I’m reviewing and revising policies and practices at work, including data forensics, the unfortunate necessity caused by employees misusing their company-issued machines.
Early in my career, I had to make the phone call to HR on occasion when I discovered something on an employer-owned PC that shouldn’t be there. I even did forensics once, guided by a lawyer. I had a sector editor and knew how to use it; the lawyer knew what she was looking for. That wasn’t the right way to do it, but this place wasn’t willing to go to the expense required to do it right.
But now I work someplace that is.
One issue–if you can call it that–is that the write blocker we use, a Tableau T35E, won’t detect an IDE hard drive if you plug the cable in backwards. The blue connector has to go to the blocker, and the black connector has to go to the drive.
One of my colleagues (I don’t know if it’s a present or a past team member) wrote that Tableau’s manual doesn’t state this, but the manufacturer is aware of it and has no plans to fix it.
I guess I’m an old-timer, because that’s not an issue at all. Plugging in the cables backwards violates the IDE spec.
In the early days when IDE drives were very slow, you could get away with it. I plugged my first 486′s IDE cable in backwards because the two connectors on the cable reached my two drive bays a lot better that way. I knew you weren’t supposed to do that, but it worked fine, so I left it that way for a while.
In those days, all sorts of things worked that weren’t supposed to work. You were supposed to plug the primary (or master) drive into the top connector and the secondary (or slave) drive to the middle. But you could reverse it and it would work. You could plug a single drive into the middle cable and it would work. If you were really lucky, you could even jumper the drives wrong and it would all still work. Some early Pentium-era boards were extremely forgiving. I remember messing around with one of my early Pentium boards and trying different things just to see what it would let me get away with.
In the mid 1990s, with the advent of ATA-66 and 80-conductor cables, that changed. Faster drives were much more sensitive to noise on the cable, and if there was something wrong with the cable, or you plugged it in wrong, things were less likely to work right.
The 80-conductor cables changed the colors of the connectors to match. The blue connector attached to the IDE connector on the motherboard or interface card. The black connector attached to the primary (or master) device. The gray connector attached to the secondary (or slave) device.
And from about 1997 onward, if you plugged that IDE cable backwards, it just didn’t work at all.
On a write blocker, where something going wrong could destroy evidence or make it not admissible in court, you can’t afford for something to go wrong. In the unusual event that you have to do forensics on an IDE drive these days, you’d better make sure you have a high-quality 80-conductor cable and that it’s 18 inches (457 mm) in length or shorter and that it’s connected the right way.
It’s unlikely that noise on the cable would cause an unintended write on the drive. But if I’m doing an investigation for a $50 million lawsuit, I don’t want to take that chance. If the write blocker isn’t comfortable with how I plugged things in, I’d much prefer for it to just fail to detect the drive.
Because if a malfunction caused a write to the drive, the drive is no longer admissible. Then there’s a pretty good chance HR would be coming after me, and that soon-to-be-former employer would be one I wouldn’t want to use as a reference.
When the stakes are high, I’d rather have immediate failure than future unpredictability. So I don’t see this as an issue or a bug at all. It’s cliche, but this time, I think it really is a feature.