer between the two hard drives zoomed along at about 1.2 gigabytes per minute.

Nice and warm

The kit also included a thermal printer to print an audit report on the type of drive copied, its capacity and number of sectors. The report listed boot record details and described the partitions and whether their formats were File Allocation Table or NT File System.
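The items the audit report prints (capacity, sector count, boot record, partition layout and FAT versus NTFS) all come from the first sector of the drive. As an added example that is not the Solo 2's own code, the following pulls those details out of a constructed sample image by parsing its master boot record, and adds a source-versus-copy hash comparison as this example's own completeness check; the page does not mention hashing.

```python
import hashlib
import struct

SECTOR = 512

# MBR partition-type bytes for the filesystems the audit report distinguishes.
PART_TYPES = {
    0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16", 0x0B: "FAT32",
    0x0C: "FAT32", 0x0E: "FAT16", 0x07: "NTFS",
}

def parse_mbr(boot_sector: bytes) -> dict:
    """Return the boot-record details an imaging audit report lists."""
    if len(boot_sector) < SECTOR or boot_sector[510:512] != b"\x55\xaa":
        raise ValueError("no valid MBR signature")
    partitions = []
    for i in range(4):                       # four 16-byte entries at offset 446
        entry = boot_sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype == 0:                       # empty slot
            continue
        partitions.append({
            "index": i, "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
            "start_lba": lba_start, "sectors": sectors,
        })
    return {"signature_ok": True, "partitions": partitions}

def make_entry(bootable: bool, ptype: int, start: int, count: int) -> bytes:
    # Constructed partition entry; CHS fields are left zero because LBA is used.
    return bytes([0x80 if bootable else 0, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, count)

def build_sample_image(total_sectors: int = 2048) -> bytes:
    """Constructed sample disk: a bootable NTFS partition followed by a FAT32 one."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = make_entry(True, 0x07, 63, 1000)
    mbr[462:478] = make_entry(False, 0x0B, 1063, 900)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + b"\x00" * (SECTOR * (total_sectors - 1))

def audit_report(source: bytes, copy: bytes) -> dict:
    """Assemble the report fields; the hash comparison is this example's addition."""
    report = parse_mbr(source[:SECTOR])
    report["capacity_bytes"] = len(source)
    report["sector_count"] = len(source) // SECTOR
    report["source_sha256"] = hashlib.sha256(source).hexdigest()
    report["copy_matches"] = report["source_sha256"] == hashlib.sha256(copy).hexdigest()
    return report
```

A matching hash on both drives is the evidence that the copy is complete and that the source was left unchanged, which is the property the unidirectional transfer described later is meant to guarantee.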

A third component in the kit, a CD-rewritable drive, connected to the Solo 2 to archive its data.

Because the Solo 2 can copy information from several suspect drives onto one master drive, immediately archiving data would extend the capacity for field investigations.

Another handy use for the Solo 2 is to create a master drive with all the software and operating system settings necessary to troubleshoot problems on equipment you support in your network operating center.

For example, one lab PC had a corrupt Dynamic Link Library file. It was time to reformat the drive and reinstall the OS and applications. I cut those lengthy chores in half with my preconfigured master drive. Because the computer had several aging parts, I did have to hunt down some obscure device drivers, but I didn't need to spend time installing the OS or other software separately.

A couple of warnings for investigators: If a suspect's computer happens to have a boot-sector password initiated in the BIOS, its data cannot be duplicated covertly through the parallel port. The agent has to open the computer and remove the hard drive to copy it, possibly alerting the suspect.

And if the data on the suspect's hard drive has been encrypted, it will still be encrypted after the Solo 2 copies it.

I discovered a couple of glitches in using the master drive. The Solo 2 device has three IDE plugs for PC drive connections: one on the outside and two under a removable cover. The covered plugs are marked Target-2 and Master.

What's its name?

They are labeled wrong. To my way of thinking, the master should connect to the drive you want to copy, and the target plug should connect to the blank drive you are copying to. But Solo 2 works the opposite way.

I was confused, and other users have been too. Luckily, the Solo 2's data transfer has been made unidirectional, because some agents had apparently overwritten suspects' hard drives, writing information onto them or reformatting their disks, rather than taking the data.

Note that on the Pro version of Solo 2, the Target-2 plug is disabled anyway.

The unmarked external connection is Target-1, but it has no label. It should.

Another needed improvement is documentation about certain brands of hard drives that must be modified before they can be duplicated.

I found the Solo 2 could not detect one or two hard drives. Then I discovered that a Western Digital Corp. drive must have its jumper peg completely removed to be duplicated. This was not documented.

I wasted time figuring this out. A law enforcement officer would have even less time to waste, and the need to change jumpers would kill the chance of quickly duplicating a suspect's drive.

Reader Comments

Wed, May 18, 2011

The article does not talk about "leave behinds" these tools contain.
