Software Write Blocker Box


thefuf
Senior Member
 

Re: Software Write Blocker Box

Post Posted: Sep 24, 16 15:05

so I'm writing a simple GUI for dcfldd


There is no need to include an imaging tool in the write blocker. Are you trying to make an imager instead?

Also, dcfldd is a bad choice, it will likely misalign sectors in the destination after a bad sector is encountered in the source. This was confirmed by NIST (PDF) (and by me after the source code review). Also, dcfldd may run into an infinite loop in some situations. Use dc3dd instead!

I know software write blockers have to be tested and hardware write blockers are safer but if I can make it really simple, like a single purpose machine, I believe it can work.

Do you trust software write blockers?


That depends. Some forensic live distributions reportedly include a write blocker, but, in fact, they aren't.  
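Added example, not part of the posts in this thread and not dcfldd or dc3dd code: what sector misalignment after a read error looks like in an image, and how to check for it. It assumes a 512-byte sector and uses a constructed in-memory "disk" with one unreadable sector; all names (`FlakySource`, `image`, `misaligned_sectors`, `make_disk`) are hypothetical.

```python
import io

SECTOR = 512  # assumed sector size for this constructed example

class FlakySource:
    """Constructed stand-in for a disk: reading a listed bad sector raises OSError."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad = data, set(bad_sectors)

    def read_sector(self, lba):
        if lba in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]

def image(src, total_sectors, pad_on_error):
    """Copy sector by sector; on a read error either zero-fill or drop the sector."""
    out, errors = io.BytesIO(), []
    for lba in range(total_sectors):
        try:
            out.write(src.read_sector(lba))
        except OSError:
            errors.append(lba)
            if pad_on_error:
                out.write(b"\x00" * SECTOR)  # later sectors keep their offset
    return out.getvalue(), errors

def misaligned_sectors(original, img, bad_sectors):
    """Readable LBAs whose bytes are not found at offset LBA * SECTOR in the image."""
    shifted = []
    for lba in range(len(original) // SECTOR):
        lo, hi = lba * SECTOR, (lba + 1) * SECTOR
        if lba not in bad_sectors and img[lo:hi] != original[lo:hi]:
            shifted.append(lba)
    return shifted

def make_disk(n):
    """Constructed sample data: every sector is filled with its own LBA value."""
    return b"".join(bytes([lba]) * SECTOR for lba in range(n))

if __name__ == "__main__":
    disk, bad = make_disk(8), {3}
    for pad in (True, False):
        img, errs = image(FlakySource(disk, bad), 8, pad)
        print(pad, len(img), errs, misaligned_sectors(disk, img, bad))
```

When the failed sector is dropped instead of zero-filled, every sector after it lands one sector early in the image, so offsets recorded against the image no longer match the source device.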
 
  

jaclaz
Senior Member
 

Re: Software Write Blocker Box

Post Posted: Sep 24, 16 15:26

Well, as a matter of fact "hardware" write blockers like the Tableau and similar are actually "dedicated hardware and dedicated software" write blockers, the sheer fact that they have a firmware and that it is (usually) upgradeable shows their essential nature of "software" hardware blockers.
www.forensicfocus.com/...2/#6566642

What you are doing is however different, it is a "plain" dcfldd, the issues (if any) will likely come from *anything* outside it, like the kernel drivers and similar, i.e. the actual Linux distro in itself.

As an example (not necessarily your case, of course) there was a small glitch found in OSFclone (seemingly unrelated topic):
www.forensicfocus.com/...c/t=14057/
See also:
www.forensicfocus.com/...c/t=12056/

Maybe you want to procure yourself anyway one of these newish and rather convenient hardwares:
www.forensicfocus.com/...c/t=10557/
www.forensicfocus.com/...5/#6583575
and experiment with it.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 


Last edited by jaclaz on Sep 24, 16 15:34; edited 1 time in total
 
