Making complex data simple and compelling
From digital device to digital evidence
Unlock your vehicle's digital evidence potential
Forensic Analysis and Enhancement
Investigating and analyzing financial records
Gain access to the online accounts of deceased loved ones
Clear, precise evidence for a messy world
Expert reports to suit your specific needs
We can locate people anywhere
Stop worrying and learn the truth
Prevent, Detect, Respond To Cyberattacks
First response is crucial. Every minute counts.
The first response is critical to reduce liability
Detection & Removing Spyware Services
Reduce your electronic risk from digital transmittals
Find out who you are really talking to
Experienced, Confidential Services
Swift, professional incident response
Complicated cases require compelling digital facts
Find, recover and document digital evidence
Bring solid evidence before a judge
Cases can be investigated using Social Media
Divorce, custody battles, and other
Win the most important battle of your life
Everything you need
Effective Expert Witness in Court
Evidence shows who is telling the truth
Subpoena power yields strong evidence
Digital evidence can build a strong defense
In this article we’re going to talk about different types of software write blockers.
Unfortunatelly, we can tell you nothing about this type of write blockers. A lot of examiners think that they are useless, because one of default Linux features is mounting drives in “read only” mode. But some researchers found bugs in Linux kernel code, due to which attached drives could be available for writing operations (despite the fact they are connected in “read only” mode) . So, because of such bugs, some Linux-based forensic Live-CDs mount attached drives in writable mode.
Microsoft DOS operating system turns to drives via Interrupt 13, Interrupt 21 and similar. To block writing operations, an examiner must block these interrupts.
PDBLOCK (Physical Drive BLOCKer, by Digital Intelligence Corporate) – the most interesting thing about this write blocker: you can still buy it for 34.95$ . According to its developers, this piece of software can block writing operations in different DOS versions (DOS 6.22, DOS 7.1) and old Windows versions (Windows 3.1 and Windows 95).
You could see RCMP HDL software write blocker in National Institute of Standards and Technology (NIST) testing reports. Unfortunatelly, we couldn’t buy it or got it as LE officers. We have the same situation with Safeback 2. In a number of computer forensics books (for example, Incident Response & Computer Forensics by Jason T. Luttgens, Matthew Pepe, Kevin Mandia) Safeback 2 is described as the most common utility for drives imaging. But we could neither buy it nor get it by any other means.
In 1999 Mark Russinovich and Bryce Cogswell released system driver NTFS File System Driver for DOS/Windows V3.0R+. This driver allowed to mount NTFS file systems in read only mode in DOS, Windows 3.1 and Windows 95. It should be noted that this driver works only for newer versions of NTFS.
DIBLOCK (Computer Forensics Ltd.) is an utility included in DIBS Analyzer (DIBS USA Inc.) and is the first software write blocker developed special for Windows (Windows 3.11, Windows 95, Windows 98 and Windows 2000).
Figure 1. DIBLOCK
With Service Pack 2 for Windows XP Microsoft allowed to block writing operations via USB by changing registry values . This feature is also available in newer versions of Windows OS. This feature became very popular among computer forensics community. AccessData even released a document describing it . Also, a lot of software write blockers based on this feature were released (most of them are available now). National Center for Forensic Science (NCFS) also released such utulity – NCFS Software Write-block XP.
Figure 2. NCFS Software Write-block XP
National Center for Forensic Science even wrote a short instruction on how to validate this programm:
Step Validation by National Center for Forensic Science
a) Insert USB media into PC
b) Wipe USB Media (with Validation) using Encase
c) Format USB Media using Windows XP
d) Copy data and Deleted some data from USB media
e) Create 3 folders for imaging onto Desktop (Step-1, Step-2, Step-5)
f) Image the USB media and create MD5 Hash value with Access Data Imager
a) Remove and Reinsert USB media from PC
b) Copy data and Deleted some data from the USB media
c) Image media and create a MD5 Hash value of the USB media
d) Validate Image2 MD5 Hash is DIFFERENT hash value of Image #1
a) Remove USB media from PC
b) Start NCFS Write-Block
c) Select Lock, Select Ok, Auto-Reboot
b) Attempt to copy files onto USB media
c) Attempt to delete files from USB media
d) Attempt to Format USB media
a) Image USB media and create MD5 Hash value of the USB media
b) Validate Image3 MD5 Hash is the SAME MD5 hash value of Image2
Unfortunatelly, this feature blocks writing operations only by software which uses Windows drivers. That’s why after a number of incidents with data writing on examined drives in digital forensics labs this piece of software was deleted from National Center for Forensic Science website, and AccessData started to recommend it only for training.
ACES released a number of software write blockers under joint name – WriteBlocker. Each version of WriteBlocker supported one version of Windows OS. For example, WriteBlocker XP supported write-blocking for all devices including CD and DVD, USB and hard drives (excluding system drive) in Microsoft Windows XP.
Figure 3. WriteBlocker XP
Like ACES, ForensicSoft, Inc. released a few software write blockers under joint name SAFE Block , which blocked writing on all devices excluding system drive. Their write blockers support different versions of Windows OS – from XP to 10, both 32 and 64 bit.
Figure 4. SAFE Block for Windows 7
Guidance Software released software write blocker as a standalone module for EnCase. The FastBloc® SE (Software Edition) module is a collection of tools designed to control reads and writes to a drive attached to a computer through USB, FireWire, and SCSI connections. It enables the safe acquisition of subject media in Windows to an EnCase evidence file.
Figure 5. FastBlock SE
Why are software write blockers not widely used? It’s a difficult question. Probably, it’s due to their prices (you can buy a hardware write blocker for the same money), or users just psychologically trust more on hardware write blockers. Maybe incidents with Write Protect USB Devices in Windows XP played its role (we wrote about it in the main part of the article). Anyway, we would be happy to hear about your experience with software write blockers.
We would like to thank Jacopo Lazari for help with this article.
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
Save my name, email, and website in this browser for the next time I comment.
Speak to a Specialist Now