Digital evidence is our major issue of concern in Forensic investigation. Forensic investigators need to absolutely assure of the fact that the data they obtain as digital evidence is not altered during the capture, analysis, and control. In the courtroom everyone including attorneys, judges, jurors need to feel confident that digital evidence has not been tampered and is legitimate. How can you be assured that digital evidence has not tampered?
According to the NIST-National Institute of Standards and Technology, the investigator follows a certain set of rules and procedures to prevent the execution of any program that might modify the contents of the disk. Some of these procedures are:
- Use an operating system and other software that is trusted to not to write anything to the disk without any explicit instruction.
- Use hard disk write block tools to prevent any hard disk writes.
- Wherever possible, set a hardware jumper to make the disk read-only.
In this article we will be discussing the following key areas:
- What are Write Blockers?
- What are the Types of Write Blockers?
- What to look for in a Write Blocker?
What are Write Blockers?
Write Blocker is a tool designed to prevent any write access to the hard disk, thus permitting read-only access to the data storage devices without compromising the integrity of the data. A write blocking if used correctly can guarantee the protection of the chain of custody. NIST has issued a set of general guidelines for write blocking requirements:
- The write-blocker tool shall not allow a protected drive to be changed.
- The write-blocker tool shall not prevent any operations to a drive that is not protected.
- The write-blocker tool shall not prevent obtaining any information from or about any drive.
What are the different types of Write Blockers?
Write Blockers are basically of 2 types: Hardware Write Blocker and Software Write Blocker. Both types of write blockers are meant for the same purpose that is to prevent any writes to the storage devices. Let’s discuss each type of write blocker in detail.
Hardware Write Blocker:
Hardware write blockers are used to intercept and block any modifying command from ever reaching the storage device. Some of its features include:
- They offer monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.
- They provide built-in interfaces to a number of storage devices.
- Hardware write blockers can connect to other types of storage with adapters.
- Hardware devices that write block also provide a visual indication of function through LEDs and switches. This makes them easy to use and makes functionality clear to users.
Challenges of using Hardware Write Blockers:
Let’s discuss some of the challenges of using hardware-based write blockers.
- Hardware write blocking devices are very expensive.
- They are awkward to use since they require a physical connection and a different connector for each type of interface for IDE, SCSI, USB, etc.
- Hardware write blockers are comparatively slower as they need to perform protocol conversions.
Software Write Blocker:
Software write blockers are installed on a forensic workstation. According to NIST’s specification on software Write Blocker, a software write blocker tool operates by monitoring and filtering drive I/O commands sent from an application or OS through a given access interface. They provide the ability to simultaneously write block as many disk devices as are connected to a computer without the need for multiple expensive hardware write blocking devices. Some of the features that are provided by different write blocking tools are:
- The user can control automatic write blocking policies for fixed and/or removable disks.
- The user can have write blocking tool remember each fixed device’s blocked or un-blocked status for ease of use on media repeatedly used on a workstation/laptop.
- Some of the write blocking tools provide a GUI interface that allows the user the ability to block and unblock any disk or flash storage device.
Benefits of using Software Write Blockers:
There are some benefits in using Software Write Blockers instead of Hardware Write Blockers.
- They offer faster imaging than using hardware-based write blockers.
- Software write blockers are more affordable than the hardware ones as they don’t need a separate physical connector to be attached to the device for write blocking.
What to look for in a Write Blocker?
When buying a write blocker, the required features depend on your specific needs. However, there are some general points to keep in mind that we recommend to customers:
- It is recommended to use hardware write blockers over software write blockers, even though hardware write blockers are expensive and slow. This is due to the fact that hardware write blockers operate independently from your computer system. On the other hand, Software write blocking tools can be affected by OS updates and many other variables.
- Hardware write blockers or external write blockers have more visual indicators like red/ Green lights and a text screen to verify that your data is protected.
- Make sure that the write blocker is compatible with Advanced Format drives. Keep in mind to choose a write blocker supports the most common Advanced Format type of 512e (emulated 512 bytes).
- Some write blockers allow you to switch between the read-only and read/ write modes. Go for a write blocker that allows the switching for the sake of convenience in the cases where you need to connect to a SATA or IDE Drives.
References: – https://en.wikipedia.org/wiki/Forensic_disk_controller
Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.