reviewed by David Kovar of NetCerto, Inc. (www.netcerto.com)

Digital evidence needs to come from somewhere, right? It doesn’t appear, “forensically sound”, from out of the blue. And the phrase “forensically sound” is key – the evidence needs to be acquired in a manner that ensures that the process doesn’t modify the evidence in any manner. There are exceptions to this – cell phones and live acquisitions come to mind – but even then, the process should be minimally invasive.

The key to this acquisition process is the ubiquitous write blocker, probably the most important tool in any acquisition kit. A write blocker was my first forensics hardware purchase and I keep my collection of write blockers up to date religiously.

The differences between write blockers used to be fairly significant in terms of quality, speed, features, and price. In the last year or two the number of options has expanded somewhat, the major vendors all have similar features, and the prices have come down. The major difference appears to be in the layout, form factor, and physical design of the units.

Testing

Units under test

Guidance FastBloc2 FE
WiebeTech Forensic UltraDock V4
Tableau T35es

The number of write blocker options continues to grow (see "Areas for future research" below). In the interest of keeping this review focused, I am only covering portable hardware write blockers. The two major vendors in this area are Tableau and WiebeTech though ICS just came out with a new product that looks very interesting. Since the majority of the drives we are seeing are SATA drives, the review focuses on just SATA to SATA versions, though Guidance FastBloc2 FE is included for comparison purposes.

Test harness

The test harness was my workhorse forensics workstation, a two year old Dell running XP, an aftermarket eSATA interface card, a USB 2.0 interface, a Firewire 400 interface, and a RAID 5 array.

All of the drives were imaged with EnCase v6.13.

Further research could be conducted with different imaging applications and different hardware.

Test disks

The HPA partition was created on the IDE drive and verified at the end of the tests with the hdparm command to ensure it was still present. Working with HPA partitions is touchy, and doing so moves into a grey area as registers on the disk are written to make the HPA available. These registers must be reset prior to shutting down the drive or the drive could be left in a state that is different from the starting condition.

Test procedures

Each of the three drives was tested with each write blocker. If the write blocker supported more than one host interface, each of the three drives was tested with each interface.

EnCase v6.13 was used to conduct the tests. The default imaging options were used except that compression was turned off for all tests.

The acquisition was allowed to run to completion for each test and time required for acquisition only was noted. The verification step was skipped in all cases.

Areas for future research

1) Did not test with drives containing bad sectors.
2) Better HPA/DCO coverage.
3) Examine the impact of different cables, imaging applications, operating systems, and RAID arrays.

Other write blocking solutions

As I wrote this review, I kept thinking “what about this other option …..” These include:

- Software write blockers – Registry keys and EnCase SE for example.
- Hardware imagers that can be used as write blockers.
- Operating systems and bootable CD collection tools that can mount a device read only – OS X, various Linux distros, Helix, SMART.
- Hardware solutions designed to install in a desktop system.

These are all viable options worth consideration and inclusion in an acquisition kit.