Write Blocker In Computer Forensics
A software write blocker is installed directly on the image acquisition workstation, so no additional hardware is needed (less to carry, one less thing to fail). It can generally protect any interface available on the workstation, and any interface added later, so a new storage interface does not mean a new purchase. Software write blockers are limited by the speed of the port they are blocking, plus some overhead for the write-blocking process itself; all write blockers are limited in this way, although hardware write blockers are normally optimized for speed.
Software write blockers, on the other hand, are simply programs that run on a computer and block all writes to the disks designated in the program (they can block many at once). Because they are programs rather than physical devices, they are often considerably less expensive than hardware write blockers.
Fragment of the test procedure from the JDFSL study cited below (its section 2.3, Test Sets):
... (USB) port and a software write-blocker. Take a bit-stream image of the storage device attached to the forensic workstation via the USB port without use of either a hardware or software write-blocker. Document hash value findings. 2.3 Test Sets: This project tested two different media types, namely, a hard disk drive (HDD) and a USB.
Let's say we're using some flavor of Linux and we mount a partition using the following command:
The partition is supposed to be read-only so that the OS and user cannot write to the disk without changing the mount permissions.
From the ForensicsWiki:
Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands, hence their name.
It seems to me that this is just to prevent accidental flags. The page also says that some write blockers have additional features, such as slowing the disk down to prevent damage. But for this, let's assume it is just a simple one that can only block writing.
If you can just mount a disk in read-only mode, what is the point of buying something such as a write blocker? Is this just to help prevent things such as an accidental mount command with write permissions (user error, which cannot be permitted in some instances, i.e. criminal cases), or am I missing some more in-depth features of how filesystems work?
Note: I am aware that some SSDs shuffle data continuously, I am not sure whether to include them in the question or not. It seems like that would make it much more complicated.
4 Answers
The Journal of Digital Forensics, Security and Law has an excellent article, "A Study of Forensic Imaging in the Absence of Write-Blockers", that analyses forensic capture both with and without write blockers. From the journal:
Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker are immediately suspect.
Merely mounting a file system can cause reads and writes. Many modern filesystems, from ext3/4 and XFS to NTFS, have a journal that maintains metadata about the filesystem itself. If power is lost, the system shuts down incompletely, or for a number of other reasons, this journal is automatically read and written back to file structures across the drive to maintain the consistency of the filesystem. This may happen during the mount process, whether or not the filesystem is mounted read-write.
For example, from the ext4 documentation, the ro mount option will...
Mount filesystem read only. Note that ext4 will replay the journal (and thus write to the partition) even when mounted 'read only'. The mount options 'ro,noload' can be used to prevent writes to the filesystem.
Although these driver-level changes do not affect the content of files, it is a forensics standard to take cryptographic hashes of evidence upon collection in order to maintain a chain of custody. If one can show that the hash, i.e. SHA-256, of currently held evidence matches what was collected, then you can prove beyond reasonable doubt that the drive's data has not been modified during the analysis process.
Digital evidence can be cited as evidence in nearly every crime category. Forensic investigators need to be absolutely certain that the data they obtain as evidence has not been altered in any way during the capture, analysis, and control. Attorneys, judges and jurors need to feel confident that the information presented in a computer crime case is legitimate. How can an investigator ensure for certain that his or her evidence is accepted in court?
According to the National Institute of Standards and Technology (NIST), the investigator follows a set of procedures designed to prevent the execution of any program that might modify the disk contents. http://www.cru-inc.com/data-protection-topics/writeblockers/
A write blocker is necessary, because if any bit changes for any reason—OS, driver-level, file-system level or below—then the hashes of the collected vs analysed system will no longer match, and the drive's admissibility as evidence may be questioned.
The write-blocker is thus both a technical control against the possibility of low-level changes, and a procedural control to provide assurance that no changes were made, regardless of user or software. By removing the possibility of changes, it supports hashes to be used to show that analysed evidence matches collected evidence, and prevents many potential evidence handling problems and questions.
The JDFSL article's analysis shows that without a write-blocker, changes were made to the drives they tested. On the other hand, the individual data files' hashes would still be intact, so arguments for the soundness of evidence collected without a write blocker exist, but they are not considered industry best practice.
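A practical check on the answer's ext4 point, added here as an example (it is not code from the original page or from the quoted article): the `noload` advice only matters when the journal has something to replay, and the superblock tells you that before you mount anything. The parser below reads the primary ext4 superblock from a raw image and reports whether a plain `ro` mount would write to it. The field offsets are those of the kernel's `struct ext4_super_block`; the superblock bytes it is exercised against are constructed by `make_test_superblock`, not taken from a real drive, and the function names are this example's own.

```python
"""Decide from the ext4 superblock whether 'mount -o ro' would still write.

ext4 replays its journal at mount time even when mounted read-only, so a plain
'ro' mount modifies the partition whenever the journal needs recovery. The
INCOMPAT_RECOVER feature flag in the superblock records exactly that state, and
reading it from the raw image is itself a pure read. Offsets below are those of
the kernel's struct ext4_super_block.
"""
import struct
from typing import Optional

SUPERBLOCK_OFFSET = 1024            # primary superblock sits 1 KiB into the partition
EXT4_SUPER_MAGIC = 0xEF53
STATE_CLEANLY_UNMOUNTED = 0x0001
STATE_ERRORS_DETECTED = 0x0002
COMPAT_HAS_JOURNAL = 0x0004         # s_feature_compat: filesystem has a journal
INCOMPAT_RECOVER = 0x0004           # s_feature_incompat: journal needs replay


def inspect_ext4_superblock(image: bytes) -> Optional[dict]:
    """Parse the mount-relevant superblock fields from the first 2 KiB of an image.

    Returns None if the data is too short or the magic does not match, i.e. the
    image does not start with an ext2/3/4 filesystem.
    """
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        return None
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT4_SUPER_MAGIC:
        return None
    (state,) = struct.unpack_from("<H", sb, 0x3A)
    compat, incompat, _ro_compat = struct.unpack_from("<III", sb, 0x5C)
    uuid = sb[0x68:0x78].hex()
    volume_name = sb[0x78:0x88].split(b"\0", 1)[0].decode("latin-1")
    has_journal = bool(compat & COMPAT_HAS_JOURNAL)
    needs_recovery = bool(incompat & INCOMPAT_RECOVER)
    return {
        "volume_name": volume_name,
        "uuid": uuid,
        "cleanly_unmounted": bool(state & STATE_CLEANLY_UNMOUNTED),
        "errors_detected": bool(state & STATE_ERRORS_DETECTED),
        "has_journal": has_journal,
        "needs_recovery": needs_recovery,
        # The journal is replayed (and the partition written) only when both hold.
        "ro_mount_writes": has_journal and needs_recovery,
        # 'noload' skips loading the journal; harmless to specify when there is none.
        "safe_mount_options": "ro,noload" if has_journal else "ro",
    }


def inspect_image_file(path: str) -> Optional[dict]:
    """Read only the bytes needed from an image file or a write-blocked device node."""
    with open(path, "rb") as f:
        return inspect_ext4_superblock(f.read(SUPERBLOCK_OFFSET + 1024))


def make_test_superblock(*, journal: bool, recover: bool,
                         state: int = STATE_CLEANLY_UNMOUNTED) -> bytes:
    """Constructed test data: a 2 KiB blob holding only the fields parsed above (not a real fs)."""
    sb = bytearray(1024)
    struct.pack_into("<H", sb, 0x38, EXT4_SUPER_MAGIC)
    struct.pack_into("<H", sb, 0x3A, state)
    struct.pack_into("<III", sb, 0x5C,
                     COMPAT_HAS_JOURNAL if journal else 0,
                     INCOMPAT_RECOVER if recover else 0,
                     0)
    sb[0x68:0x78] = bytes(range(16))                  # fake UUID
    sb[0x78:0x88] = b"evidence".ljust(16, b"\0")      # volume label
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)


if __name__ == "__main__":
    # A filesystem yanked mid-write: not cleanly unmounted, journal needs replay.
    crashed = make_test_superblock(journal=True, recover=True, state=0)
    info = inspect_ext4_superblock(crashed)
    print(f"{info['volume_name']}: ro mount writes? {info['ro_mount_writes']} "
          f"-> mount with -o {info['safe_mount_options']}")
```

Run it against the image file, or against the device node only behind a write blocker (or after `blockdev --setro`), never against a filesystem you have already mounted. Whatever it reports, the hashes of the source and the image, taken at acquisition and again after analysis, remain the actual proof that nothing changed; this check only tells you in advance whether a bare `ro` mount was about to break that proof.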
You can't be sure. @jakegould covers a ton of the legal and technical reasons, so I'm focusing on the operational reasons.
Firstly, you never mount a drive like that; you image an entire device. Your core premise, that you can use filesystem permissions, is wrong. You're going to use some flavour of dd or a specialised acquisition tool that should work read-only by default.
Forensics is all about being absolutely sure you've not tampered with the evidence at any stage, and that you can provide a verified copy of the drive with no changes made to it. (In fact, unless you need to do live forensics, you only touch a suspect hard drive once to image it.) So in addition to your acquisition tool being read-only, it acts as a second line of defence against messing up.
The write blocker does certain things.
- It shifts the burden of proving that the drive was in fact read only
- In a more idiot-proof way: it becomes part of your 'acquisition' rig/process
- with the device guaranteed to do so by the manufacturer - which is something you want in your evidence/incident log.
In a sense it slots into the process of evidence collection, and there's one less thing for your frail human self to mess up. In addition to verification that the source drive isn't written to, it might save you if you mix up source and destination.
In short it takes out one possible major weak point. You don't have to think about 'did I mount the drive readonly' or 'did I swap my source and destination in dd?'
You hook it in, and you don't need to worry if you overwrote your evidence.
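The acquisition workflow this answer describes, as an added example (not code from the page or from any tool it names): stream the whole device once into an image file, hash it on the way through, re-hash the written image, and keep the record that lets you prove later that the two still match. It also refuses when source and destination are the same file, the swapped-dd-arguments mistake mentioned above. `demo()` runs the whole thing on a constructed 1 MiB "device" in a temporary directory, including one deliberately corrupted byte, so it works offline; the paths and the `acquire`/`verify` names are this example's own.

```python
"""Image a device once, hash source and image, and keep a verifiable record.

This is the 'dd plus hashes' workflow in plain Python: the source is read a
single time, the hashes are computed from the bytes as they stream past, the
written image is hashed again, and the two sets must agree. Two guards model
what a write blocker makes physically impossible: the destination may never be
the source, and an existing image is never silently overwritten.
"""
import hashlib
import os
import tempfile
from typing import Dict

CHUNK_SIZE = 1024 * 1024
ALGORITHMS = ("md5", "sha256")     # MD5 for legacy tooling, SHA-256 as the real control


def same_file(a: str, b: str) -> bool:
    """True when both paths resolve to the same (device, inode), so writing b would hit a."""
    try:
        sa, sb = os.stat(a), os.stat(b)
    except FileNotFoundError:
        return False
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def hash_file(path: str) -> Dict[str, str]:
    """Hash a file in chunks with every algorithm in ALGORITHMS."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK_SIZE):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def acquire(source: str, image: str) -> dict:
    """Bit-stream copy source -> image, hashing the source as it is read, then verify the image."""
    if same_file(source, image):
        raise ValueError("destination is the source; refusing to overwrite evidence")
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    # 'xb' fails if the image already exists: an acquisition never clobbers an earlier one.
    with open(source, "rb") as src, open(image, "xb") as dst:
        while chunk := src.read(CHUNK_SIZE):
            for h in hashes.values():
                h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    source_hashes = {name: h.hexdigest() for name, h in hashes.items()}
    image_hashes = hash_file(image)
    return {
        "source": source,
        "image": image,
        "bytes": size,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def verify(image: str, expected: Dict[str, str]) -> bool:
    """Re-hash an image later (before and after analysis) and compare with the acquisition record."""
    return hash_file(image) == expected


def demo() -> dict:
    """Run the workflow on a constructed 1 MiB 'device' in a temp dir; return what the checks found."""
    device_contents = bytes(range(256)) * 4096          # constructed sample data, not a real drive
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "sdb")
        image = os.path.join(workdir, "sdb.dd")
        with open(source, "wb") as f:
            f.write(device_contents)
        record = acquire(source, image)
        intact = verify(image, record["source_hashes"])
        with open(image, "r+b") as f:                      # simulate one stray write to the image
            f.write(b"\xff")                                # first byte was 0x00
        tampered_detected = not verify(image, record["source_hashes"])
        try:
            acquire(source, source)                          # the swapped-arguments mistake
            swap_blocked = False
        except ValueError:
            swap_blocked = True
    return {
        "record": record,
        "intact": intact,
        "tampered_detected": tampered_detected,
        "swap_blocked": swap_blocked,
        "expected_sha256": hashlib.sha256(device_contents).hexdigest(),
    }


if __name__ == "__main__":
    result = demo()
    print(result["record"]["source_hashes"]["sha256"], result["record"]["verified"],
          result["tampered_detected"], result["swap_blocked"])
```

On a real case the source would be a device node such as `/dev/sdb` presented through a write blocker, and the returned record (sizes, hashes, paths) is what goes into the acquisition log; `verify()` is then run again before and after every analysis session against the stored hashes.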
You state this:
If you can just mount a disk in read-only mode, what is the point of buying something such as a write blocker?
Let’s—at a high, non-technical level—logically look at how data for evidence would be collected. And the key to all of this is neutrality.
You have a suspect of… Something in a legal or potentially legal case. Their evidence must be presented as neutral as possible. In the case of physical documents you can just take the printed materials and physically store them in a safe place. For data? The nature of computer systems inherently has an issue of data manipulation in play.
While you state you could just logically mount the volume as "read only", who are you? And how can someone who is not you, like a court or investigator, trust your skills, systems and expertise? Meaning, what makes your system so special that some background process cannot suddenly pop up on the system and start indexing the drive the second you plug it in? And how will you monitor that? And heck, what about file metadata? MD5s on files are useful... But if one character of metadata changes in a file, guess what? The MD5 changes.
What it comes down to is in the great scheme of things your personal technical skills have no bearing on the ability for you to present data as neutrally as possible to investigators, courts or others.
Enter a write blocker. This is not a magical device. It clearly blocks data writing at a base level, and what else? Well, that's all it does and that is all it should ever do (or not do).
A write blocker is a neutral piece of hardware made by another company to an industry-accepted standard that performs one task and one task well: prevent data writes.
To an investigator, court or others the use of a write blocker basically states, “I am a computer professional who understands data forensics and understands the need for data integrity when providing others information I am charged with gathering. I am using a physical device we all agree prevents writes to access this data to show everyone that yes, this is the evidence you need to do what you need to do.”
So the point of “buying something such as a write blocker” is to buy a tool that is universally recognized by people all over the world as a valid tool for neutral data access and collection. And that if someone else—who is not you—were to access the data with a similar write blocker, they too would get the same data in return.
Another real-world example is video camera evidence. Now yes, there is a risk of video evidence being tampered with. But let's say you witnessed a crime and saw the suspect and know that they did it. In a court, your integrity as a witness will be eviscerated by the defense as they seek to defend their client. But let's say in addition to your eyewitness report the police get video footage of the crime happening. That impartial, unblinking eye of a neutral image-capturing device lays to rest most doubts about your claims. Meaning, a "robot" thing that is not a human but can record data will back up the prosecution's case against the defense, and not just your word/trust.
The reality is that the world of law and legality really comes down to solid, tangible and, pretty much, irrefutable physical evidence. And a write blocker is a tool that ensures physical data evidence is as clean as possible.
The reason write blockers are used is that criminals could have put trap processes in place that destroy evidence upon an event (an incorrect password attempt, inability to reach a specific server, an attempt to access a fake file, or whatever).
Any trap processes can basically attempt to remount the device in read-write too.
The only way to be sure is to use a hardware device. Some hardware writeblockers have a switch that allows the writeblocking function to be disabled, but the main important thing, is that software can never affect hardware if the hardware is not programmed to react to software signals.
The same thought can be applied to USB memories, which is why some USB memories have a physical write-protect switch.
Sometimes the investigator needs to be able to boot the suspect's OS, which is why the investigator needs to be wary of any trap processes.
The investigation process varies between countries because of different responsibility laws. In some countries, mere possession of certain files is illegal, it's your responsibility to keep your computer secure, and you cannot blame the illegal files on a virus.
And in another country, it might be that possession of the file is illegal, but evidence needs to be presented that it was the suspect who placed the files and not a virus.
In the second case, the investigator might need to boot the computer to see whatever is starting up at boot in autostart/run/runonce.
In other words, criminals are by nature malicious, thus anything that could challenge the evidence's validity in court needs to be protected at all costs. Also, if the criminal has put a trap in place that automatically destroys evidence, it will in many cases NOT be "destruction of evidence", as opposed to manually deleting something. It could be a disaster if writes are allowed through.
An isolated hardware process is much more secure than a software process, so write blockers are used by investigators to secure their material from destruction, in the same way security professionals use smart cards and tokens to prevent their secrets from being compromised.
Below is a list of write blocker software, with some of their main features. Such software is used to acquire information from a device without accidentally damaging the contents of the drive. The features listed should help you choose the software that fits your needs.
USB Write Blocker
This write blocking software is easy to install and use. If it does not work properly, make sure the USB drivers are installed correctly. It is recommended not to change the software's settings while a USB flash drive is still connected.
Safe Block
This is a software-based write blocker. It allows safe and quick acquisition of flash or disk storage media attached directly to the workstation, and supports analysis as well. It is described as faster than hardware-based write blocking and as having been shown to be safe to use.
Software Write Block
Software Write Block is easy to download. It works by interposing on the host computer's access interface to the hard drive, using its own set of access protocols and commands, and it is tested before being deployed.
Other Platform
There are several other write blocker programs for various operating systems. They use various sets of commands and protocols to acquire data and carry out analysis, and are effective for acquiring data safely.
Write Blocking for Windows
This is free software for the Windows platform. It works with any model of write blocker, is easy to use, and provides detailed as well as summarized reports. It supports data acquisition and analysis.
Soft Block for Mac
This is a software-based write blocker for Mac operating systems. It identifies newly attached hardware devices and mounts them read-only or read-write according to the user's preference, which is what forensic departments need.
Kali Linux
Kali Linux is a Linux distribution used for security auditing and penetration testing, and it also ships reverse engineering and forensics tools. Its live image offers a forensics boot mode that does not automatically mount internal disks or removable media and does not use swap, which serves the same purpose as a software write blocker during acquisition. It provides a large collection of tools for various security tasks.
Mac Forensics Lab Write Controller – Most Popular Software
This software prevents a Mac from automatically mounting volumes, helping to maintain the integrity of the suspect data. It provides protection, security and flexibility, and lets the investigator analyze and preview images on a workstation, speeding up the whole investigation.
What is Write Blocker Software?
This is a software-based tool used mainly by forensics departments for investigations. It acquires data from various sources without damaging the source contents, and then analyzes the data to generate reports. Software and hardware write blockers differ, as discussed above.
SATA write blockers are used extensively by forensics departments. From individuals to large organizations, these tools are used for data acquisition, analysis of the acquired data, and finally reporting based on that analysis.