-
October 19th, 2004, 11:25 PM
#1
Write blockers
I currently am using a FastBloc LE for hardware write blocking when acquiring drives and am in the market for another write blocker. I'm interested in any devices that you currently use or have used in the past that you would purchase again, and those that you would never use again even if it was given to you.
Below are some devices I have been looking at.
http://www.digitalintelligence.com/products/ultrablock/
http://www.digitalintelligence.com/products/firefly/
http://www.icsforensic.com/show_item_296.cfm
This one looks promising for write blocking flash cards, now if they would only make something similar for USB drives. (I know XP SP2 gives the ability to disable write operations to any connected USB device, but I don't use that for acquisition.)
http://www.icsforensic.com/show_item_339.cfm
The price for this device is almost too good to be true, anybody ever used one?
http://store.yahoo.com/cooldrives/usb20toatabr.html
Finally, I am interested in recommendations for purchasing a high quality SATA to EIDE converter/adapter. I have not yet had to acquire a SATA drive, but that is only a matter of time.
If you receive something that says 'Send this to everyone you know,' pretend you don't know me.
-
October 22nd, 2004, 03:57 AM
#2
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
October 23rd, 2004, 03:07 PM
#3
What a ridiculous proposal - a hardware solution for a software problem.
The solution is to tell your OS not to write to the devices when imaging them for forensics. If your OS is too lame to do that, get one which can or install a software add-on which enables it to.
Slarty
-
October 24th, 2004, 04:44 AM
#4
Slarty..hate to say it...but it's not ridiculous. Mounting read only still modifies the drive...journaling file systems increase the mount count each time...and Windows..holy hell Windows modifies something like 500 files each time it boots.
Write blockers are an accepted practice in the industry.
magnoon: if you can afford it..get the masster solo..those types of tools are increasing in popularity.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
October 24th, 2004, 04:54 PM
#5
What a ridiculous proposal - a hardware solution for a software problem.
Slarty
Not ridiculous at all, but within the standards that are accepted in the courts in my area. Also non technical people seem to understand the concept of a piece of hardware that blocks writing to a hard drive easier than utilizing software to do the same function. The public constantly hears of software vulnerabilities, and seldom hears the same issues with hardware. (True or not it is perception and in court perception is almost everything) Utilizing hardware write blocking cuts down on the intensity and length of testimony relating to the acquisition process.
I once acquired a machine that resulted in the FBI, DOJ, and IRS getting involved. The use of a hardware write blocker made life so much easier in regards to the acquisition that I won't do it any other way until something better comes along.
hogfly
if you can afford it..get the masster solo
That would indeed be my ultimate, but my current budget puts it a bit out of reach. Do you have experience with using this?
If you receive something that says 'Send this to everyone you know,' pretend you don't know me.
-
October 24th, 2004, 07:58 PM
#6
So let me get this right ... these "Write blockers" are not used to prevent writing to the media, they are used to prevent stupid people from thinking that the media could have been written to by faulty forensics software.
It should be possible of course with software, to mount a writable media read-only, in such a fashion that NO writes are done whatsoever to it.
If that is not possible, then it should be possible to use a software modification which causes the block device driver to behave as a readonly one, even if the device is writable.
---
It still seems to me that these devices are used to prevent shortcomings of Windows operating systems which will mount any device they can read/write automatically and in a non-optional fashion.
But I can see why for audit purposes you might want to use one.
Slarty
-
October 24th, 2004, 08:45 PM
#7
Originally posted here by slarty
So let me get this right ... these "Write blockers" are not used to prevent writing to the media, they are used to prevent stupid people from thinking that the media could have been written to by faulty forensics software.
Actually, they do prevent writes.
It should be possible of course with software, to mount a writable media read-only, in such a fashion that NO writes are done whatsoever to it.
This won't work for all filesystems because they often increase a mount count even if mounting read-only, thus rendering it impossible to verify hashes.
The non-Windows filesystems I know this applies to are: EXT2, EXT3, XFS, and ReiserFS.
If that is not possible, then it should be possible to use a software modification which causes the block device driver to behave as a readonly one, even if the device is writable.
That's a nice theory, and honestly, I would think that's the case with the linux kernel. However, consider that a lot of forensics are done using Windows boxes. It may be a crutch in theory, but in practice it's apparently the difference between having your evidence thrown out and having it admitted.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
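An added example, not from any poster in this thread: the hash-verification point in post #7, shown as a check that compares two acquisitions of the same volume and, when the SHA-256 hashes differ, reports which ext2/ext3 superblock fields changed. The function names and the 4 KiB sample image are constructed for illustration; the field offsets follow the ext2 on-disk superblock layout.

```python
import hashlib
import struct

SB_OFFSET = 1024      # the primary ext2/ext3 superblock starts 1024 bytes into the volume
EXT_MAGIC = 0xEF53    # s_magic value identifying an ext2/ext3 superblock
# (field name, offset inside the superblock, struct format) for fields a mount can update
FIELDS = [
    ("s_mtime", 44, "<I"),      # last mount time
    ("s_wtime", 48, "<I"),      # last write time
    ("s_mnt_count", 52, "<H"),  # mounts since the last fsck
    ("s_state", 58, "<H"),      # clean/error flags
]

def sha256(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def read_superblock(image: bytes) -> dict:
    """Extract the mount-related fields, refusing data that is not ext2/ext3."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 56)[0] != EXT_MAGIC:
        raise ValueError("no ext2/ext3 superblock found")
    return {name: struct.unpack_from(fmt, sb, off)[0] for name, off, fmt in FIELDS}

def compare_acquisitions(before: bytes, after: bytes) -> dict:
    """Report whether the hashes match and, if not, which superblock fields differ."""
    report = {"match": sha256(before) == sha256(after), "changed": {}}
    if not report["match"]:
        a, b = read_superblock(before), read_superblock(after)
        report["changed"] = {k: (a[k], b[k]) for k in a if a[k] != b[k]}
    return report

def make_sample_image(mnt_count: int, mtime: int) -> bytes:
    """Constructed 4 KiB stand-in for a volume; only superblock fields are populated."""
    img = bytearray(4096)
    struct.pack_into("<I", img, SB_OFFSET + 44, mtime)
    struct.pack_into("<I", img, SB_OFFSET + 48, mtime)
    struct.pack_into("<H", img, SB_OFFSET + 52, mnt_count)
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT_MAGIC)
    struct.pack_into("<H", img, SB_OFFSET + 58, 1)  # 1 = cleanly unmounted
    return bytes(img)

if __name__ == "__main__":
    first = make_sample_image(mnt_count=12, mtime=1098600000)
    # Constructed second acquisition: simulates a mount having touched the superblock
    second = make_sample_image(mnt_count=13, mtime=1098650000)
    print(compare_acquisitions(first, first))
    print(compare_acquisitions(first, second))
```

For a real image, read the file in chunks into `hashlib.sha256()` rather than loading it into memory, and pass only the first 2 KiB to `read_superblock`.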
-
October 24th, 2004, 10:14 PM
#8
Originally posted here by magnoon
Slarty
Not ridiculous at all, but within the standards that are accepted in the courts in my area.
It's not just courts in your area, it's every court in the US. From federal to state.
It's pretty much required..why? because NIST and the NIJ say so. If you don't use a write blocker you run the risk of having your evidence tossed.
That would indeed be my ultimate, but my current budget puts it a bit out of reach. Do you have experience with using this?
Never used one, but like I said a lot of companies are starting to use them, it's easier to transport and faster, and it's just as accurate..
Slarty..I agree with your take on it, but that's just not the way things are. NIST & NIJ have done lots of testing on write blockers and software solutions..and the hardware solution wins.
I like to compare it to software vs hardware firewalls. Would you trust Windows XP firewall to protect your $100 million worth of intellectual property? Or would you want to take every precaution to protect its integrity?
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
October 25th, 2004, 12:52 AM
#9
Hogfly - thanks for the information, I appreciate it.
they are used to prevent stupid people from thinking
Non technical != stupid
There may be a brain surgeon or rocket scientist on the jury, but that does not mean they understand how data is stored on a hard drive.
My point is that it is far easier to introduce reasonable doubt into the acquisition process if it was done with a software solution.
If you receive something that says 'Send this to everyone you know,' pretend you don't know me.
-
October 25th, 2004, 01:02 AM
#10
My point is that it is far easier to introduce reasonable doubt into the acquisition process if it was done with a software solution
I'm sorry my friend that is not your job. You should just present the facts as they are. End of story.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry