Objectives Understand the concept of write blocking Understand hardware write blocking Understand software write blocking Understand limitations of write blocking
What is Write Blocking Write Blocking is a critical part of the Safety Net you learned about in the Intro to Computer Forensics lecture. Controlling the Boot Process is only part of the Safety Net and only prevents the computer and OS from unknowingly attempting to writing to media attached to the computer. A user could still intentionally or accidentally write to a disk. Write Blocking provides an additional layer of protection beyond the control boot process and prevents accidental or intentional attempts to write to attached media by the user, the OS, software applications, etc.
General Write Blocking Requirements The tool shall not allow a protected drive to be changed. The tool shall not prevent obtaining any information from or about any drive. The tool shall not prevent any operations to a drive that is not protected. Per NIST Computer Forensics Tool Testing (CFTT) program, operated/funded by United States National Institute of Justice. http://www.cftt.nist.govhttp://www.cftt.nist.gov
How does it work? A write blocker (hardware or software) works in one of two ways: The tool can either deny all write attempts to the disk and report them to the OS as failures, or The tool caches the writes for the duration of the session and reports them to the OS as successful, but actually prevents the write. Write blockers do not simply cut the write wire…its a little more complicated than that!
Example: This tool denies all write attempts to the disk and report them to the OS as failures.
Hardware Write Blocking A hardware write blocker (HWB) is a hardware device that attaches to a computer system with the primary purpose of intercepting and preventing (or blocking) any modifying command operation from ever reaching the storage device. Physically, the device is connected between the computer and a storage device. Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device. The interface connections do not have to be the same type. For example, the computer connection to a HWB could be using a SCSI interface while the HWB connection to the hard disk could be using an IDE interface. Any assumptions that are made about either the data that the HWB is protecting or about the functions of the HWB itself are based entirely on the notion that the capabilities of the HWB are limited by the capabilities of its interfaces. http://www.cftt.nist.gov/hardware_write_block.htm NIST CFTT Hardware Write Block Specs (Version 2.0) http://www.cftt.nist.gov/HWB-v2-post-19-may-04.pdf
Some HWB, such as these Tableau devices, can be configured to: report write errors to the OS, discard write errors, report write-protected status or not, or not block at all.
Hardware Write Blockers Your OS identifies and communicates with the HWB device, not the source drive attached to the HWB. Depending on how you connect to your host, the drive is identified as a Firewire (IEEE1394) device, USB or eSATA device. Transfer speed depends greatly on interface used.
Software Write Blocking A software write block tool operates by monitoring and filtering drive I/O commands sent from an application or OS through a given access interface. Programs running in the DOS environment can, in addition to direct access via the drive controller, use two other interfaces: DOS service interface (interrupt 0x21) or BIOS service interface (interrupt 0x13) The DOS service operates at the logical level of files and records while the BIOS service operates at the physical drive sector level. More complex operating systems, for example Windows XP or a UNIX variant (e.g., Linux), may disallow any low level interface (through the BIOS or the controller) and only allow user programs access to a hard drive through a device driver, a component of the operating system that manages all access to a device. NIST CFTT Software Write Block Specs (Version 3.0 Final) http://www.cftt.nist.gov/documents/SWB-STP-V3_1a.pdf
DOS Software Write Blocking DOS software write blockers were the computer forensic industry standard write blocking method for years, prior to the creation of HWB devices starting around 2003-2004. HDL (by RCMP) and PDBLOCK (by Digital Intelligence) were the most popular and the only ones tested by NIST CFTT. Placed on DOS Control Boot Disks and set as the first line in the autoexec.bat file to automatically start the SWB as soon as the OS started. http://www.cftt.nist.gov/software_write_block.htm
SAFE Block XP/Vista/Win7 Complex OSs, such as Windows, use filter device drivers or specially designed replacement device drivers for software write blocking.
Linux Software Write Blocking? Currently, as of 2010, no software write blocking device drivers exist for Linux. Popular Linux Forensic boot disks are modified Linux OSs that control the boot environment, preventing inadvertent writing to attached disks and mounting logical file systems as read-only, but do not include software write blockers, as defined by NIST. NIST CFTT Software Write Block Specs (Version 3.0 Final) http://www.cftt.nist.gov/documents/SWB-STP-V3_1a.pdf
Write Blocking Limitations Any possible operations that can take place inside of the storage device that are not accessible or controllable via the interface functionality are outside the scope of write blocking. (i.e. Bad sector handling, wear levelling, SMART-Self-Monitoring Analysis and Reporting Technology, etc.)....write blocking does not prevent changes to a suspect drive, just prevents our system from changing data on a drive. No tool or technology is fool-proof or risk proof. Test and know your tools! http://www.tableau.com/index.php?pageid=drive_incompatibility Tableau Product Incompatibilities Tableau strives to ensure our products remain compatible with all variants of storage devices that exist. Unfortunately there are some compatibility issues we are not able to fix via a firmware update. This page lists the storage devices known to be incompatible with Tableau products, along with notes and suggested workarounds when possible. http://www.spada-cd.info/about.htm What is SPADA? SPADA is based on a modified version of Knoppix…. The modifications made to SPADA allow you to mount, preview and acquire data from a suspect computer that has been booted with the CD directly or indirectly via a floppy. This is done in a forensically secure way without additional hardware like write-blockers i.e. no writes will be made to the suspects hard drive. (NOTE: Software Raids are not protected from low level writes for example fdisk, high level writes are protected i.e. deleting a file or file date-stamp changes on mounted file system)
Write Blocking Limitations There are times, such as Live Forensics, where write blocking of any kind is not possible. In such a case, thoroughly document your steps and tools used and take care to only touch what is absolutely necessary. There are times when HWB can not be used (i.e. Hardware RAID, hard drive must remain in laptop, etc.). Validate your HWB and SWB and re-validate them anytime something changes (i.e. Firmware update on HWB, or installation of Service Pack on Windows OS running SWB.), using hashing....which you will learn about later in this course.
Questions ??? …as usual, use the discussion board!