The ComboDock is the sort of device that no forensic investigator can afford to be without if they intend to produce evidence that will be acceptable in legal proceedings.
It turns the target drive into a read-only device by ignoring all write requests to the drive, while indicating to the operating system that the writes have in fact occurred. Forensic imaging programs go to great lengths to avoid writing to the evidence files, but it is still possible for the operating system itself to alter a directory entry, usually to update the last accessed date and time information. And although this does not affect the contents of the file being analyzed, it does cast doubt on the integrity of the investigation.
In turn, this could easily lead to the evidence being ruled inadmissible. Using a hardware device that simply does not allow the drive to be written to in the first place ensures that the forensic process does at least start out with a firm foundation.
The device itself is a small, easily portable set of components that together make up a small docking bay for any IDE hard drive. The system provides connections and power to the drive, so there is no need to rip the covers from a live system to get a suitable power feed, and it can connect to a host system using either the USB2 mini connector or the two 1394b Firewire 800 ports. These connections will operate at the lower USB 1.1 or Firewire 400 standards if required to by the host system. The host system can be running Windows 98SE/Me, Windows 2000/XP, Mac OS9.1, Mac OS9.2 or Mac OS X.
The device can also handle the newer Serial ATA drives using its SATA converter, which has a standard 40-pin IDE connector at one end and a SATA connector at the other. Performance was good, with no appreciable difference in transfer rates between the drive in the ComboDock using the USB interface and the same drive mounted as a normal external USB drive, transferring 1Mb per second in both cases.
