Ultimate Forensic Write Protection Kit User Guide

Home > Library > Documentation > Ultimate Forensic Write Protection Kit User Guide

• Ultimate Forensic Write Protection Kit
• How to Use This Manual
• Quick Start
  • Unpacking Your Ultimate Forensic Write Protection Kit
  • Using the Tableau T3u Forensic SATA Bridge
  • Using the Tableau T4 SCSI Bridge
  • Using the T8 USB Bridge
  • Using the T14 IDE Pocket Bridge
  • Using the T14 IDE Pocket Bridge with a TDA5-25 Hard Disk Adapter
• Useful Information
  • Configuration Switches
  • Removal Procedures
  • Daisy-Chaining Forensic Bridges
  • Hot Swapping Drives
  • Other Tips & Information

1.  Ultimate Forensic Write Protection Kit

To Top

The Ultimate Forensic Write Protection Kit (UFWPK) does it ALL for the following media types:  IDE, IDE Notebook, SATA, SCSI(50-pin, 68-pin, and SCA-80), PLUS seven varieties of flash media. The Ultimate Forensic Write Protection Kit comes packaged in either the Targus Laptop Bag, in a Pelican 1450, or in a Plano Tackle Box depending upon whether or not the kit was purchased with a system, and what kind of system.

2.  How to Use This Manual 

To Top

This manual has two main sections:  Quick Start and Useful Information.

The Quick Start section of the manual will give the user enough information about the Ultimate Forensic Write Protection Kit (UFWPK) and its accessories to get started.  There is an overview of the additional components that come with the UFWPK and their use.  The Useful Information section goes into more detail about specific components of the Ultimate Forensic Write Protection Kit (UFWPK).

3.  Quick Start 

To Top

3.1 Unpacking Your Ultimate Forensic Write Protection Kit (UFWPK) 

To Top

In the Ultimate Forensic Write Protection Kit (UFWPK), there are six categories of items:  Forensic Bridges, Cables, Adapters, Power Assembly, Media Reader and Carrier Case. 

When you first receive your UFWPK, please familiarize yourself with all of its contents.  The following table lists each of the items found in the kit.

Photo	Description
	The Tableau T3U can be used to connect to FireWire400, FireWire800, USB 1.1 and 2.0 devices to extract data from another computer. (PN: T3U)
	The Tableau T4 Forensic Bridge is a write-blocker for use with SCSI (Small Computer Systems Interface) hard disks. The T4 is identifiable from the T3u or the T35e by the SCSI port located on its right side.  (PN:  T4)
	The Tableau T14 Pocket IDE Bridge is very small and will fit into the palm of our hand. One can directly attach the T14 to a typical hard drive, therefore using the T14 as one would use any other forensic bridge. NOTE: The TC-17 is a “Y” cable power connector for the T14, T14-RW and the T15. (PN: T14)
	The Tableau T14-RW Pocket IDE Bridge is very small and will fit into the palm of your hand. One can directly attach the T14-RW to a typical hard drive, therefore using the T14 as one would use any other forensic bridge. (PN: T14-RW)
	The Tableau T8 USB Forensic bridge works with mass storage devices like USB thumb drives, external USB hard drives, Apple iPOD's that have USB interfaces, and even USB-based cameras with card-reader capability.   (PN:  T8)
	The TC10-8 SCSI ribbon cable is a high-quality, 68-conductor SCSI cable with standard high-density 68-pin SCSI connectors at each end. There are pull tabs at each end to make the cable more rugged. (PN:  TC10-8)
	The TC6-8 IDE ribbon cable is a high-quality, 80-conductor IDE cable with standard high-density 40-pin IDE connectors at each end. There are pull tabs at each end to make the cable more rugged. (PN:  TC6-8)
	50-pin SCSI cable
	The P9-P9 FireWire cable is a six feet in length. The P9 stands for the nine parallel wires inside of the cable. FireWire400 uses P4 or P6 connectors that have four or six parallel wires inside of the cable.
	The Mini Type B to USB cable has a type A connector on one end and a type B mini USB connector on the other end.
	TC3-8 SATA Signal Cable:  SATA signal cable to connect ATA hard drives to the T35e.
	TC2-8 Power Cable:  Molex power cable to connect IDE hard drives to the T35e.
	TC5-8 SATA Power Cable:  SATA power cable to connect the 15-pin SATA power connector to the T35e.
	The 6 inch USB Extension Cable is a type A Male to Female USB extension cable, allowing one to extend an existing USB 2.0 connection.
	The TC-17 “Y” Cable is used to provide a power connection from the Tableau T2 Power Switch to a T14, a T14-RW or a T15 Forensic Bridge. There are two Molex® style connectors and one 4-pin “floppy” style power connector. To remove either of the connectors from a device, one must grasp the plastic housing of the Molex® or the 4-pin “floppy” or Berg connectors and gently pull or rock the plastic housing from side to side. Do NOT pull by the wiring, as this will disrupt the electrical connection. (PN: TC-17)
	The 50-pin Male to 68-pin Female SCSI adapter converts a 50-pin SCSI cable to a 68-pin Female connection.
	The P6 Fire Wire adapters are used to convert FireWire800 P9 cables to a FireWire400 P6 connection.  (PN:  TCA7-6-9)
	The P4 FireWire adapters are used to convert FireWire800 P9 cables to a FireWire400 P4 connection.  (PN:  TCA7-4-9)
	The HP68 to SCA-80 Adapter converts a 68-pin SCSI connection to a SCA-80 SCSI connection.
	TDA5-25 2.5" IDE Notebook Adapter:  Adapter for 1.8" notebook hard drives.
	TDA5-18 1.8" IDE Notebook Adapter:  Adapter for 2.5" notebook hard drives.
	The Tableau T2 power switch is used to connect the Tableau TP2 power supply to a device (e.g. a hard drive). By using the T2 one can safely connect and disconnect a device from a power supply without having to turn OFF the power supply itself. (PN: T2)
	The Addonics Mini Digi-Drive (READ ONLY) 12-in-1 Flash Media Reader is capable of accessing twelve different popular digital media types including CF-I, CF-II, Smart Media ™, Memory Stick™, Memory Stick Pro ™, Micro Drive ™, Multimedia Card ™ and Secure Digital Card ™. (PN: ADD-RO)
	The TP2 will connect to all Tableau products. The power cord connects to the TP2 via an IEC C7 “figure of eight” power connector. (PN: TP2)
	The PC Power cords are to power the TP3 power brick and the items that are connected to it.

3.2 Using the Tableau T3U Forensic SATA Bridge

To Top

 

Step by Step Instructions for connecting SATA hard drives to the T35e.

1. Ensure the T3u Forensic SATA Bridge's 'DC IN B' is in the 'B On' position.
2. Connect the TP2 power source to the left side of the T3u SATA Bridge via the 5-pin Mini-DIN connector.
3. Connect the power cable to the TP2 power source and also into an electrical socket.

   (The T3u Forensic SATA bridge can use either the TC2-8 Molex-style Power cable or the TC5-8 SATA-Style Power Cable to transmit power to the suspect hard drive.)

      (Using TC2-8 Molex-Style Power Cable. See Image labeled: T3U Setup Using Molex Power)

4. Connect one female Molex connector of the TC2-8 Molex-style Power cable to the DC OUT located on the right side of the T3u SATA Bridge.
5. Connect the other female Molex connector of the TC2-8 Molex-style Power cable to the suspect hard drive's Molex connector.

         (Using TC5-8 SATA-Style Power Cable. See Image labeled:  T3U Setup Using SATA Power)

6. Connect the female Molex connector of the TC5-8 SATA-Style Power Cable to the DC OUT located on the right side of the T3u SATA bridge.
7. Connect the SATA power connector of the TC5-8 SATA-Style power cable to the suspect hard drive's SATA power connector.

   *Note:  (DO NOT use both Molex and SATA power connections when connecting to a suspect hard drive, as this will overload the suspect hard drive.)

8. Connect the TC3-8 SATA Signal Cable to the T3u SATA Bridge.
9. Connect the other end of the TC3-8 SATA Signal Cable to the suspect hard drive.
10. The T3u has several means of communication between itself and the host computer: USB 2.0, two FireWire 800 connections and one 4-pin FireWire 400 connection. Plug one end of the chosen data cable to one of the ports on the left side of the T3u SATA Bridge.
11. Plug the other end of the chosen data cable to a port on the host computer.
12. Flip the switch on the top of the T3u SATA Bridge to the 'A On' position. The host computer should now see the suspect hard drive.
13. The T3u SATA Bridge is configured to be a READ ONLY device, hence the black color of the device. To configure the T3u SATA Bridge to be a READ/WRITE device, please refer to the section titled "Configuration Switches".

3.3 Using the Tableau T4 SCSI Bridge 

To Top

Step by Step Instructions for connecting SCSI hard drives to the T4.

 

 

1. Ensure the T4 Forensic SCSI Bridge's 'DC IN B' is in the 'B On' position.
2. Connect the TP2 or TP3 power source to the left side of the T4 SCSI Bridge via the 5-pin Mini-DIN connector.
   

   The 7-Pin DIN plug on the TP3 Power Supply will NOT work with the Tableau Bridges. You MUST use the included 7-pin DIN to 5-pin DIN “TCA-P7-P5” Adapter Cable to connect the TP3 Power Supply to the Tableau Bridges.

3. Connect the power cable to the TP2 power source and also into an electrical socket. 
4. Connect the female Molex connector of the TC2-8 Molex-style Power cable to the DC OUT located on the right side of the T4 SCSI Bridge.
5. Connect one Molex connector of the TC2-8 Molex-style Power cable to the suspect hard drive's Molex connector.
6. Connect the appropriate Signal Cable to the T4 SCSI Bridge.  If the suspect hard drive has a 50-pin SCSI connector then use the 50-pin SCSI cable with the 50-pin to 68-pin SCSI adapter.  If the suspect hard drive has a 68-pin SCSI connector, then use the TC10-8 SCSI Signal Cable.  If the suspect hard drive has a SCA-80 connector, then use the TC10-8 SCSI Signal cable and the SCA-80 Adapter.
7. Connect the other end of the appropriate Signal Cable to the suspect hard drive using the appropriate adapter, if necessary. 
8. The T4 has several means of communication between itself and the host computer:  USB 2.0, two FireWire 800 connections and one 4-pin FireWire 400 connection.  Plug one end of the chosen data cable to one of the ports on the left side of the T4 SCSI Bridge.
9. Plug the other end of the chosen data cable to a port on the host computer.
10. Flip the switch on the top of the T4 SCSI Bridge to the 'A On' position.  The host computer should now see the suspect hard drive.
11. The T4 SCSI Bridge has two additional LED's mounted on the side of the unit between the 'HD68 SCSI connector and the DC OUT Molex connector.  These two LED's indicate which type of SCSI bus is in use:  LVD or Low Voltage Differential (green LED), and the SE or Single Ended (yellow LED).  IF neither LED is illuminated, you may be attempting to use an older HVD SCSI device; and the T4 is not compatible with HVD devices.
12. The T4 SCSI Bridge is configured to be a READ ONLY device, hence the black color of the device.  To configure the T4 SCSI Bridge to be a READ/WRITE device, please refer to the section titled 'Configuration Switches'.

3.4 Using the Tableau T8 USB Bridge 

To Top

 

Step by Step Instructions for connecting USB drives to the T8.

 

1. Ensure the T8 Forensic USB Bridge is in the 'Off' position as shown in Figure 4.1.
2. Connect the TP2 or TP3 power source to the left side of the T8 USB Bridge via the 5-pin Mini-DIN connector.
   

   The 7-Pin DIN plug on the TP3 Power Supply will NOT work with the Tableau Bridges. You MUST use the included 7-pin DIN to 5-pin DIN “TCA-P7-P5” Adapter Cable to connect the TP3 Power Supply to the Tableau Bridges.

3. Connect the power cable to the TP2 power source and also into an electrical socket. 
4. Connect the suspect USB drive to the right side of the T8 USB Bridge.
5. Connect the other end of the appropriate Signal Cable to the suspect hard drive using the appropriate adapter, if necessary. 
6. The T8 has several means of communication between itself and the host computer:  USB 2.0, and one 6-pin FireWire 400 connection.  Plug one end of the chosen data cable to one of the ports on the left side of the T8 USB Bridge.
7. Plug the other end of the chosen data cable to a port on the host computer.
8. Flip the switch on the right side of the T8 USB Bridge to the 'On' position.  The host computer should now see the suspect hard drive.
9. The T8 USB Bridge has a LCD Display on the front face of the device, with two buttons to navigate.  For more detailed information on navigating the LCD Display, please refer to the T8 LCD Users Guide on Tableau's website:  Tableau T8 LCD Document
10. The T8 USB Bridge is configured to be a READ ONLY device, hence the black color of the device. Unlike the other forensic bridges created by Tableau, which can be 'field.-switched' between READ ONLY (write-block) and READ/WRITE modes of operation, the T8 is permanently configured for write-blocking operation only.

3.5 Using the T14 IDE Pocket Bridge

To Top

 

1. Ensure the T2 ON/OFF switch is in the OFF position as shown in above.
2. Connect the TP2 power source to the left side of the T2 Switch via the 5-pin Mini-DIN connector.

3. Connect the power cable to the TP2 power source and also into an electrical socket.
4. Connect the single end Molex connector of the TC17 Y-Cable to the right side of the T2 Switch.

5. Connect the 4-pin Berg/Floppy connector to the T14 IDE Pocket Bridge, which is located on the right side of the bridge.
6. Connect the remaining Molex connector of the TC17 Y-Cable to the suspect hard drive.

Note:  Verify that the SUBJECT hard disk is configured to be stand-alone Master device. New Western Digital hard disk drives have two Master settings and are properly configured as a single device when NO jumper is installed

7. Connect the suspect hard drive to the rear IDE connector of the T14 IDE Pocket Bridge.
8. Plug one end of the FireWire cable to one of the ports on the front of the T14 IDE Pocket Bridge.
9. Plug the other end of the FireWire cable to a port on the host computer.
10. Flip the switch on the T2 Drive Power switch to the ON state. The host computer should now see the suspect hard drive.
11. The T14-RO IDE Pocket Bridge is configured to be a READ ONLY device, hence the black color of the device. The T14-RW IDE Pocket Bridge is configured to be a READ/WRITE device, hence the yellow color of the device. To configure the T14-RO IDE Pocket Bridge to be a READ/WRITE device, please refer to the section titled "Configuration Switches".

3.5.1 Using the T14 IDE Pocket Bridge with a TDA5-25 Hard Disk Adapter

To Top

 

1. Ensure the T2 ON/OFF switch is in the OFF position as shown in the image above.
2. Connect the TP2 power source to the left side of the T2 Switch via the 5-pin Mini-DIN connector.
3. Connect the power cable to the TP2 power source and also into an electrical socket.
4. Connect the single end Molex connector of the TC17 Y-Cable to the right side of the T2 Switch.
5. Connect the 4-pin Berg/Floppy connector to the T14 IDE Pocket Bridge, which is located on the right side of the bridge.
6. Connect the TDA5-25 or TDA5-18 Hard Disk Adapter to the rear IDE connector of the T14 IDE Pocket Bridge.
7. Connect the remaining Molex connector of the TC17 Y-Cable to the TDA5-25 or TDA5-18 Hard Disk Adapter.

   Note:  Verify that the SUBJECT hard disk is configured to be stand-alone Master device. New Western Digital hard disk drives have two Master settings and are properly configured as a single device when NO jumper is installed

8. Connect the suspect 2.5-inch or 1.8-inch laptop hard drive to the rear IDE connector of the TDA5-25 or TDA5-18 Hard Disk Adapter.
9. Plug one end of the FireWire cable to one of the ports on the front of the T14 IDE Pocket Bridge.
10. Plug the other end of the FireWire cable to a port on the host computer.
11. Flip the switch on the T2 Drive Power switch to the ON state. The host computer should now see the suspect hard drive.
12. The T14-RO IDE Pocket Bridge is configured to be a READ ONLY device, hence the black color of the device. The T14-RW IDE Pocket Bridge is configured to be a READ/WRITE device, hence the yellow color of the device. To configure the T14-RO IDE Pocket Bridge to be a READ/WRITE device, please refer to the section titled "Configuration Switches".

4. Useful Information 

To Top

4.1 Configuration Switches

To Top

On each of the following Tableau Forensic Bridges, there is a 4-position DIP switch that can be used to set a variety of configurations:  T3u, T35e, T4 and T5.  The switches can be accessed by removing a small knockout panel on the bottom edge of the bridge's plastic enclosure.

The following table summarizes the function of the configuration switches on Tableau forensic bridges.

	Operation
Switch	Switch OFF	Switch ON
1	Bridge operates in READ-ONLY mode and may be used to capture forensically sound images from subject hard disks.	Bridge operates in READ-WRITE mode.
2	Bridge reports errors if host computer attempts to write when bridge is in READ-ONLY mode.	Bridge does not report write errors when in READ-ONLY mode. (The bridge discards write data without returning an error.)
3	Bridge reports that it is WRITE-PROTECTED to the host computer when in READ-ONLY mode.	Bridge does not report that it is WRITE-PROTECTED when in READ-ONLY mode.
4	This switch is RESERVED as must remain in the OFF position for correct operation.

The following table summarizes the recommended Tableau bridge configuration depending on the operating system you are using. These recommendations apply only when using the Tableau bridge in READ-ONLY mode to capture forensic images from subject hard drives (i.e., when switch 1 is OFF):

O/S	Switch 2	Switch 3	Comments
Windows XP	OFF	OFF	In most situations, Windows XP handles READ-ONLY bridges correctly and will work optimally when leaving switches 2 and 3 in the OFF (default) state. However, Tableau has seen cases where Windows XP will not allow a user to access a read-only partition. If you encounter a situation in which Windows XP reports that a volume is "write protected" and will not allow you to access the partition, then try the switch setting recommended for Windows 2000, below.
Windows 2000	ON	ON	Windows 2000 does not mount NTFS volumes correctly when the bridge declares that it is READ-ONLY. These settings make Windows 2000 believe the bridge is in READ-WRITE mode (even though it is not), and Windows 2000 will successfully mount NTFS volumes.
Windows ME/98se	ON	OFF	Windows ME/98se may not recognize that a bridge is READ-ONLY and may attempt to write to the bridge anyway. If this happens, Windows ME/98se will generate a "blue screen" error. The recommended settings to the left eliminate the "blue screen" error. NOTE: Some forensic users prefer to see the Windows "blue screen" error if a write is attempted. Users with this preference should use the recommended settings for Windows XP instead.
Other	OFF	OFF	Most other modern operating systems handle READ-ONLY forensic bridges correctly, so the default OFF settings is best for users of these operating systems.

IMPORTANT: As long as switch 1 is OFF (as confirmed by the Write Block LED being illuminated), the Tableau bridge will never permit writes or other modifications to the subject hard disk. Switches 2 and 3 only affect the way the bridge appears to behave from the perspective of the host computer.

 

NOTE: Switches 2 and 3 are ignored when the Tableau bridge is in READ-WRITE mode (i.e., when switch 1 is ON).

 

4.2 Removal Procedures 

To Top

• Use the Safely Remove Hardware application (Windows XP see Figure B.1) by clicking on the Safely Remove Hardware icon in the notification area of the Taskbar.  Clicking on the icon will produce a list of removable devices.  Click on the hard disk drive you wish to remove.  A message will appear indicating that the device has been safely removed.

