Write Blocking

Write Blocking
CSC 485/585
Understand the concept of write blocking
Understand hardware write blocking
Understand software write blocking
Understand limitations of write blocking
What is “Write Blocking”
Write Blocking is a critical part of the “Safety Net” you
learned about in the Intro to Computer Forensics lecture.
Controlling the Boot Process is only part of the “Safety Net”
and only prevents the computer and OS from unknowingly
attempting to writing to media attached to the computer. A
user could still intentionally or accidentally write to a disk.
Write Blocking provides an additional layer of protection
beyond the control boot process and prevents accidental or
intentional attempts to write to attached media by the user,
the OS, software applications, etc.
General Write Blocking Requirements
The tool shall not allow a protected drive to be changed.
The tool shall not prevent obtaining any information from
or about any drive.
The tool shall not prevent any operations to a drive that
is not protected.
Per NIST Computer Forensics Tool Testing (CFTT) program, operated/funded by
United States National Institute of Justice. http://www.cftt.nist.gov
How does it work?
A write blocker (hardware or software) works in one of
two ways:
The tool can either deny all write attempts to the disk and
report them to the OS as failures, or
The tool caches the writes for the duration of the session and
reports them to the OS as successful, but actually prevents the
Write blockers do not simply “cut the write wire”…it’s a
little more complicated than that!
This tool denies all write attempts to the disk and
report them to the OS as failures.
Hardware Write Blocking
A hardware write blocker (HWB) is a hardware device that attaches to a
computer system with the primary purpose of intercepting and preventing
(or ‘blocking’) any modifying command operation from ever reaching the
storage device. Physically, the device is connected between the computer
and a storage device.
Some of its functions include monitoring and filtering any activity that is
transmitted or received between its interface connections to the computer
and the storage device.
The interface connections do not have to be the same type. For example,
the computer connection to a HWB could be using a SCSI interface while
the HWB connection to the hard disk could be using an IDE interface. Any
assumptions that are made about either the data that the HWB is
protecting or about the functions of the HWB itself are based entirely on
the notion that the capabilities of the HWB are limited by the capabilities
of its interfaces.
NIST CFTT Hardware Write Block Specs (Version 2.0)
Write Blockers
Some HWB, such as these Tableau devices, can be configured to:
report write errors to the OS, discard write errors, report
write-protected status or not, or not block at all.
Hardware Write Blockers
Your OS identifies and communicates with the HWB device,
not the source drive attached to the HWB.
Depending on how you connect to your host, the drive is
identified as a Firewire (IEEE1394) device, USB or eSATA
Transfer speed depends greatly on interface used.
Software Write Blocking
A software write block tool operates by monitoring and filtering drive I/O
commands sent from an application or OS through a given access interface.
Programs running in the DOS environment can, in addition to direct access
via the drive controller, use two other interfaces:
 DOS service interface (interrupt 0x21) or
 BIOS service interface (interrupt 0x13)
The DOS service operates at the logical level of files and records while the
BIOS service operates at the physical drive sector level.
More complex operating systems, for example Windows XP or a UNIX
variant (e.g., Linux), may disallow any low level interface (through the BIOS
or the controller) and only allow user programs access to a hard drive
through a device driver, a component of the operating system that manages
all access to a device.
NIST CFTT Software Write Block Specs (Version 3.0 Final)
DOS Software Write Blocking
DOS software write blockers were the computer
forensic industry standard write blocking method for
years, prior to the creation of HWB devices starting
around 2003-2004.
HDL (by RCMP) and PDBLOCK (by Digital Intelligence)
were the most popular and the only ones tested by NIST
Placed on DOS Control Boot Disks and set as the first
line in the autoexec.bat file to automatically start the
SWB as soon as the OS started.
SAFE Block XP/Vista/Win7
“Complex” OSs, such as Windows, use “filter” device drivers or specially
designed replacement device drivers for software write blocking.
Linux Software Write Blocking?
Currently, as of 2010, no software write blocking device
drivers exist for Linux.
Popular Linux “Forensic” boot disks are modified Linux
OSs that control the boot environment, preventing
inadvertent writing to attached disks and mounting logical
file systems as read-only, but do not include software
write blockers, as defined by NIST.
NIST CFTT Software Write Block Specs (Version 3.0 Final)
Write Blocking Limitations
Any possible operations that can take place inside of the storage device
that are not accessible or controllable via the interface functionality are
outside the scope of write blocking. (i.e. Bad sector handling, wear levelling,
SMART-Self-Monitoring Analysis and Reporting Technology, etc.)....write
blocking does not prevent changes to a suspect drive, just prevents our
system from changing data on a drive.
No tool or technology is fool-proof or risk proof. Test and know your
Tableau Product Incompatibilities
Tableau strives to ensure our products remain compatible with all variants of storage devices that exist. Unfortunately there are some compatibility issues
we are not able to fix via a firmware update. This page lists the storage devices known to be incompatible with Tableau products, along with notes and
suggested workarounds when possible.
What is SPADA?
SPADA is based on a modified version of Knoppix…. The modifications made to SPADA allow you to mount, preview and acquire data from a suspect
computer that has been booted with the CD directly or indirectly via a floppy. This is done in a forensically secure way without additional hardware like
write-blockers i.e. no writes will be made to the suspect’s hard drive.
(NOTE: Software Raids are not protected from low level writes for example fdisk, high level writes are protected i.e. deleting a file or file
date-stamp changes on mounted file system)
Write Blocking Limitations
There are times, such as “Live Forensics”, where write blocking of any kind
is not possible. In such a case, thoroughly document your steps and tools
used and take care to only “touch” what is absolutely necessary.
There are times when HWB can not be used (i.e. Hardware RAID, hard
drive must remain in laptop, etc.).
Validate your HWB and SWB and re-validate them anytime something
changes (i.e. Firmware update on HWB, or installation of Service Pack on
Windows OS running SWB.), using “hashing”....which you will learn about
later in this course.
Questions ???
…as usual, use the discussion board!

similar documents