Presentation is loading. Please wait.

Presentation is loading. Please wait.

Testing Write Blockers James R Lyle CFTT Project NIST/ITL/SDCT November 06, 2006.

Published bySalvador Lind Modified over 9 years ago

Similar presentations

Presentation on theme: "Testing Write Blockers James R Lyle CFTT Project NIST/ITL/SDCT November 06, 2006."— Presentation transcript:

1 Testing Write Blockers James R Lyle CFTT Project NIST/ITL/SDCT November 06, 2006

2 Nov 06, 2006Techno Forensics at NIST2 DISCLAIMER Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose.

3 Nov 06, 2006Techno Forensics at NIST3 Project Sponsors  NIST/OLES (Program management)  National Institute of Justice (Major funding)  FBI (Additional funding)  Department of Defense, DCCI (Equipment and support)  Homeland Security (Technical input)  State & Local agencies (Technical input)  Internal Revenue, IRS (Technical input)

4 Nov 06, 2006Techno Forensics at NIST4 Talk Outline  Software Write Blocking  Hardware Write Blocking

5 Nov 06, 2006Techno Forensics at NIST5 Protection Goals  Prohibit any changes to a hard drive  Prohibit changes by a malicious program  Prohibit accidental change (blunder)  Prohibit change by operating system  Prohibit damage to a drive

6 Nov 06, 2006Techno Forensics at NIST6 Protection Strategies  Standardized & validated procedures  No Protection software or device  Trusted OS & trusted tools  Software write block program  Hardware write block device

7 Nov 06, 2006Techno Forensics at NIST7 Software Write Blocking  Blocking strategies  Interrupt 0x13 command set  Command usage observations  NIST test results for RCMP HDL & Pdblock

8 Nov 06, 2006Techno Forensics at NIST8 Software Blocking Tools  BIOS based interrupt 0x13 DOS TSR  Driver based (e.g., Windows filter stack)  Built in to OS: Windows XP service pack 2

9 Nov 06, 2006Techno Forensics at NIST9 Write Block Strategies  Block unsafe commands, allow everything else +Always can read, even if new command introduced -Allows newly introduced write commands  Allow safe commands, block everything else +Writes always blocked - Cannot use newly introduced read commands

10 Nov 06, 2006Techno Forensics at NIST10 Interrupt 0x13 Commands  256 possible command codes  Common BIOS has about 20 defined  Many obsolete or discontinued commands  Many commands defined for add on products see http://www.ctyme.com/rbrown.htm

11 Nov 06, 2006Techno Forensics at NIST11 Hard Drive BIOS Access

12 Nov 06, 2006Techno Forensics at NIST12 SWB Tool Operation

13 Nov 06, 2006Techno Forensics at NIST13 Test Harness Operation

14 Nov 06, 2006Techno Forensics at NIST14 Phoenix BIOS 4.0

15 Nov 06, 2006Techno Forensics at NIST15 Observations of 0x13 Usage I

16 Nov 06, 2006Techno Forensics at NIST16 Observations of 0x13 Usage II

17 Nov 06, 2006Techno Forensics at NIST17 Comments on 0x13  Only two unsafe commands were in use  Other unsafe commands unlikely to be used  Format: 05, 06, & 07  Diagnostic: 0E, 0F, 12, 13, & 14  Write long: 0B

18 Nov 06, 2006Techno Forensics at NIST18 RCMP HDL & Pdblock

19 Nov 06, 2006Techno Forensics at NIST19 Write Blocking Hardware  Blocking device actions  ATA standards  Observed ATA commands  Device behaviors for two devices

20 Nov 06, 2006Techno Forensics at NIST20 CPU Device Send I/O CMD to Device Return result to CPU BUS1 BUS 2 PROTOCOL ANALYZER Monitor Bus Traffic BUS HWB Testing HWB

21 Nov 06, 2006Techno Forensics at NIST21 Write Blocker Actions  The device forwards the command to the hard drive.  The blocking device substitutes a different command to the hard drive. The is the case if the blocking device uses different bus protocols for communication with the host and hard drive.  The device simulates the command without actually forwarding the command to the hard drive.  If a command is blocked, the device may return either success or failure for the blocked operation. However, returning failure may sometimes cause the host computer to lock up for some commands issued by some operating systems.

