Storage forensics – it's CSI:Disk array
Red ports don't write, says WiebeTech
Forensic storage developer WiebeTech has developed a pair of write-blocked PCIe adapter cards that connect to devices such as disk drives or arrays, but prevent the host computer from writing to them.
The RedPort cards allow an investigator to study or copy stored data without the risk of accidentally altering it, according to WiebeTech CEO and president James Wiebe. He claimed that if you make a normal host adapter read-only it may still be possible to reverse that in software.
"A primary design task was to ensure that an investigator would not be able to turn a RedPort card into a read/write card by accidentally installing the wrong software drivers," he said. "Thus, either RedPort works write-blocked, or it doesn't work at all."
The reason for doing read-only adapter cards is that WiebeTech's other forensic gear only connects to individual hard drives. That's a bit of a pain if you have a multi-drive array to copy – more so if those drives are part of a SAN or a RAID set.
The RedPort cards each provide two write-protected 4Gig Fibre Channel or Ultra320 SCSI connectors. WiebeTech said they're called RedPort because the ports are red. Actually, they're not – the back panel plates are striped red, but the effect is similar.
They're not cheap – they list at £1,769 and £719 respectively – but that's not much compared to the cost of losing a court case because you damaged the evidence. The cards use ATTO hardware with modified firmware, and are distributed in the UK by AM Micro. ®