Seeking Advice: Building a Budget-Friendly Forensic Imaging Workflow for Laptop Returns
Posted by Mehmetince2019@reddit | sysadmin | 10 comments
Hi everyone,
I recently started a new role where I'm handling laptop returns (rückläufer). My current instructions are simply to copy the user folders and format the drives. Coming from a legal background, I know this is a nightmare for chain of custody and evidence integrity. If any of these cases end up in court, a simple file copy won't hold up.
I’ve been asked to start taking full forensic images of about 1-2 laptops per month for high-risk cases. I know a Write Blocker is essential to ensure the source drive remains untouched.
I found the Tableau bridges, but at €650+, my manager is asking if there are more budget-friendly alternatives since our volume is very low (only a few devices a month).
I have a few questions for the experts here:
- Is a hardware write blocker mandatory for this volume? Or are there reliable "software" write-blocking methods for Linux/Mac that you would trust in a legal setting?
- Budget Hardware: Are there reliable alternatives to Tableau? I’ve seen some cheaper USB-C or SATA bridges, but I’m worried about their reliability in a forensic context.
- Workflow: What is your go-to "budget" stack for imaging (e.g., FTK Imager + a specific bridge)?
I want to do this the right way without breaking the bank, but I also need to convince my boss that "cheap" shouldn't mean "inadmissible in court."
Thanks in advance for your help!
TinderSubThrowAway@reddit
What is the context that you have laptop returns and so many potential court cases?
If it's this serious, why aren't you just keeping the laptop intact as is?
statikuz@reddit
Because then it ties up the whole device when it could be repurposed. I too am curious what craziness they are involved in where they have a "very low" volume of 1-2 devices a month they are wanting to retain for potential legal action.
Anyway, unless it's like "they might be a serial killer" level of severity, why would you tie up a $x000 laptop? Image the drive and move on. We used to just pull the drive and install a new one, but holy cow, I have not looked at drive prices lately.
Mehmetince2019@reddit (OP)
Actually, we’re leaving it as is. We were advised to take an image to ensure the integrity isn’t compromised. I thought that wasn’t wrong.
dracotrapnet@reddit
We can't do anything forensically without a PI license (private investigator). Nobody in IT is going for a PI license. We could only bag and tag the whole laptop to store it. You might as well hand them over to your lawyer.
BrorBlixen@reddit
This is completely off topic and mostly irrelevant, but in the US the requirement for a PI license to perform IT forensics has been shot down by the courts repeatedly. The general consensus is that the court already has established standards for expert witnesses that supersede occupational licensing requirements, and that requiring a PI license would unnecessarily exclude qualified people.
Jevn@reddit
Can you provide any of the specific instances where this took place? I’m specifically curious about Texas and I’m doing my own homework as well.
BrorBlixen@reddit
I can ask. I have a former co-worker who now owns a business doing IT forensics and provides expert witness testimony in court cases. He occasionally hires me as a consultant on some old technologies that I used to specialize in. We aren't in Texas but he and his people take cases from across the country.
Jevn@reddit
Wiebetech is an example of a more cost-effective alternative: https://cdsg.com/brands/wiebetech. One thing I have to enforce with all of them is that you always have to keep the firmware updated, which is something many examiners forget and don't pay enough attention to. I am a big fan of Tableau though.
sryan2k1@reddit
Nothing you will do will matter. Copy their shit to some shared drive somewhere and reimage the computer.
TechHardHat@reddit
For 1-2 laptops a month, a used Tableau T35u off eBay runs €150-200 and is still fully court-defensible. Pair it with FTK Imager, document your hash values, and your chain of custody is solid. The write blocker isn't where you cut costs; that's the one piece a defense attorney will go after first.
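The hash-documentation step that several replies lean on (image the drive, record the acquisition hash, re-read the image and confirm it matches) is easy to show in code. This is an added example, not anything posted in the thread or part of FTK Imager; the "drive" is a constructed file standing in for a block device, and the examiner and case identifiers are placeholders.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: a whole drive never has to fit in memory


def stream_copy_with_hash(src_path, dst_path):
    """Copy src to dst, hashing bytes as they are read (the acquisition hash)."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def hash_file(path):
    """Independently re-read a file and hash it (the verification hash)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_and_verify(src_path, image_path, examiner, case_id):
    """Image src_path to image_path and return a custody record with both hashes;
    'verified' is True only when the image re-reads to the acquisition hash."""
    acquired = stream_copy_with_hash(src_path, image_path)
    verified = hash_file(image_path)
    return {
        "case_id": case_id, "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": src_path, "image": image_path,
        "sha256_acquisition": acquired, "sha256_verification": verified,
        "verified": acquired == verified,
    }


def demo():
    """Constructed sample: a fake 3 MiB-plus 'drive' file standing in for /dev/sdX."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "fake_drive.raw")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))  # odd tail exercises the last partial chunk
    record = acquire_and_verify(src, os.path.join(work, "CASE-0001.dd"), "examiner-01", "CASE-0001")
    # Corrupt one byte of the image: re-verification against the recorded hash must now fail.
    with open(record["image"], "r+b") as f:
        first = f.read(1); f.seek(0); f.write(bytes([first[0] ^ 0xFF]))
    still_matches = hash_file(record["image"]) == record["sha256_acquisition"]
    return record, still_matches
```

Against a real device the source path would be the write-blocked disk and the record would be kept alongside the image as the custody log.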