Write blockers
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Write blockers

  1. #1
    Senior Member
    Join Date
    Oct 2002
    Posts
    112

    Write blockers

    I currently am using a FastBloc LE for hardware write blocking when acquiring drives and am in the market for another write blocker. I'm interested in any devices that you currently use or have used in the past that you would purchase again, and those that you would never use again even if it was given to you.

    Below are some devices I have been looking at.

    http://www.digitalintelligence.com/products/ultrablock/

    http://www.digitalintelligence.com/products/firefly/

    http://www.icsforensic.com/show_item_296.cfm

    This one looks promising for write blocking flash cards, now if they would only make something similar for USB drives. (I know XP SP2 gives the ability to disable write operations to any connected USB device, but I don't use that for acquisition.)

    http://www.icsforensic.com/show_item_339.cfm

    The price for this device is almost too good to be true, anybody ever used one?

    http://store.yahoo.com/cooldrives/usb20toatabr.html

    Finally I am interested in recomendations for purchasing a high quality SATA to EIDE converter/adapter. I have not yet had to acquire a SATA drive, but that is only a matter of time.
    If you receive something that says \'Send this to everyone you know,\' pretend you don\'t know me.

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    stick with digital intel
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    What a rediculous proposal - a hardware solution for a software problem.

    The solution is to tell your OS not to write to the devices when imaging them for forensics. If your OS is too lame to do that, get one which can or install a software add-on which enables it to.

    Slarty

  4. #4
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Slarty..hate to say it...but it's not rediculous. Mounting read only still modifies the drive...journaling file systems increase the mount count each time...and windows..holy hell windows modifies something like 500 files each time it boots.

    Write blockers are an accepted practice in the industry.

    magnoon: if you can afford it..get the masster solo..those types of tools are increasing in popularity.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    112
    What a rediculous proposal - a hardware solution for a software problem.
    Slarty

    Not ridiculous at all, but within the standards that are accepted in the courts in my area. Also non technical people seem to understand the concept of a piece of hardware that blocks writing to a hard drive easier than utilizing software to do the same function. The public constantly hears of software vulnerabilities, and seldom hears the same issues with hardware. (True or not it is perception and in court perception is almost everything) Utilizing hardware write blocking cuts down on the intensity and length of testimony relating to the acquisition process.

    I once acquired a machine that resulted in the FBI, DOJ, and IRS getting involved. The use of a hardware write blocker made life so much easier in regards to the the acquisition that I won't do it any other way until something better comes along.


    hogfly

    if you can afford it..get the masster solo
    That would indeed be my ultimate, but my current budget puts it a bit out of reach. Do you have experience with using this?
    If you receive something that says \'Send this to everyone you know,\' pretend you don\'t know me.

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    So let me get this right ... these "Write blockers" are not used to prevent writing to the media, they are used to prevent stupid people from thinking that the media could have been written to by faulty forensics software.

    It should be possible of course with software, to mount a writable media read-only, in such a fashion that NO writes are done whatsoever to it.

    If that is not possible, then it should be possible to use a software modification which causes the block device driver to behave as a readonly one, even if the device is writable.

    ---

    It still seems to me that these devices are used to prevent shortcomings of Windows operating systems which will mount any device they can read/write automatically and in a non-optional fashion.

    But I can see why for audit purposes you might want to use one.

    Slarty

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by slarty
    So let me get this right ... these "Write blockers" are not used to prevent writing to the media, they are used to prevent stupid people from thinking that the media could have been written to by faulty forensics software.
    Actually, they do prevent writes.

    It should be possible of course with software, to mount a writable media read-only, in such a fashion that NO writes are done whatsoever to it.
    This won't work for all filesystems because they often increase a mount count even if mounting read-only, thus rendering it impossible to verify hashes.
    The non-Windows filesystems I know this applies to are: EXT2, EXT3, XFS, and ReiserFS.

    If that is not possible, then it should be possible to use a software modification which causes the block device driver to behave as a readonly one, even if the device is writable.
    That's a nice theory, and honestly, I would think that's the case with the linux kernel. However, consider that a lot of forensics are done using Windows boxes. It may be a crutch in theory, but in practice it's apparently the difference between having your evidence thrown out and having it admitted.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #8
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Originally posted here by magnoon
    Slarty

    Not ridiculous at all, but within the standards that are accepted in the courts in my area.


    It's not just courts in your area, it's every court in the US. From federal to state.

    It's pretty much required..why? because NIST and the NIJ say so. If you don't use a write blocker you run the risk of having your evidence tossed.

    That would indeed be my ultimate, but my current budget puts it a bit out of reach. Do you have experience with using this?
    Never used one, but like I said a lot of companies are starting to use them, it's easier to transport and faster, and it's just as accurate..

    Slarty..I agree with your take on it, but that's just not the way things are. NIST & NIJ have done lots of testing on write blockers and software solutions..and the hardware solution wins.

    I like to compare it to software vs hardware firewalls. Would you trust windows xp firewall to protect your 100$ million dollars worth of intellectual property ? Or would you want to take every precaution to protect it's integrity?
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  9. #9
    Senior Member
    Join Date
    Oct 2002
    Posts
    112
    Hogfly - thanks for the information, I appreciate it.

    they are used to prevent stupid people from thinking
    Non technical != stupid

    There may be a brain surgeon or rocket scientist on the jury, but that does not mean they understand how data is stored on a hard drive.

    My point is that it is far easier to introduce reasonable doubt into the acquisition process if it was done with a software solution.
    If you receive something that says \'Send this to everyone you know,\' pretend you don\'t know me.

  10. #10
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    My point is that it is far easier to introduce reasonable doubt into the acquisition process if it was done with a software solution
    I'm sorry my friend that is not your job. You should just present the facts as they are. End of story.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •