Manufacture of a hardware write blocker ...  

azrael
(@azrael)
Senior Member

Hi All,

I wonder if anyone might be able to help me ? I've seen plenty of advice in the forums regarding which write blockers are everyone's favourite - that's great, but I'd really like to get a good understanding of how these hardware ( I get the software ones ) write blockers really work.

Is anyone aware of _any_ schematics for manufacturing a write blocker ? It doesn't have to be IDE … SCSI or USB would be acceptable, just to get a better understanding of the way that the hardware ones actually function.

Many thanks in advance,

Azrael :-)

Posted : 29/11/2006 6:14 pm
az_gcfa
(@az_gcfa)
Active Member

In order to get a good understanding I think you need to check out http://www.t13.org/#Docs_2006 . This does not address WB per se but the ATA specification. I think you need to understand how the controller and hard drive talk first.

If your intention is to build your own WB for use in forensics. Good Luck! Personally, I think your time would be better spent by just spending the $200 and buy an IDE write blocker. Too many potential legal headaches for me, but that is just my opinion!

Posted : 30/11/2006 7:31 am
azrael
(@azrael)
Senior Member

check out http://www.t13.org/#Docs_2006 .

Thanks, that is a fantastic set of resources. I'll do as you suggest and go through these to start with … :D

If your intention is to build your own WB for use in forensics. Good Luck! Personally, I think your time would be better spent by just spending the $200 and buy an IDE write blocker. Too many potential legal headaches for me, but that is just my opinion!

The exercise is academic in nature, one of my lecturers suggested that it would be unwise to rely on something which you are unable to explain the functionality of from first principles. I'm just getting started really, and whilst I can fully understand the workings of software writeblockers, I'm a bit of a hardware novice. As these seem to be the de-facto standard in the industry I feel obliged to learn more !

I'm not sure if I will progress as far as actually putting one together, although right now, I rather like the thought of it …

And it would make for an interesting appendix to my next piece of course work … :P

Many Thanks for your time,

Azrael

Posted : 30/11/2006 2:58 pm
az_gcfa
(@az_gcfa)
Active Member

In that case, I think you will discover that today's hardware WB's are a combination of hardware and software/firmware devices.

I imagine you could design a gated circuit path for each command set for a pure hardware solution? Would require a big PCB. I stopped tracking electronic components capabilities 20+ years ago – technology was moving too fast for me to stay current.
Heck it takes me weeks to replace the blown resistors and capacitors on my old VP6 motherboards.

Good Luck! Should prove interesting!

Posted : 30/11/2006 10:36 pm
azrael
(@azrael)
Senior Member

I'm coming back to this again having considered what has been said above …

Time is something that I never seem to have enough of … ?

My current plan is to go for a hardware/software solution making use of an 8051 development board like

http://www.pjrc.com/store/dev_pcb_assem.html

with their hints and tips for connecting an IDE drive

http://www.pjrc.com/tech/8051/ide/index.html

I think that this should allow for coding on the development board that can be shown to exclude the write commands allowing only for reading.

I can see a couple of pros and cons to this solution

Pro

It seems simple enough lol

It has a possibility of 50 IO lines, so the 24 ( sixteen data and eight control ) on IDE are easily accommodated and expanding to other connections may be possible without excessive re-engineering/expense.

$79 seems pretty cheap to me, even in comparison to a real one :-)

Cons

It is slow. ( 2GB will take 24 hours to image ) :(

It is SLOW. ( At best estimate ! )

It doesn't actually PREVENT writes, it merely doesn't implement them (?)

I'd be very interested to hear what anyone else thinks, also I'd be interested to hear if anyone knows of any other development boards that may provide a quicker interface.

All the Best to Everyone.

Posted : 24/03/2007 11:16 pm
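The command filtering idea from the post above, as an added example that is not part of the thread or of the PJRC code: a default-deny allowlist of ATA opcodes beside a naive deny-list, replayed over a constructed command trace. The function names, the trace and the minimal allowlist are assumptions made for illustration; a usable device would need more read-only and housekeeping commands than the five listed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* ATA opcodes used below (values from the ATA command set). */
enum {
    ATA_READ_SECTORS = 0x20, ATA_READ_SECTORS_EXT = 0x24,
    ATA_READ_DMA_EXT = 0x25, ATA_WRITE_SECTORS = 0x30,
    ATA_WRITE_DMA_EXT = 0x35, ATA_READ_DMA = 0xC8, ATA_WRITE_DMA = 0xCA,
    ATA_IDENTIFY_DEVICE = 0xEC, ATA_SECURITY_ERASE_UNIT = 0xF4
};

struct wb_cmd { uint8_t opcode; bool modifies; };

/* Constructed host command trace, not captured from a real bus. */
static const struct wb_cmd wb_trace[] = {
    { ATA_IDENTIFY_DEVICE, false }, { ATA_READ_DMA_EXT, false },
    { ATA_WRITE_SECTORS, true },    { ATA_WRITE_DMA_EXT, true },
    { ATA_SECURITY_ERASE_UNIT, true }, { ATA_READ_SECTORS, false },
    { 0xFF, true }  /* opcode unknown to the filter: assume it modifies */
};
#define WB_TRACE_LEN (sizeof wb_trace / sizeof wb_trace[0])

/* Default-deny: only opcodes listed here are passed to the drive. */
static const uint8_t wb_allowed[] = {
    ATA_IDENTIFY_DEVICE, ATA_READ_SECTORS, ATA_READ_SECTORS_EXT,
    ATA_READ_DMA, ATA_READ_DMA_EXT
};

bool wb_allowlist_forwards(uint8_t op) {
    for (size_t i = 0; i < sizeof wb_allowed; i++)
        if (wb_allowed[i] == op) return true;
    return false;   /* writes, erase and unknown opcodes never go out */
}

/* Naive contrast: refuse only the write opcodes the author thought of. */
bool wb_denylist_forwards(uint8_t op) {
    return op != ATA_WRITE_SECTORS && op != ATA_WRITE_DMA;
}

/* Count trace commands the filter passes that carry the given flag. */
size_t wb_passed(bool (*forwards)(uint8_t), bool modifies) {
    size_t n = 0;
    for (size_t i = 0; i < WB_TRACE_LEN; i++)
        if (forwards(wb_trace[i].opcode) && wb_trace[i].modifies == modifies) n++;
    return n;
}

/* Exit status 0 when the allowlist lets no modifying command through. */
int main(void) { return wb_passed(wb_allowlist_forwards, true) != 0; }
```

Both filters serve the three read-only commands in the trace; only the allowlist also stops WRITE DMA EXT, SECURITY ERASE UNIT and the unknown opcode.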
BitHead
(@bithead)
Community Legend

I think that if you use a homegrown/homebuilt solution and have to go to court it will be an uphill battle to prove that your device is sufficient. It may work and it may be every bit as good as a commercial device, but having to defend software and hardware in court never seems to end.

Posted : 25/03/2007 12:04 am
azrael
(@azrael)
Senior Member

It is an interesting, if irrelevant ( as stated previously - this is an academic exercise), point.

If it comes to standing in court and being able to explain, step by step the functioning of the device, and being able to demonstrate that it meets the standards required ( for example by testing it against the NIST guidelines ), or saying that I implicitly trust someone else's implementation tested against the same standards, that I have no operational knowledge of, I don't know which would hold more water.

I suppose it depends upon your level of expertise as to the questions that are asked of you, my developing of such a device, would no doubt be more questionable than the presentation of such evidence in court by someone more experienced and well known than I. Even though the device in question may well be functionally identical.

This argument seems irrelevant for something like a write-blocker, which is in common usage and readily available. However should I develop something which is less common, I should be able to stand in court and defend the functionality of it. Which is, ultimately, the aim for this exercise, that, irregardless of the manufacturer of a write-blocking device, that I can verify that it is possible, know how it works, and explain, if necessary, on a basic level to a court the reasons behind its use and its functionality.

Thanks for your concern to stop me from shooting myself in the foot though :-)

Posted : 25/03/2007 12:40 am
BitHead
(@bithead)
Community Legend

Some of the best ideas start out as academic exercises. And they often turn into successful commercial endeavors.

Unfortunately it does not always come down to the ability to explain something, it comes down to the ability of the court (or jury) to understand what you are explaining. Hex is apparently a concept that I am unable to explain well.

Posted : 25/03/2007 12:55 am
azrael
(@azrael)
Senior Member

:-)

I must admit that I'm coming to this all only through studies ( directed and self targeted ) at the moment, I don't do any real Forensic work, and this leaves me with a very biased, theoretical, idealistic idea of the way that things actually work ! oops

I guess it is a little less "neat" in reality when you need to explain such concepts to people who have no need or desire to know how their PC works, or may not even own one. ?

I have experience of trying to explain similarly seemingly simple concepts to people who have been leaders in their various academic fields ( Computational Fluid Dynamics & Medical Research at various times ) who can't grasp them at all.

I have a great deal of sympathy and respect for all of the Forensic Experts here that go and make a case sufficient to get the conviction.

Kind Regards.

Posted : 25/03/2007 3:40 am
thedigitalthinker
(@thedigitalthinker)
New Member

Disable the write command on the IDE bus, it's relatively simple (using inverters), alternatively if using software you need to write a low level driver which hooks or redirects Int 13 and/or various Windows API - a lot of research is needed for that but there's plenty out there.

Posted : 26/09/2007 1:36 am
omer15
(@omer15)
New Member

@az_gcfa Please can you share with me the full details of a software and hardware write blocker and how can I be able to make both for my final year project please

Posted : 18/05/2020 7:29 pm
Rich2005
(@rich2005)
Active Member
Posted by: @azrael

It is an interesting, if irrelevant ( as stated previously - this is an academic exercise), point.

If it comes to standing in court and being able to explain, step by step the functioning of the device, and being able to demonstrate that it meets the standards required ( for example by testing it against the NIST guidelines ), or saying that I implicitly trust someone else's implementation tested against the same standards, that I have no operational knowledge of, I don't know which would hold more water.

I suppose it depends upon your level of expertise as to the questions that are asked of you, my developing of such a device, would no doubt be more questionable than the presentation of such evidence in court by someone more experienced and well known than I. Even though the device in question may well be functionally identical.

I think you're fast running into the practical reality that it's impossible to be an expert in everything and yet a digital forensics expert/examiner will often be expected to be an expert in everything (in the digital world).

This is where language becomes key, and a bad examiner would over-stress things with certainty (of which there isn't), but a better one would use more qualifying statements, to indicate the lack of certainty, and attempt to weight their emphasis fairly.

I like to think of the forensics practitioner as much like a GP in many ways. They're not the specialist surgeon, they don't develop the drugs, they don't develop the needles, they don't develop the chemicals or substances needed to make the drugs or needles, they don't have certainty about every disease/ailment, but they have a good broad knowledge allowing them to diagnose and treat people. You wouldn't expect them to know everything about every drug/tool they use, how they were made and engineered, about every disease/ailment to 100% certainty, and so on and so forth. They're still respected and perform a valuable function (and will on-occasion testify in court).

This post was modified 4 days ago 3 times by Rich2005
Posted : 25/05/2020 7:48 am