Welcome back, everyone. Today we're going to be looking at the UltraBlock kits, and we've already done the unboxing. I'm going to show all three external write blockers, how you set them up, and then how you do the imaging.

So we're going to start with one of the easiest, and that is the USB write blocker. So we have the USB external write blocker here out of the kit. I already have our blue cable connected to our forensic workstation, and then I have our power cable connected, obviously, to power. Remove the write blocker from the pack, and then we have a connection to our forensic workstation, and then the connection for our USB device, and then the power connection on the back.

So the instructions say you connect the source device first, then connect the bridge to the host computer, your forensic workstation, then connect the power supply to the bridge, then press the power button to begin operation, and your workstation should detect the USB device. So we have our suspect data here. This is going to be our source that we want to image. Connect that into the USB port. Now, imaging will go as fast as your slowest connection, so if you have a very slow drive or an older USB style then it will be slower. Here you want to make sure that you're connecting in your forensic workstation as USB 3.0 and not using like a 2.0 port, otherwise it will be very slow whenever it's trying to image.
Connect the bridge to our forensic workstation. Now we can connect the power. Once everything is connected we can turn our power on. We already have DC power light; this light indicates power on. We want to be able to see the light detected for host and the device. We have write block, connected, host was detected. We're now getting some power to our target disk. We have our host, we have our device, we have write block, and we saw some activity here. So we have some information about our target device flashing on the display here, but really what you need to check is that host was detected, and actually heard it connect to our forensic workstation, we have the device detected, and write block is enabled. So make sure always that that write block is checked. Whenever we are testing our write blockers we would be using a disk that we don't care if we actually have to write to, and then we would test whether we can write to the disk after that.

So let's go over to our forensic workstation. In our forensics workstation let's go ahead and open up FTK Imager. Now we have the evidence tree. We need to add a device. We can go File, Add Evidence Item, and then it is a physical drive, and we can select the physical drive we want. And we detected the Toshiba External USB 3.0 USB device; it's drive one. So if we select that we can click Finish, and now we have direct access to the physical drive itself.

Some people like to analyze the drive directly to see if it's related to their case, but I prefer to do imaging first. It does take a little bit longer, but if our suspect drive happens to go bad while I'm doing my analysis then I've already lost my image. I'd rather be creating our disk image now. So go to File and go to Create Disk Image. We want to image a physical drive. Select our drive that we want, which is drive one, the Toshiba External 3.0, and then click Finish. Now we can do image destinations: where do we want to save to, and the format that we want to save in, raw dd, SMART, E01 or AFF. If you want
compression you really should choose E01 or AFF. I'll choose AFF. Click Next. Give it a case number, give it your evidence number, and then where do we want to save this to, what compression we want. If at zero it's no compression, one is the fastest, the imaging will go quite faster. If we have nine it will be the smallest but it will take a long time to compress. Let's do about a six and click Finish. We could set up our destination, we can say whether we're going to verify the images after they're created. Go ahead and click Start. The red LED activity light is flashing because we are reading from the suspect disk.

What I want to show you: the view in Windows. I'm in the Disk Management console and we can see disk one. It's set to read only; Windows detected it as read only. And then I have an EFI partition, and then I have another partition and some unallocated space. If any of these partitions were formatted with a file system that Windows could understand, like NTFS, then they would have automatically been mounted by Windows. Now, because they're read only, Windows wouldn't be able to write anything to them, but my point here is that whenever you plug in a drive into Windows with an external write blocker it usually shows up as a normal disk. So Windows will understand it as a normal disk. If it can understand the file system then it will automatically mount any file systems that it understands, and then you could get direct access to that file system. This is an ext-formatted partition, which is basically a Linux file system, so Windows cannot mount it by default, but Windows can see the entire disk and all of the partitioning information, and it can do all the imaging.

So again, whenever you're connecting a disk with an external write blocker the disk will show up as normal; it will just be read only. So if you have auto mounting enabled it will auto mount it, so just be aware of that. And this is why we want to test our write blockers, to make sure that they actually are write blocking, because we
don't necessarily know what's on the disk whenever we're plugging it into our forensic workstation. If auto mount happens then we want to make sure that write blocking is working as expected. So that's it for this disk one. USB disks are relatively easy, so let's go ahead and move to another disk type.

So next, for the suspect disk, we have a SATA laptop hard drive. We have the SATA connections here. So this has been removed from the laptop so we can actually use the external imager. We have some SATA cables, and this is the cable for power, and then this is the cable for data. Included in the UltraBlock kit we also have our SATA/IDE bridge, and then we also have the quick reference guide as well. So go ahead and remove it from the packaging. Get started: we connect our source drive, connect the bridge to the host computer with our blue cable again, connect the power from our power cable again, and then press the power button. So pretty much all of them are the same: connect the source device, then connect it to the forensic workstation, then connect it to power. So always use that procedure.

Now we have our power and we have our SATA connector here, and then we have our connection to our forensic workstation on the back, and we have our power connector there. So I'm going to go ahead and connect up the suspect disk first. We connect our power, connect our data, connect our forensic workstation, and connect our power. Once you have everything set up, again, we have our power button, we have the power indicator that it is getting power but it's not turned on, we have IDE detected, SATA detected, host detected, that's our forensic workstation, and then write block and activities. The activity is the red light that's flashing. Again, we always want to see the write block turned on, and whenever we turn this on we should see host detected. Okay, so the first thing, write block: the write block LED comes on with power. I can hear the disk starting to spin up. We have host detected and SATA detected, so both of those
look good, and then we had some activity, so that's the kind of thing we would expect to see with the write blocker.

Now let's go over to our forensic workstation. If we check our Disk Management console again then we can see disk one again is almost one terabyte. It's also set to read only. It was unallocated, which means that it's been cleaned off or whatever. Okay, so we can go now into FTK Imager or whatever imager you're using. Go to File, Create Disk Image. We want to create a physical drive. Every time we can, try to make a physical drive; if we can't make a physical drive then try it for logical. Click Next. We want to choose physical drive one again, and it's detected as hd st hts and then this is us and then usb, so we know that that's our disk. Let's go ahead and click Finish, and then we add our imaging information just like before. Let's go ahead and do AFF, the case number, destination, let's say temp, file name, I'll do 002. Click Finish.

Okay, while that's imaging I would normally just leave it to image and maybe go do something else. This is why it's nice to have a separate computer from your analysis system; that way you can do your imaging and then analyze on another disk. But what I'm going to do now is go to File and Add Evidence Item, because I want to actually see if there's anything on that disk. Click fit next, physical drive one, Finish. So I can see that some data was found, and I'm just going to scroll through the text editor. It's hard to say whether this is actually structured data. It's hard to say whether this data is structured or not, or whether it's random. It looks like it's fairly random, so maybe a, you know, somebody z wrote it, maybe somebody wrote random data to the disk, so it'd be hard to recover something.

Just like with the USB stick, whenever we connect a SATA drive through here we always want to check for write block, and whenever we detect it on our forensic workstation, in Windows or Linux or macOS, it's going to show up as a normal drive, and if there's a file
system that the operating system can mount, again, it'll mount it. We again didn't have an operating or a file system on here for Windows to mount, so let's go ahead and look at the final external write blocker.

So for our third suspect drive we have this M.2 drive that we're going to try to image. Just like before, we're connecting the source to the T8u, then we're connecting to the forensic workstation, then power: connect the power and then turn the power on. So let's go ahead and get set up. So we need an adapter, and it has been included here, so that's what the adapter looks like. So that just slides in and clips. Okay, and then we have our M.2 adapter. Our drive slots in there, and then we can use this pin to hold it in where it needs to go. Okay, so we just slide it in there, hold that down, and then make sure you screw it down at the end. Okay, your drive shouldn't be able to wiggle around. Now we can just connect directly to our write blocker, and it clips. Next we need to connect the forensic workstation, and then we connect the power. We now have everything set up. All we have to do is hit the power button. I can see power in the adapter. DC power, we have host, device, write block, activity, just like all the others.

So one final thing I wanted to show: the SATA 3 to M.2 NGFF connector, and that is this little box here. And basically it looks like a SATA hard drive, but whenever we open it up, inside you have a place where you can connect either M.2 or mSATA. I have this M.2 card. I'm going to slip it into there, and then we have a small screw to hold it down. Once you've got the drive in there then you can close this up to protect it, and we have just a normal SATA connector so that we can connect it to our SATA bridge like we did before. Once everything's hooked up just hit the power button. We see write block, that's what we expect. See a power indicator on the drive. We have host detected, we have SATA detected, and we saw some activity, so now we have access to that disk. So let's go take a look at our
forensic workstation. So on our forensic workstation we have disk number one detected, and it did have an NTFS partition on E drive, so it's now mounted as E drive. We have a couple other partitions and then some unallocated space here. So if I open up a folder, so we have local disk and this is partition for E drive, this NTFS partition, 100 gigabytes. And right now if I try to write something, so let's try to move this temp folder in, and whenever we're asked if we want to copy something in there, we can't, because it's write protected. So if you have a disk and Windows detects all the partitions, and then you have a file system installed on one of those partitions, then Windows will automatically mount it if auto mount is enabled, and then whenever you try to write anything to that partition you won't be able to because it is read only. So it is still detected as read only with the disk. Just like before, if we're using FTK Imager: Create Disk Image, physical drive, Next, and then choose drive one, and we see it's an Intel ss USB device. Okay, and then we select that, click Finish, and then just keep imaging like we did all the other ones.

We've gone through hooking up the three different types of external hardware write blockers. These are very flexible, obviously, because depending on the media that you get into your lab you can just grab the single write blocker that you want to use. They're very easy to hook up and they have a lot of adapters. We did end up using one of the M.2 to SATA adapters and it's working as expected. So what I really wanted to show you here is, first off, how flexible these are, how to hook them up, and also that Windows or whatever system you're using will detect the source disk that you're trying to image. It'll detect that source disk just like a regular disk in Windows; the only difference will be that it will be detected as read only. Plug in a test disk with your external write blocker and then try to write data directly to the disk. Now, it could be to the partition
but trying to write directly to the disk is actually a little bit better for testing, because you're skipping the file system level and going directly for the lowest-level writes.

So these are external hardware write blockers. I like them because they're flexible, and then if you're imaging just a couple disks at a time it's very nice, and if you're also trying to do a quick analysis and you don't need the image then they work for that too, because it's just going to show up like a normal disk. You can then import it into most forensic software and then just start your analysis. So that's it for these UltraBlock kits and some of the adapters. I hope it was interesting. Thank you very much.
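
The write-blocker test described at the end of the video (write directly to a test disk, below the file system), sketched as an added example that is not part of the video or the vendor's tooling. The function names, the 512-byte sector size, the 1 MiB hashed region and the `opener` hook are assumptions made for illustration.

```python
import hashlib
import os
import sys

SECTOR = 512  # assumed logical sector size of the test disk
MARKER = b"WRITE-BLOCK-TEST".ljust(SECTOR, b"\x00")  # one full sector

def hash_region(path, length):
    """SHA-256 of the first `length` bytes of a device or file."""
    h = hashlib.sha256()
    # buffering=0 only disables Python's buffer; the OS cache can still
    # serve reads, so re-hash after reconnecting the disk for a final verdict.
    with open(path, "rb", buffering=0) as f:
        remaining = length
        while remaining > 0:
            chunk = f.read(min(remaining, 1 << 20))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()

def check_write_block(path, length=2048 * SECTOR, opener=os.open):
    """Attempt a raw write to sector 0 of a TEST disk, then compare hashes.

    `opener` is a hypothetical hook so the check can be exercised without
    hardware. Never point this at evidence: it overwrites sector 0 if the
    blocker fails.
    """
    before = hash_region(path, length)
    write_error = None
    try:
        fd = opener(path, os.O_WRONLY | getattr(os, "O_BINARY", 0))
        try:
            os.write(fd, MARKER)
            os.fsync(fd)  # push the write past the OS cache
        finally:
            os.close(fd)
    except OSError as exc:
        # Expected with a working blocker: the OS sees a read-only disk.
        write_error = exc.strerror or str(exc)
    after = hash_region(path, length)
    # The hash comparison, not the error, decides the result.
    return {"write_error": write_error, "blocked": before == after}

if __name__ == "__main__":
    # e.g. /dev/sdX on Linux or \\.\PhysicalDrive1 on Windows (test disk only)
    print(check_write_block(sys.argv[1]))
```

A write call that returns an error is not proof on its own, and a write that appears to succeed may only have reached a cache; the before/after hash of the media is what goes in the validation record.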