Tuesday, August 10, 2010

write blocker cyber forensics

write blocker


A write blocker is usually used to ensure that suspect evidence is not compromised: it allows information to be read from the suspect drive but does not allow the acquiring computer to write data to the drive. There are two ways to build a write blocker. The first allows only the commands on a list to pass from the computer to the drive and blocks everything not on the list. The second specifically blocks the write commands and lets everything else through. Write blockers may also include drive protection that limits the speed of the drive attached to the blocker; for example, this added protection could allow a drive that cannot be read at high speed (UDMA modes) to be read at the slower modes (PIO).

There are two types of write blocker: Native and Tailgate. A Native device uses the same interface for both in and out, for example an IDE-to-IDE write blocker. A Tailgate device uses one interface on one side and a different one on the other, for example a FireWire-to-SATA write blocker.

Write blockers also come in hardware and software forms. Some software write blockers are designed for a specific operating system; for example, one designed for Windows will not work on Linux. Most hardware write blockers are software independent. Hardware write blockers can be either IDE-to-IDE or FireWire/USB-to-IDE, and software write blockers can be either tailored to an individual operating system or an independent boot disk.
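The two ways of building a write blocker described above, sketched as command filters (an added example, not from the original post; the opcodes are standard ATA command codes, while the two lists, the function names and the command stream are constructed for illustration). It shows where the designs disagree: a command that modifies the drive but is missing from the block list still gets through, whereas the allow list rejects anything it does not know.

```python
# Added illustration: the two write-blocker designs as command filters.
# Opcodes are standard ATA command codes; the policy sets and the sample
# command stream are constructed for this example.
READ_SECTORS, READ_DMA, READ_DMA_EXT = 0x20, 0xC8, 0x25
IDENTIFY_DEVICE, READ_NATIVE_MAX_ADDRESS = 0xEC, 0xF8
WRITE_SECTORS, WRITE_DMA, WRITE_DMA_EXT = 0x30, 0xCA, 0x35
SECURITY_ERASE_UNIT = 0xF4      # erases the drive, but is not a "write" opcode
DATA_SET_MANAGEMENT = 0x06      # TRIM
UNLISTED = 0xFF                 # constructed: stands in for an opcode on neither list

# Design 1: only commands on the list reach the drive.
ALLOW_LIST = {READ_SECTORS, READ_DMA, READ_DMA_EXT,
              IDENTIFY_DEVICE, READ_NATIVE_MAX_ADDRESS}
# Design 2: the listed write commands are blocked, everything else passes.
BLOCK_LIST = {WRITE_SECTORS, WRITE_DMA, WRITE_DMA_EXT}


def allow_list_filter(opcode):
    """True if the allow-list design forwards the command to the drive."""
    return opcode in ALLOW_LIST


def block_list_filter(opcode):
    """True if the block-list design forwards the command to the drive."""
    return opcode not in BLOCK_LIST


def forwarded(stream, command_filter):
    """Opcodes from the stream that the given design lets through."""
    return [op for op in stream if command_filter(op)]


def disagreements(stream):
    """Opcodes that one design forwards and the other blocks."""
    return [op for op in stream
            if allow_list_filter(op) != block_list_filter(op)]


# Constructed command stream from the acquiring computer.
SAMPLE_STREAM = [IDENTIFY_DEVICE, READ_DMA_EXT, WRITE_DMA_EXT,
                 SECURITY_ERASE_UNIT, DATA_SET_MANAGEMENT, UNLISTED,
                 READ_SECTORS]

if __name__ == "__main__":
    for name, flt in (("allow-list", allow_list_filter),
                      ("block-list", block_list_filter)):
        print(name, [hex(op) for op in forwarded(SAMPLE_STREAM, flt)])
    print("differ on", [hex(op) for op in disagreements(SAMPLE_STREAM)])
```
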





1. Example Hardware write blocker





1.1 UltraBlock USB Write Blocker
UltraBlock Forensic USB Bridge brings secure, hardware-based write blocking to the world of USB mass storage devices. The UltraBlock USB Write Blocker supports USB 2.0 High-Speed (480 Mbit/s), USB 1.1 Full-Speed (12 Mbit/s) and Low-Speed (1.2 Mbit/s) devices conforming to the USB Mass Storage "Bulk-only" class specification. The UltraBlock USB Write Blocker works with:
 USB thumb drives,
 external USB disk drives,
 even USB-based cameras with card-reader capability.

UltraBlock USB Write Blocker Function:
The purpose of the UltraBlock USB Write Blocker is to allow forensically sound images to be extracted from USB mass storage devices. Data can be read from the USB mass storage device without fear that data on the USB device will be modified inadvertently during the acquisition process.
The difference between the UltraBlock USB Write Blocker and the other UltraBlock products is that, while the IDE, SATA, and SCSI forensic bridges can be field-switched between read-only (write-block) and read-write modes of operation, the UltraBlock USB Write Blocker is permanently configured for write-blocking operation.
The UltraBlock USB Write Blocker also incorporates a major new enhancement in the realm of forensic bridges and write blockers: a built-in LCD user interface. Through this built-in user interface, the user can view the manufacturer, model, capacity, serial number, and numerous other technical details of the attached USB device.



1.2 NoWrite FPU FireWire Write Blocker for IDE Hard Drives






NoWrite FPU is an IDE Drive Tailgate device that connects to the host computer with a FireWire interface. Plug one side into your host and the other side into an IDE or SATA hard disk. It will work with any operating system that supports FireWire. The NoWrite FPU accessory kit includes a FireWire cable, two USB cables, and a SATA cable. The external power supply is sold separately.

NoWrite FPU's Function
 Prevents the computer from writing to the hard disk.
 Previews a drive in the field
Use NoWrite to preview a drive in the field using ProDiscover, EnCase, FTK or ILook preview mode, with complete confidence that the evidence will be preserved.
 Provides Enhanced Drive Access
It returns true drive information about the attached drive, including information about Host Protected Areas. Using the included Windows® application, it can also read any addressable sector on the hard drive, even those out of reach of the operating system.








2. Example Software write blocker
2.1 SAFE Block XP
SAFE Block is a software-based write blocker that facilitates the quick and safe acquisition and/or analysis of any disk or flash storage media attached directly to your Windows workstation. It is proven to be safe and significantly faster than hardware write blocking solutions. It is designed for the Windows XP 32-bit and 64-bit operating systems.
Function:
 It allows for disk imaging speeds that are significantly faster than imaging in Windows using commercially available hardware-based write blockers.
 It also allows you to write block as many devices as are connected to the computer.
 It is application independent and works with all forensic acquisition and analysis software that works on Windows.
 In order to ensure that you are working in a forensically sound environment, it provides automatic write blocking of all directly attached media, including IDE (PATA & SATA), SCSI, FC, SAS, USB, and IEEE 1394.
 It identifies and provides access to Host Protected Areas (HPAs) and Device Configuration Overlays (DCOs) on IDE (PATA and SATA) disks connected directly via PATA or SATA controllers.
