Digital Forensics Tutorials – Write Blocking
Explanation Section
Write Blocking – Definition
Write blocking is the practice of ensuring that the contents of an evidence drive cannot be modified for
the duration of an investigation. It allows the data on a drive to be acquired without any possibility of
accidentally altering the drive's contents; without it, the operating system alone may write to a drive the
moment it is attached (journal replay, timestamp updates, indexing or recycle-bin metadata) even if the
examiner never touches a file. Write blockers do this by letting read commands pass while blocking write
commands, hence their name. This can be done one of two ways: with either hardware or software write
blockers.
Hardware Write Blocking - Definition
Hardware write blockers are generally small devices that sit between the evidence drive and the examiner's
workstation, connecting to the drive via IDE, USB, or SATA. The write blocker then disallows all write
commands to the drive. In professional workplaces these are often preferred because they do not rely on an
underlying operating system or software-based subsystem and give a clear visual indication of function
through physical lights and switches. They are also easier to understand for non-technical users. However,
since they are physical devices, more equipment must be carried around and checked for failure and
breakage, and each unit should be validated before use (for example by confirming that a write attempted
through the blocker fails and that the test drive's hash is unchanged afterwards).
Software Write Blocking - Definition
Software write blockers such as SAFE Block by ForensicSoft are also commonly used, and have the same
goal as their hardware-based counterparts. Software write blockers have several advantages: they are
installed directly on the computer on which you are performing the data acquisition, so no additional
hardware is necessary, and in general you can use them with any existing interface on your investigative
machine without purchasing new hardware. However, they depend on the underlying hardware and
software (e.g. the OS and its drivers). That dependency adds complexity and introduces the possibility of
failure through updates, upgrades, etc. However, since free versions of write blocking software exist, we
will be using these.
In This Tutorial
Once a disk image has been created, the immediate next steps are to hash it and to write block it, so that
the integrity of the evidence file can be demonstrated: the hash taken at acquisition is the baseline, and
re-hashing the image at any later point shows whether it has changed. Read-only (write blocked) modes
are built into several of the free programs we have used or have available, including WinHex and
DiskExplorer NTFS. Alternatively, a weaker form of write blocking is to simply mark the disk image file as
read-only. This guards against accidental writes by the tools you run, but anyone who can change the
file's properties can clear the attribute again, so it is no substitute for keeping and re-checking the hash.
In this tutorial we will go through the process of creating a write blocked disk image in order to prevent
changes in the course of the investigation.
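The hash-then-lock-then-verify sequence described above, as an added example that is not part of the original tutorial. It uses a constructed byte string in place of 'Georges Drive Image.001' (the file name and scratch directory are assumptions), applies the same read-only attribute that the Properties dialog sets (on Windows os.chmod maps the cleared write bit onto that attribute), and then shows the caveat: once the attribute is cleared, writes go through and only the hash comparison reveals the change.

```python
"""Hash an evidence image, lock it read-only, and prove the lock held.

Added example, not part of the original tutorial. A constructed byte string
stands in for 'Georges Drive Image.001'; the file and directory names are
assumptions made for the demo.
"""
import hashlib
import io
import os
import shutil
import stat
import tempfile

# Constructed stand-in for a disk image (filler plus a boot signature);
# any real image file is handled the same way.
SAMPLE_IMAGE_BYTES = b"FAKE-NTFS-IMAGE " * 256 + b"\x55\xaa"


def hash_stream(fh, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} from a single chunked pass, so a
    multi-GB image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def set_read_only(path):
    """Clear every write bit. On Windows os.chmod maps this onto the file's
    read-only attribute, the same flag the Properties dialog toggles."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def clear_read_only(path):
    os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)


def is_read_only(path):
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def attempt_write(path, data):
    """Overwrite the start of the file in place. True if the write went
    through, False if the OS refused it (what a write block should do)."""
    try:
        with open(path, "r+b") as fh:
            fh.write(data)
        return True
    except PermissionError:
        return False


def verify(path, baseline):
    """Re-hash with the baseline's algorithms and compare."""
    return hash_file(path, tuple(baseline)) == baseline


def is_privileged():
    """root on POSIX ignores permission bits, so there the read-only flag only
    stops unprivileged accounts. Windows honours the attribute for
    Administrator too, until someone clears it."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


def demo():
    """Run hash -> lock -> verify -> unlock on a scratch copy of the image."""
    workdir = tempfile.mkdtemp(prefix="writeblock-demo-")
    image = os.path.join(workdir, "Georges Drive Image.001")  # assumed name
    try:
        with open(image, "wb") as fh:
            fh.write(SAMPLE_IMAGE_BYTES)
        baseline = hash_file(image)  # hash first, before any tool touches it
        set_read_only(image)
        result = {
            "baseline": baseline,
            "privileged": is_privileged(),
            "read_only_flag_set": is_read_only(image),
            "write_refused_while_locked": not attempt_write(image, b"TAMPER"),
        }
        result["hash_verified_after_lock"] = verify(image, baseline)
        # The attribute only guards against accidents: anyone who can edit the
        # file's properties can clear it, after which writes succeed and only
        # the hash comparison reveals the change.
        clear_read_only(image)
        result["write_after_unlock_succeeded"] = attempt_write(image, b"TAMPER")
        result["hash_verified_after_unlock"] = verify(image, baseline)
        return result
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as an unprivileged user and the locked write is refused and the baseline still verifies; after the attribute is cleared the tamper succeeds and verification fails, which is exactly the evidence you want the baseline hash to give you. Run as root on Linux and the "locked" write succeeds, which is the practical reason the read-only attribute is described as a form of write blocking rather than a replacement for a hardware blocker.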
Tutorial Section
LEARNING OBJECTIVES:
Write block a disk image file using WinHex
Write block a disk image file using DiskExplorer NTFS
Write block a disk image file using file properties and read-only
Part 1 – Write Blocking a Disk Image File Using WinHex
1. Login to the Virtual Lab website (https://v5.unm.edu/cloud/org/ialab), and enter the ‘NEST Digital
Forensics’ vApp. Click on the Windows 8 machine to open the VM.
2. Launch WinHex. Click File >> Open and select ‘Georges Drive Image.001’. You will see something similar
to the screen below.
3. In the navigation bar at the top of the program, navigate to Options >> Edit Mode. A small window
will appear offering three choices: the default edit mode, an in-place edit mode, or read-only mode,
which is write-protected. Select read-only mode and click OK. WinHex will now refuse to save changes to
the image; note that this setting applies to WinHex only, so other tools opening the same file are not
restricted by it.