Write blockers

Printable View

October 19th, 2004, 11:25 PM
magnoon

Write blockers

I currently am using a FastBloc LE for hardware write blocking when acquiring drives and am in the market for another write blocker. I'm interested in any devices that you currently use or have used in the past that you would purchase again, and those that you would never use again even if it was given to you.

Below are some devices I have been looking at.

http://www.digitalintelligence.com/products/ultrablock/

http://www.digitalintelligence.com/products/firefly/

http://www.icsforensic.com/show_item_296.cfm

This one looks promising for write blocking flash cards, now if they would only make something similar for USB drives. (I know XP SP2 gives the ability to disable write operations to any connected USB device, but I don't use that for acquisition.)

http://www.icsforensic.com/show_item_339.cfm

The price for this device is almost too good to be true, anybody ever used one?

http://store.yahoo.com/cooldrives/usb20toatabr.html

Finally I am interested in recomendations for purchasing a high quality SATA to EIDE converter/adapter. I have not yet had to acquire a SATA drive, but that is only a matter of time.
October 22nd, 2004, 03:57 AM
hogfly

stick with digital intel
October 23rd, 2004, 03:07 PM
slarty

What a rediculous proposal - a hardware solution for a software problem.

The solution is to tell your OS not to write to the devices when imaging them for forensics. If your OS is too lame to do that, get one which can or install a software add-on which enables it to.

Slarty
October 24th, 2004, 04:44 AM
hogfly

Slarty..hate to say it...but it's not rediculous. Mounting read only still modifies the drive...journaling file systems increase the mount count each time...and windows..holy hell windows modifies something like 500 files each time it boots.

Write blockers are an accepted practice in the industry.

magnoon: if you can afford it..get the masster solo..those types of tools are increasing in popularity.
October 24th, 2004, 04:54 PM
magnoon

Quote:

What a rediculous proposal - a hardware solution for a software problem.

Slarty

Not ridiculous at all, but within the standards that are accepted in the courts in my area. Also non technical people seem to understand the concept of a piece of hardware that blocks writing to a hard drive easier than utilizing software to do the same function. The public constantly hears of software vulnerabilities, and seldom hears the same issues with hardware. (True or not it is perception and in court perception is almost everything) Utilizing hardware write blocking cuts down on the intensity and length of testimony relating to the acquisition process.

I once acquired a machine that resulted in the FBI, DOJ, and IRS getting involved. The use of a hardware write blocker made life so much easier in regards to the the acquisition that I won't do it any other way until something better comes along.

hogfly

Quote:

if you can afford it..get the masster solo

That would indeed be my ultimate, but my current budget puts it a bit out of reach. Do you have experience with using this?
October 24th, 2004, 07:58 PM
slarty

So let me get this right ... these "Write blockers" are not used to prevent writing to the media, they are used to prevent stupid people from thinking that the media could have been written to by faulty forensics software.

It should be possible of course with software, to mount a writable media read-only, in such a fashion that NO writes are done whatsoever to it.

If that is not possible, then it should be possible to use a software modification which causes the block device driver to behave as a readonly one, even if the device is writable.

---

It still seems to me that these devices are used to prevent shortcomings of Windows operating systems which will mount any device they can read/write automatically and in a non-optional fashion.

But I can see why for audit purposes you might want to use one.

Slarty
October 24th, 2004, 08:45 PM
chsh

Quote:

Originally posted here by slarty
So let me get this right ... these "Write blockers" are not used to prevent writing to the media, they are used to prevent stupid people from thinking that the media could have been written to by faulty forensics software.

Actually, they do prevent writes.

Quote:

It should be possible of course with software, to mount a writable media read-only, in such a fashion that NO writes are done whatsoever to it.

This won't work for all filesystems because they often increase a mount count even if mounting read-only, thus rendering it impossible to verify hashes.
The non-Windows filesystems I know this applies to are: EXT2, EXT3, XFS, and ReiserFS.

Quote:

If that is not possible, then it should be possible to use a software modification which causes the block device driver to behave as a readonly one, even if the device is writable.

That's a nice theory, and honestly, I would think that's the case with the linux kernel. However, consider that a lot of forensics are done using Windows boxes. It may be a crutch in theory, but in practice it's apparently the difference between having your evidence thrown out and having it admitted.
October 24th, 2004, 10:14 PM
hogfly

Quote:

Originally posted here by magnoon
Slarty

Not ridiculous at all, but within the standards that are accepted in the courts in my area.

It's not just courts in your area, it's every court in the US. From federal to state.

It's pretty much required..why? because NIST and the NIJ say so. If you don't use a write blocker you run the risk of having your evidence tossed.

Quote:

That would indeed be my ultimate, but my current budget puts it a bit out of reach. Do you have experience with using this?

Never used one, but like I said a lot of companies are starting to use them, it's easier to transport and faster, and it's just as accurate..

Slarty..I agree with your take on it, but that's just not the way things are. NIST & NIJ have done lots of testing on write blockers and software solutions..and the hardware solution wins.

I like to compare it to software vs hardware firewalls. Would you trust windows xp firewall to protect your 100$ million dollars worth of intellectual property ? Or would you want to take every precaution to protect it's integrity?
October 25th, 2004, 12:52 AM
magnoon

Hogfly - thanks for the information, I appreciate it.

Quote:

they are used to prevent stupid people from thinking

Non technical != stupid

There may be a brain surgeon or rocket scientist on the jury, but that does not mean they understand how data is stored on a hard drive.

My point is that it is far easier to introduce reasonable doubt into the acquisition process if it was done with a software solution.
October 25th, 2004, 01:02 AM
jinxy

Quote:

My point is that it is far easier to introduce reasonable doubt into the acquisition process if it was done with a software solution

I'm sorry my friend that is not your job. You should just present the facts as they are. End of story.
October 25th, 2004, 01:28 AM
magnoon

Quote:

I'm sorry my friend that is not your job. You should just present the facts as they are. End of story.

I couldn't agree with you more. I did not mean to imply that I am the one trying to create resonable doubt. Perhaps I should have stated: there is a greater chance that the opposing attorney can create resonable doubt when write blocking software has been used than there is when write blocking hardware was used.