22 Nov 06, 2006Techno Forensics at NIST22 ATA Standards

23 Nov 06, 2006Techno Forensics at NIST23 Using a Protocol Analyzer

24 Nov 06, 2006Techno Forensics at NIST24 ATA Write Commands

25 Nov 06, 2006Techno Forensics at NIST25 Other Unsafe ATA Cmds

26 Nov 06, 2006Techno Forensics at NIST26 Commands Issued by BIOS

27 Nov 06, 2006Techno Forensics at NIST27 Write Commands Issued by OS (Unix)

28 Nov 06, 2006Techno Forensics at NIST28 Write Commands Issued by OS (MS)

29 Nov 06, 2006Techno Forensics at NIST29 Blocking Devices vs Writes  Action by device X and device Y on observed write commands

30 Nov 06, 2006Techno Forensics at NIST30 Blocking Devices vs Reads  Actions against observed read commands for two devices: X & Y  Device Y replaces read multiple with read DMA

31 Nov 06, 2006Techno Forensics at NIST31 Results for an ATA Device The tested device allowed only the following commands: 20=READ W/ RETRY 24=READ SECTOR EXT 25=READ DMA EXT 27=RD MAX ADR EXT 37=SET MAX ADR EXT (volatile) 70=SEEK 91=INIT DRV PARAMS B1=Device Config C8=Read DMA F8=RD NATV MAX ADD F9=SET MAX ADDRESS (volatile) On power on the device issues the following commands to the protected drive: EC=IDENTIFY DRIVE EF=SET FEATURES C6=SET MULTPLE EF=SET FEATURES C6=SET MULTPLE MOD Note that the identify device command is blocked if issued by the host, but the device returns the values obtained at power on.

32 Nov 06, 2006Techno Forensics at NIST32 Another ATA Device  Although no commands were allowed by the write blocker that could change user or operating system data, some unsupported or atypical commands were allowed. Some examples are: CommandComment Down load microcode (0x92)This command allows reprogramming of hard drive firmware. While this could change drive behavior, the information to do so is drive model specific and not generally available. Format Track (0x50)This command is not defined in the current ATA hard drive specifications (ATA-4, through ATA-7). The command was defined in ATA-1, ATA-2 and ATA-3, however all three specifications have been withdrawn. The command could be used to erase information on an older drive that supports the instruction, but could not be used to change the content of any user or operating system data stored on a drive. SMART write (0xB0,D6)This command records information in a device maintenance log, not part of the data area where data files and operating system data is stored. Vendor Specific commandsThese are undocumented commands specific to a given model of hard drive. CFA Erase Erase (0xC0)This command applies to Compact Flash devices, not hard drives. SATA Write FPDMA (0x61)This command is noted by the protocol analyzer, but the command is only valid for Serial ATA (SATA) devices.

33 Nov 06, 2006Techno Forensics at NIST33 Notable Blocker Behaviors  allow the volatile SET MAX ADDRESS, block if non-volatile  cached the results IDENTIFY DEVICE  substituted READ DMA for READ MULTIPLE  allowed FORMAT TRACK  Depending on OS version, might no be able to preview NTFS partition

34 Nov 06, 2006Techno Forensics at NIST34 Contacts Jim LyleDoug White www.cftt.nist.govwww.nsrl.nist.gov cftt@nist.govnsrl@nist.gov Barbara Guttman bguttman@nist.gov Sue Ballou, Office of Law Enforcement Standards susan.ballou@nist.gov

Download ppt "Testing Write Blockers James R Lyle CFTT Project NIST/ITL/SDCT November 06, 2006."

Similar presentations

Chapter 13: I/O Systems I/O Hardware Application I/O Interface

Chapter 13: I/O Systems I/O Hardware Application I/O Interface
OPERATING SYSTEMS Lecturer: Szabolcs Mikulas Office: B38B

OPERATING SYSTEMS Lecturer: Szabolcs Mikulas Office: B38B
Chapter 5 Input/Output 5.1 Principles of I/O hardware

Chapter 5 Input/Output 5.1 Principles of I/O hardware
The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.

The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.
COEN 252 Computer Forensics Hard Drive Geometry. Drive Geometry Basic Definitions: Track Sector Floppy.

COEN 252 Computer Forensics Hard Drive Geometry. Drive Geometry Basic Definitions: Track Sector Floppy.
A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.

A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.
Write Blocking CSC 485/585.

Write Blocking CSC 485/585.
Operating System Structures

Operating System Structures
Jim Lyle National Institute of Standards and Technology.

Jim Lyle National Institute of Standards and Technology.
Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.

Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.

Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.
Lecture 11: Operating System Services. What is an Operating System? An operating system is an event driven program which acts as an interface between.

Lecture 11: Operating System Services. What is an Operating System? An operating system is an event driven program which acts as an interface between.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.

Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.
Motherboard, BIOS and POST The external data bus connects devices on the motherboard together. Everything is also connected to the address bus. These busses.

Motherboard, BIOS and POST The external data bus connects devices on the motherboard together. Everything is also connected to the address bus. These busses.
14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.

14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.

Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Unit 6- Operating Systems.  Identify the purpose of an OS  Identify different operating systems  Describe computer user interaction with multiple operating.

Unit 6- Operating Systems.  Identify the purpose of an OS  Identify different operating systems  Describe computer user interaction with multiple operating.
1 DOS with Windows 3.1 and 3.11 Operating Environments n Designed to allow applications to have a graphical interface DOS runs in the background as the.

1 DOS with Windows 3.1 and 3.11 Operating Environments n Designed to allow applications to have a graphical interface DOS runs in the background as the.
Operating System Organization

Operating System Organization
Operating Systems.

Operating Systems.

Similar presentations

Ads by Google