
Software write blockers overview

In this article we’re going to talk about different types of software write blockers.

Linux write blockers

Unfortunately, we can tell you little about this type of write blocker. Many examiners consider them useless, because mounting drives in read-only mode is a standard Linux feature. However, researchers have found bugs in the Linux kernel that can leave an attached drive open to write operations even though it was mounted read-only [1]. Because of such bugs, some Linux-based forensic Live CDs end up with attached drives effectively writable.

DOS write blockers

The Microsoft DOS operating system accesses drives through Interrupt 13h (BIOS disk services), Interrupt 21h (DOS services) and similar interrupts. To block write operations, an examiner's tool must intercept these interrupts and refuse the write calls.

PDBLOCK

PDBLOCK (Physical Drive BLOCKer, by Digital Intelligence Corporation) is notable mainly because you can still buy it, for $34.95 [2]. According to its developers, this software can block write operations in different DOS versions (DOS 6.22, DOS 7.1) and old Windows versions (Windows 3.1 and Windows 95).

RCMP HDL

You can find the RCMP HDL software write blocker in National Institute of Standards and Technology (NIST) testing reports [3]. Unfortunately, we could neither buy it nor obtain it as law enforcement (LE) officers. The situation with Safeback 2 is the same. A number of computer forensics books (for example, Incident Response & Computer Forensics by Jason T. Luttgens, Matthew Pepe and Kevin Mandia) describe Safeback 2 as the most common utility for drive imaging, but we could neither buy it nor get it by any other means.

NTFS File System Driver for DOS/Windows V3.0R+

In 1999 Mark Russinovich and Bryce Cogswell released the system driver NTFS File System Driver for DOS/Windows V3.0R+. This driver made it possible to mount NTFS file systems read-only in DOS, Windows 3.1 and Windows 95. It should be noted that this driver works only with newer versions of NTFS.

Software Write Blockers for Windows

DIBLOCK

DIBLOCK (Computer Forensics Ltd.) is a utility included in DIBS Analyzer (DIBS USA Inc.) and is the first software write blocker developed specifically for Windows (Windows 3.11, Windows 95, Windows 98 and Windows 2000).

Figure 1. DIBLOCK

Write Protect USB Devices in Windows XP

With Service Pack 2 for Windows XP, Microsoft made it possible to block write operations to USB storage devices by changing registry values [4]. This feature is also available in newer versions of Windows. It became very popular in the computer forensics community; AccessData even released a document describing it [5], and a lot of software write blockers based on this feature were released (most of them are still available). The National Center for Forensic Science (NCFS) also released such a utility, NCFS Software Write-block XP.

Figure 2. NCFS Software Write-block XP

The National Center for Forensic Science even wrote a short instruction on how to validate this program:

Step-by-step validation by the National Center for Forensic Science

Step #1

a) Insert USB media into PC

b) Wipe USB Media (with Validation) using Encase

c) Format USB Media using Windows XP

d) Copy data to and delete some data from the USB media

e) Create 3 folders for imaging onto Desktop (Step-1, Step-2, Step-5)

f) Image the USB media and create MD5 Hash value with Access Data Imager

Step #2

a) Remove and Reinsert USB media from PC

b) Copy data to and delete some data from the USB media

c) Image media and create a MD5 Hash value of the USB media

d) Validate that the Image2 MD5 hash is DIFFERENT from the Image #1 hash value

Step #3

a) Remove USB media from PC

b) Start NCFS Write-Block

c) Select Lock, Select Ok, Auto-Reboot

Step #4

a) Insert USB media into PC

b) Attempt to copy files onto USB media

c) Attempt to delete files from USB media

d) Attempt to Format USB media

Step #5

a) Image USB media and create MD5 Hash value of the USB media

b) Validate that the Image3 MD5 hash is the SAME as the Image2 MD5 hash value
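As an added example (not from the original article and not NCFS's own tool), the PowerShell script below sets the StorageDevicePolicies\WriteProtect registry value that the Windows XP SP2 feature described above relies on (documented in KB823732, reference [4]) and then performs the hash comparison from Steps 2d and 5b of the NCFS procedure. It assumes an elevated session, PowerShell 4 or later for Get-FileHash (so a newer Windows than XP), and that the three images were saved as image1.dd, image2.dd and image3.dd in the Step-1, Step-2 and Step-5 folders; those file names are assumptions.

```powershell
# Added example, not part of the original article or the NCFS procedure.
# Registry value behind the XP SP2 feature (KB823732):
# StorageDevicePolicies\WriteProtect = 1 makes the USB storage stack refuse writes.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbWriteProtect {
    param([bool]$Enabled)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'WriteProtect' -Type DWord -Value ([int]$Enabled)
}

function Get-UsbWriteProtect {
    if (-not (Test-Path $policyKey)) { return $false }
    $v = Get-ItemProperty -Path $policyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.WriteProtect -eq 1)
}

function Get-ImageMd5 {
    param([string]$Path)
    # Get-FileHash needs PowerShell 4+; MD5 is used only to match the NCFS steps.
    return (Get-FileHash -Path $Path -Algorithm MD5).Hash
}

# Hash comparison from Steps 2d and 5b. The registry value alone proves nothing:
# it only stops writers that go through the Windows driver stack, so the image
# hashes are the actual evidence that the attempted writes in Step 4 had no effect.
function Test-NcfsValidation {
    param([string]$Image1, [string]$Image2, [string]$Image3)
    $h1 = Get-ImageMd5 $Image1
    $h2 = Get-ImageMd5 $Image2
    $h3 = Get-ImageMd5 $Image3
    $changedBeforeBlock = ($h1 -ne $h2)   # Step 2d: image 2 must differ from image 1
    $unchangedAfterBlock = ($h2 -eq $h3)  # Step 5b: image 3 must equal image 2
    [pscustomobject]@{
        Image1Md5 = $h1; Image2Md5 = $h2; Image3Md5 = $h3
        ChangedBeforeBlock = $changedBeforeBlock
        UnchangedAfterBlock = $unchangedAfterBlock
        Passed = ($changedBeforeBlock -and $unchangedAfterBlock)
    }
}

# Step 3b/3c equivalent: enable the value, then reboot before Step 4.
Set-UsbWriteProtect -Enabled $true
"WriteProtect active: $(Get-UsbWriteProtect)"
# Step 5b: after imaging in Step 5, compare the three images (file names are assumed).
$desktop = [Environment]::GetFolderPath('Desktop')
Test-NcfsValidation -Image1 "$desktop\Step-1\image1.dd" `
                    -Image2 "$desktop\Step-2\image2.dd" `
                    -Image3 "$desktop\Step-5\image3.dd"
```

Run the first part, reboot, perform Step 4, image the media, and only then run Test-NcfsValidation; a Passed value of $true means the attempted writes left no trace in the image.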

Unfortunately, this feature blocks write operations only from software that goes through the Windows drivers. That is why, after a number of incidents in digital forensics labs in which data was written to examined drives, this software was removed from the National Center for Forensic Science website, and AccessData started to recommend it only for training.

WriteBlocker

ACES released a number of software write blockers under the common name WriteBlocker. Each version of WriteBlocker supported one version of Windows. For example, WriteBlocker XP supported write-blocking for all devices in Microsoft Windows XP, including CD and DVD drives, USB devices and hard drives (excluding the system drive).

Figure 3. WriteBlocker XP

SAFE Block

Like ACES, ForensicSoft, Inc. released several software write blockers under the common name SAFE Block [6], which block writing to all devices except the system drive. Their write blockers support different versions of Windows, from XP to 10, both 32-bit and 64-bit.

Figure 4. SAFE Block for Windows 7

FastBloc SE

Guidance Software released a software write blocker as a standalone module for EnCase. The FastBloc® SE (Software Edition) module is a collection of tools designed to control reads and writes to a drive attached to a computer through USB, FireWire and SCSI connections. It enables the safe acquisition of subject media in Windows into an EnCase evidence file.

Figure 5. FastBloc SE

Discussion

Why are software write blockers not widely used? It is a difficult question. Probably it is due to their prices (you can buy a hardware write blocker for the same money), or users simply trust hardware write blockers more. Perhaps the incidents with Write Protect USB Devices in Windows XP (described in the main part of this article) also played their role. In any case, we would be happy to hear about your experience with software write blockers.

References:

  1. Linux write blocker https://github.com/msuhanov/Linux-write-blocker/blob/master/README.md#background
  2. PDBLOCK https://www.digitalintelligence.com/software/disoftware/pdblock/
  3. Software Write Block http://www.cftt.nist.gov/software_write_block.htm
  4. How can I prevent users from connecting to a USB storage device? https://support.microsoft.com/en-us/kb/823732
  5. Write Protect USB Devices in Windows XP https://www.syntricate.com/files/USB%20Write%20Protect.pdf
  6. Software Write Blockers http://www.forensicsoft.com/safeblock.php

We would like to thank Jacopo Lazari for help with this article.

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics