How To Ship Drives

From ForensicsWiki
Revision as of 01:08, 23 February 2010 by Jbgross (Talk | contribs)

Jump to: navigation, search

I was recently asked about shipping drives for forensic analysis, and since I've seen this done successfully and seen failures, I thought I would write this advice up for general consumption.

Shipping disks is tricky, but often needs to be done. Copying entire images over networks is often impossible due to the sheer size of the image. If you must ship disks, here are some instructions:

  1. Never ship the original drive (unless necessary for legal reasons). Regardless of the ultimate disposition of the original drive, always start by shipping an.
  1. Use one of the Write Blockers mentioned on this page.
  1. A drive can be imaged by a number of free software tools, such as FTK_Imager.
  1. Image to a bare (internal) hard drive, such as these internal hard drives.
  1. Use enter a [1]