 

Figure B.1 Windows XP Safely Remove Hardware Icon.

• On the forensic bridge (T3u, T35e, T4 or T8), move the power switch to the OFF position and wait for the hard disk drive to stop spinning.  If using the TP2 5-pin DIN connector, move the switch to the 'B On' position.  If using a Molex connector, move the switch to the 'A On' position.
• Shutdown the forensic workstation, carefully disconnect all cables and store them in a manner to prevent physical damage.
• According to the situation, properly secure the SUBJECT hard drive(s).

4.3 Daisy-Chaining Forensic Bridges 

To Top

To accomplish a daisy-chain of forensic bridges, one must use only the FireWire 400 or 800 ports on the T3u, the T35e, the T4 or the T5 forensic bridges.  One can NOT use the USB ports and cables to cascade devices.

For instance, if one had two differing types of suspect hard drives, one could connect each to their appropriate forensic bridge, daisy chain the forensic bridges together using FireWire cabling and then connect the set to the host computer.

 

Figure c.1 Daisy Chain Example without both TP2 Power Units.

 

Daisy Chain Example (SATA and SCSI)

Items Needed:

• Host computer
• SATA suspect hard drive
• SCSI suspect hard drive (68-pin)
• (2) T2 Drive Power Switches
• (2) TP2 Power Units
• (2) Power Cables
• (2) P9 FireWire cables
• TC3-8 SATA Signal Cable
• TC10-8 SCSI Signal Cable (68-pin)
• T3u SATA Bridge
• T4 SCSI Bridge
• (2) TC2-8 Molex-Style Power Cables
• Or TC2-8 Molex-Style Power Cable and TC5-8 SATA-Style Power Cable
• (if needed:  FireWire Cable Adapters)

1. Use the T3u SATA Bridge Installation Procedure and the T4 SCSI Installation Procedure from Chapters 2 & 3 except for the 'power on' of both procedures.
2. Connect the p9 FireWire cable to the left hand side of the T3u SATA Bridge.
3. Connect the other end of that same cable to the left hand side of the T4 SCSI Bridge.
4. Connect another p9 FireWire cable to the second port of the T4 SCSI Bridge.
5. Connect the other end of the second p9 FireWire cable to the host computer.
6. If using the TP2 power unit without the T2 Drive Power switch, turn the T3u on by placing the top switch to the 'A On' position.  Do the same with the T4.  If using the TP2 power unit with the T2 Drive Power Switch, turn both T2 Drive Power switches on, and turn both the T3u and the T4 switches to the 'B On' position.
   
   

4.4 Hot-Swapping Drives 

To Top

 

1. Follow 1 and 2 of the Removal Procedures listed above.
2. Disconnect the power connection from the suspect hard drive.
3. Disconnect the data/signal cable from the suspect hard drive.
4. Connect the power connector to the new suspect hard drive.
5. Connect the data/signal cable to the new suspect hard drive.
6. Switch the forensic bridge to the 'ON' position:  if using TP2 only, switch to the 'A On' position, if using TP2 and T2 Drive Power Switch, switch to the 'B On' position.

4.5 Other Tips & Information 

To Top

• When removing the Berg/Floppy connector from the T14s or the T15, ALWAYS firmly grasp the plastic housing of the Berg/Floppy connector and gently pull or rock the plastic housing from side-to-side.  Do NOT pull by the wiring, as this will disrupt the electrical connection.

• Do NOT remove a hard drive from a forensic bridge while the power is ON.

• Do NOT use USB cable extenders with any forensic bridge.

• As with all established Computer Forensics Best Practices it is the user's responsibility to test the hardware on non-evidentiary media/data prior to using the hardware/software/procedures on live evidence.

• When a removable device such as a FireWire module/hard disk drive combination is improperly removed from a booted system it is referred to as a 'surprise removal' and the FireWire device may or may not reinitialize correctly.  In some situations the 'surprise removal' can result in data loss or corruption.  Using the T2 Drive Power Switch eliminates this problem.