Write Blockers: A Central Part of a Forensic Analyst's Toolbox

December 21, 2016


So, you are interested in becoming a digital forensic analyst? That is great! It is an exciting and growing field, one filled with many possibilities for the enthusiastic learner. The purpose of this article is to introduce those interested in the forensics field to one of the most important tools in their toolbox, the hardware write blocker.

Any computer forensics course or book will stress that one of the most important parts of the job is preserving the state of the evidence to be examined.  This begins at the seizure of said evidence and it carries all the way through to either the trial or when the evidence is finally destroyed or released.  This is where the write blocker makes its entrance into the forensic framework.

Once a piece of digital evidence has been identified and seized, it must be examined. Since you are not supposed to change the original evidence, or must at least keep any changes to a minimum that can be explained, there must be a way to create a forensic copy of that evidence. This copy goes by many different names, and this article isn't intended to provide a full explanation of them. Some call them bit-by-bit copies, others call them bit stream copies; it makes no difference. What you are doing is creating an exact replica of the original piece of evidence, and the hash of that copy should match the hash of the original.

In order to perform this vital part of your job, one of the tools available to you is the write blocker. The ones discussed here are pieces of hardware, as opposed to software write blockers, that sit between the evidence drive and your workstation and pass read commands through while blocking any write commands, allowing you to access the evidence without changing it. Methods of write blocking via software will be explored in a later blog.

It is important to note that proper testing procedures should be followed, as these are hardware pieces and they can fail!  Many an analyst has been surprised when they learned that their write blocker had failed and their evidence had become contaminated.  So, take the time to test your write blockers before plunging into creating a copy of your evidence.
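Imaging with hash verification, and the post-acquisition check that the original still hashes the same (the proof that nothing wrote to it), as an added Python example that is not from the article or any vendor's tool. The block size, file names and sample evidence file are all constructed here; on a real acquisition the source path would be the device behind the write blocker.

```python
"""Added example (not from the article): forensic imaging with hash verification."""
import hashlib, os, tempfile

BLOCK_SIZE = 512  # assumed sector size; real imagers read larger aligned chunks

def sha256_file(path: str) -> str:
    """Hash a file or device in blocks so a large image does not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()

def image_device(src: str, dst: str) -> dict:
    """Copy src to dst block by block, hashing the source as it is read. An unreadable
    block is zero-filled and its offset logged, as forensic imagers do for bad sectors."""
    h, offset, bad = hashlib.sha256(), 0, []
    with open(src, "rb") as s, open(dst, "wb") as d:
        while True:
            try:
                chunk = s.read(BLOCK_SIZE)
            except OSError:  # e.g. EIO from a failing sector
                bad.append(offset)
                chunk = b"\x00" * BLOCK_SIZE
                s.seek(offset + BLOCK_SIZE)
            if not chunk:
                break
            h.update(chunk)
            d.write(chunk)
            offset += len(chunk)
    return {"sha256": h.hexdigest(), "bytes": offset, "bad_blocks": bad}

def verify(src: str, dst: str, acq: dict) -> dict:
    """The image must match the acquisition hash, and so must the source: that
    second match is the evidence that nothing wrote to the original."""
    return {"image_matches": sha256_file(dst) == acq["sha256"],
            "source_unchanged": sha256_file(src) == acq["sha256"]}

def run_demo() -> tuple:
    """Image a constructed evidence file, verify, then alter the working copy
    and verify again: the copy is flagged while the original still checks out."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(10 * BLOCK_SIZE + 100))  # constructed, not sector-aligned
    acq = image_device(src, dst)
    clean = verify(src, dst, acq)
    with open(dst, "r+b") as f:  # analyst edits the working copy, never the source
        f.write(b"MODIFIED")
    return acq, clean, verify(src, dst, acq)
```

Hashing the source a second time after the examination is the same check you use when testing a blocker: if the hash has moved, something wrote through it.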

There are many different write blockers on the market, most of which are rather expensive. If you are just entering the field, then it is an investment you should consider making. Many companies provide their analysts with write blockers, but if you want to learn on your own or work on your own as a consultant, then you should strongly consider purchasing one. I would note here that working as a digital forensic consultant is a good line of work, but it does require investment on your part, not only in write blockers, but also in good forensic machines and proper training.


Fig. 1. Tableau Forensic Duplicator

Above is a photograph of what is known as a forensic duplicator. This is similar to a write blocker but operates more as a straight duplicator of a hard drive. You can use one as a write blocker, but always remember that this is not its main focus. It is very handy for taking an evidentiary hard drive and transferring it to a similar hard drive for examination. You can see them at the web page listed below.

https://www2.guidancesoftware.com/products/Pages/tableau/products/duplicators.aspx

A very popular write blocker is the UltraBlock USB kit format sold by Digital Intelligence.  I used these write blockers during my law enforcement career and found them easy to use and reliable.  They run around $300.00 and are a worthy investment if you are performing forensic imaging.

http://www.digitalintelligence.com/cart/ComputerForensicsProducts/UltraBlock-USB-Write-Blocker-Kit.html

$299.00

Fig. 2. Ultra Kit

The Ultra Kit combines a variety of different write blockers into one handy Pelican case.  They are purchased all at one time, are combined into one portable kit and are very reliable.  These do cost more than a single write blocker, but if you purchase a kit you will get a variety of write blockers that fit many different hard drive formats.  I would recommend investing in one of these if you are going to seriously enter the realm of digital forensics and want to be prepared for almost any situation that you might face.

http://www.digitalintelligence.com/products/ultrakit/

$1,799 – $4,399

Fig. 3. WiebeTech UltraDock

Another popular write blocker is the WiebeTech UltraDock. This is a handy-sized forensic write blocker that can easily fit into a "go bag" and be taken places with you. I utilize this particular write blocker routinely and have found it to be very reliable.

http://www.cru-inc.com/products/wiebetech/forensic-ultradock-v5-5/

$300.00

There are many, many more hardware write blockers on the market.  I would encourage you to research the market, find one or several that will suit your needs and take the plunge.  Granted, it is an investment, but it will definitely help you learn the tools of the trade!

6 Comments
  1. Hello

    This may sound like a silly question.

    But would I need to use a write blocker when using the XRY toolkit?

  2. Thank you for this Cybytes

  3. Hi Dave,
    Thanks for the article.
    I have a question, if you have time.
    I have a bootable USB key with various tools on
    it that I like to boot to. It boots the OS entirely
    into memory and I can remove the key immediately
    after booting. But sometimes it can be a bit unreliable getting
    a strange system to boot from the key. Occasionally
    the OS on the internal drive boots instead while
    the key is plugged in. Would a hardware write blocker
    ensure that the key remains unaltered in this
    event or is that too much to hope for?
    Thanks, Rob.

    • Rob,

      Getting a strange system to boot from your key probably has more to do with the BIOS settings for that system. You have to configure the BIOS to run from the USB key over the system’s hard-drive. There are two things that may need to be configured in the BIOS:

      1) Booting from a USB is allowed and enabled. Some (older) BIOSs may not support this, and some BIOSs may have security settings configured to prevent this from happening.

      2) The boot device priority must be configured to boot from the USB first.

      To get into the BIOS you have to press a key on the keyboard while turning on the computer. The exact key to press differs per manufacturer. Generally it’s the “Del” key or a function key such as F12. Also make sure you save the BIOS configuration changes before exiting the BIOS configuration interface.

      A system would not write to the USB when booting from it. It reads the boot sector of the drive (the first 512 bytes), which loads the boot loader, which loads the kernel, which loads the rest of the OS. Generally OSs on USB keys load into RAM directly into "live" mode, which means any changes to the OS (even files saved to it, unless specifically saved on external or persistent media) are made in RAM and will be lost when the OS is shut down or the key removed.

      It's possible to save files and OS configurations to a USB Live system as well, but something called "persistence" needs to be configured when the OS is installed on the USB drive, which generally requires the USB drive to have a special persistence partition and needs to be booted into persistence mode when prompted on start-up.

      In either case, getting a hardware write-blocker for such a device would not make a lot of sense. It would also be rare for the internal OS of that system to write to the USB without manual intervention if the USB was still plugged in when the internal OS has loaded. If you’re worried that a USB key’s OS is corrupted, you can simply reimage the device. It’s very easy to do and much cheaper that way. There’s also the benefit of installing a later version of the OS if you do it periodically.

      I hope that was helpful!

  4. Thanks for sharing Dave

  5. Thanks for the advice!
