USB Write Blocker

<<

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Wed Dec 10, 2008 12:26 pm

USB Write Blocker

Does anyone have a suggestion for a (relatively cheap) USB write blocker? I know there are some USB flash drives that have a read only switch, as well as SD cards, but I would like to be able to use any type of USB storage device as read only.
Thanks!
Put that in your pipe and grep it!
<<

pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Wed Dec 10, 2008 3:16 pm

Re: USB Write Blocker

We always used the ones from Digital Intelligence, but I wouldn't call them cheap. In fact, I'd say they were pretty damn expensive if you couldn't expense them back to your company or a client.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Thu Dec 11, 2008 12:15 am

Re: USB Write Blocker

That's what I figured. It's pretty much the only one I can find online. :P
Put that in your pipe and grep it!
<<

jimbob

Post Thu Dec 11, 2008 4:24 am

Re: USB Write Blocker

One cheap option is to use the Helix forensic boot disk. There's no special software write blocking but you can be sure that it won't automagically mount your USB devices in read/write mode.

On a similar subject I have seen IDE/SATA USB bridges without write blocking on sale for about £30. This would give you the same connection options as many forensic write blockers without the write protection. Combine this with Helix and rigid discipline and you have a potential solution.

Jimbob
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Dec 11, 2008 5:22 am

Re: USB Write Blocker

jimbob wrote: Combine this with Helix and rigid discipline and you have a potential solution.


Jimbob, this is a good solution and is how I currently work in my lab for testing and playing.

However, I'm not a forensic guy and haven't had anything come close to requiring legal attention. I'd always assumed that this method, whilst it 'works', is going to get destroyed if the investigation ever comes to court as you can't prove that you did everything right. Alternatively if you used a write-blocker then there couldn't be any unauthorised/unintentional alterations to the evidence (assuming your blocker works of course....)

Obviously laws vary between states/countries, but can someone with better knowledge provide a quick 'litmus test' yes or no?

Cheers,
RR
<<

jimbob

Post Thu Dec 11, 2008 9:39 am

Re: USB Write Blocker

You can't prove you did everything right with a write blocker alone. If you did not test the write blocker before and after evidence acquisition you can't prove it wasn't faulty. Personally if I was ever asked to give expert witness testimony I would not like to be on the stand saying I hadn't used a write blocker, but sound methodology should be enough. After all forensic scientists handle more volatile and corruptible evidence all the time.

Jimbob
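The before-and-after blocker test described in the post above can be scripted. The following is an added example, not part of the original thread: it hashes a scratch test device (never evidence) per chunk, runs a caller-supplied write attempt, re-hashes, and reports which offsets changed. The function names, the 1 MiB chunk size and the `attempt_write` callback are assumptions made for illustration.

```python
import hashlib

CHUNK = 1024 * 1024  # per-chunk granularity; 1 MiB is an assumed value

def chunk_digests(path, chunk=CHUNK):
    """Return (overall SHA-256 hex, [per-chunk SHA-256 hex]) for a device or image."""
    overall, parts = hashlib.sha256(), []
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            overall.update(block)
            parts.append(hashlib.sha256(block).hexdigest())
    return overall.hexdigest(), parts

def compare_runs(before, after, chunk=CHUNK):
    """Return byte offsets of chunks that differ between two chunk_digests() results."""
    b_parts, a_parts = before[1], after[1]
    changed = [i * chunk for i, (b, a) in enumerate(zip(b_parts, a_parts)) if b != a]
    if len(b_parts) != len(a_parts):
        # The medium grew or shrank: flag the first offset past the common length.
        changed.append(min(len(b_parts), len(a_parts)) * chunk)
    return changed

def validate_blocker(path, attempt_write, chunk=CHUNK):
    """Hash, attempt a write through the blocker, hash again, and report.

    `path` must be a sacrificial test drive attached behind the blocker.
    `attempt_write` is a hypothetical callback that tries to modify `path`.
    """
    before = chunk_digests(path, chunk)
    try:
        attempt_write(path)
        write_error = None
    except OSError as exc:  # a working blocker usually surfaces as an I/O error
        write_error = str(exc)
    after = chunk_digests(path, chunk)
    changed = compare_runs(before, after, chunk)
    return {
        "sha256_before": before[0],
        "sha256_after": after[0],
        "write_rejected": write_error is not None,
        "changed_offsets": changed,
        "passed": not changed,  # pass only if no chunk on the medium changed
    }
```

On real hardware, detach and re-attach the test drive before the second hash so the read comes from the medium rather than the operating system's cache, and keep the returned report with the case notes for both the pre-acquisition and post-acquisition runs.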
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Dec 11, 2008 6:45 pm

Re: USB Write Blocker

We use the Digital Intelligence ones too. Helix, Raptor, and a couple of other forensics boot discs work very well too. You still have to be careful.

One other we use in case of emergency and as a last option is the USB write protect option in XP and Vista. You can configure this through Group Policies or the Registry. There is also software that will switch the setting on and off nicely. From what I understand, this method has been used a few times and was accepted in court.
~~~~~~~~~~~~~~
Ketchup
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Dec 12, 2008 3:47 am

Re: USB Write Blocker

Thanks for the insights guys.

I wasn't expecting the legal profession to put much faith in techies stating 'we did it right your honour'. Especially not considering some of the previous cases mixing new technology with the legal system.
<<

pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Fri Dec 12, 2008 2:16 pm

Re: USB Write Blocker

RR, what's funny about that statement is that almost all forensics analysts tend to fall back to "I know what I'm doing and I am saying that I did it correctly."  The defense lawyers will always attempt to attack your abilities and knowledge first because it is the most common area of weakness.  If you can't demonstrate that you know what you're doing then you'll probably get exposed.  If you can demonstrate it on the stand, then they'll attack your tools.  This is harder to do because most of them have been vetted already, but there is always a chance that they can convince the court that something went wrong.  Hardware write blockers have a known failure rate, there can always be something in the tool/platform settings that could screw up the evidence, a cosmic gamma burst could have randomly scrambled those bits on the hard drive so that they magically turned into a picture of a little boy in a sprinkler, etc.  This is more of an exercise in confusing/scaring the jury.  If they can't get you on your knowledge or your tools, then they'll try to attack your integrity.  At the end of the day, everyone who testifies is basically saying "I did what I said I did."
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sat Dec 13, 2008 11:23 am

Re: USB Write Blocker

pseud0 wrote: RR, what's funny about that statement is that almost all forensics analysts tend to fall back to "I know what I'm doing and I am saying that I did it correctly."
...
At the end of the day, everyone who testifies is basically saying "I did what I said I did."


ummm, hadn't thought of it that way. Personally I was hoping that if I was ever in the situation of giving evidence to a court I'd be able to have some fool-proof technical process proving that what I'm saying is the truth. Probably because I'm brilliant in an argument and always come up with the best retorts; an hour after I've already lost the debate.....

In hindsight given my recent, and comical, stint of jury service I should have known this wasn't possible.
