Software Write Blocker Box

 
  

calimelo
Senior Member
 

Software Write Blocker Box

Posted: Sep 24, 16 14:08

Hi all,

I'm working on a project to make a cheap write blocker box. My main focus is on installing a basic Linux distro on a Raspberry Pi 3, a 3.5 inch touchscreen, a USB gigabit Ethernet card. I couldn't compile a GUI imager like guymager for the Raspberry's ARM processor, so I'm writing a simple GUI for dcfldd. The destination drive would be a network storage, mounted as a CIFS share.

I have 2 TD3s at the lab, with other write blockers, but I want to come up with a solution that is cheaper and a little more flexible.

I know software write blockers have to be tested and hardware write blockers are safer, but if I can make it really simple, like a single purpose machine, I believe it can work.

Do you trust software write blockers?

Regards
_________________
"Simplicity is the ultimate sophistication." 
 
  

thefuf
Senior Member
 

Re: Software Write Blocker Box

Posted: Sep 24, 16 15:05

so I'm writing a simple GUI for dcfldd


There is no need to include an imaging tool in the write blocker. Are you trying to make an imager instead?

Also, dcfldd is a bad choice, it will likely misalign sectors in the destination after a bad sector is encountered in the source. This was confirmed by NIST (PDF) (and by me after the source code review). Also, dcfldd may run into an infinite loop in some situations. Use dc3dd instead!

I know software write blockers have to be tested and hardware write blockers are safer, but if I can make it really simple, like a single purpose machine, I believe it can work.

Do you trust software write blockers?


That depends. Some forensic live distributions reportedly include a write blocker, but, in fact, they aren't.  
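
To illustrate the misalignment failure mode mentioned in the post above, here is an added example (not from the thread, and not dcfldd's or dc3dd's code): a constructed in-memory disk with two unreadable sectors is imaged once with zero padding and once by dropping the failed sectors, and a check reports which readable sectors end up at the wrong offset. The names `FlakyDisk`, `image` and `misaligned_sectors` are hypothetical.

```python
import io

SECTOR = 512

class FlakyDisk:
    """Constructed in-memory source whose listed sectors raise on read."""
    def __init__(self, sectors, bad):
        self.sectors, self.bad = sectors, set(bad)

    def read(self, lba, count=1):
        if self.bad & set(range(lba, lba + count)):
            raise OSError(f"read error in LBA {lba}..{lba + count - 1}")
        return b"".join(self.sectors[lba:lba + count])

def image(disk, pad_errors, block=4):
    """Image block by block, retrying a failed block one sector at a time.
    pad_errors=True writes zeros for an unreadable sector; False drops it."""
    out, unreadable = io.BytesIO(), []
    total = len(disk.sectors)
    for start in range(0, total, block):
        count = min(block, total - start)
        try:
            out.write(disk.read(start, count))
            continue
        except OSError:
            pass  # fall back to single-sector reads for this block
        for lba in range(start, start + count):
            try:
                out.write(disk.read(lba))
            except OSError:
                unreadable.append(lba)
                if pad_errors:
                    out.write(b"\x00" * SECTOR)  # keep later offsets aligned
    return out.getvalue(), unreadable

def misaligned_sectors(disk, img, unreadable):
    """Readable source sectors that are not at the same offset in the image."""
    skip = set(unreadable)
    return [lba for lba, data in enumerate(disk.sectors)
            if lba not in skip and img[lba * SECTOR:(lba + 1) * SECTOR] != data]

# Constructed 16-sector disk: each sector is filled with its own LBA value.
DISK = FlakyDisk([bytes([i]) * SECTOR for i in range(16)], bad=[5, 6])

if __name__ == "__main__":
    for pad in (True, False):
        img, bad = image(DISK, pad_errors=pad)
        print(f"pad={pad} size={len(img)} unreadable={bad} "
              f"misaligned={misaligned_sectors(DISK, img, bad)}")
```

The same offset check can be used when validating an imaging tool: every sector that was readable on the source must appear at the identical byte offset in the image.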
 
  

jaclaz
Senior Member
 

Re: Software Write Blocker Box

Posted: Sep 24, 16 15:26

Well, as a matter of fact "hardware" write blockers like the Tableau and similar are actually "dedicated hardware and dedicated software" write blockers, the sheer fact that they have a firmware and that it is (usually) upgradeable shows their essential nature of "software" hardware blockers.
www.forensicfocus.com/...2/#6566642

What you are doing is however different, it is a "plain" dcfldd, the issues (if any) will likely come from *anything* outside it, like the kernel drivers and similar, i.e. the actual Linux distro in itself.

As an example (not necessarily your case, of course) there was a small glitch found in OSFclone (seemingly unrelated topic):
www.forensicfocus.com/...c/t=14057/
See also:
www.forensicfocus.com/...c/t=12056/

Maybe you want to procure yourself anyway one of these newish and rather convenient hardwares:
www.forensicfocus.com/...c/t=10557/
www.forensicfocus.com/...5/#6583575
and experiment with it.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 


Last edited by jaclaz on Sep 24, 16 15:34; edited 1 time in total
 
  

calimelo
Senior Member
 

Re: Software Write Blocker Box

Posted: Sep 24, 16 15:31

Thank you both.
_________________
"Simplicity is the ultimate sophistication." 
 
