Question-difference between hardware and software blockers

(@maniak)
Posts: 5
Active Member
Topic starter
 

Hello everyone,
I'm new here, so I started to read this forum/site from the oldest posts and articles to the newest, and I still am, but…

I have a question about USB write blockers.

Some people say that they use software blockers and it's OK; others say that they only use hardware write blockers. So is it equal in the end? I mean, do they protect the source device against accidental writes with the same efficiency?

Hardware blockers do a good job, but how about software write blockers? The drive should be in read-only mode and ignore / fail write requests, but as I read on this forum, some users say that this is not 100% true because Windows still writes some data to the attached device, and I am a little confused about that.
The next thing is that some devices, e.g. SD cards, have a small hardware switch to enable write blocking, so is this way of write blocking comparable with "normal" hardware blockers like the Tableau TH8?

BTW, I couldn't just test/try it because right now I don't have a hardware USB write blocker.
BTW2, I hope that this is the most appropriate forum for my question )

 
Posted : 28/01/2015 2:57 am
(@a-nham)
Posts: 32
Eminent Member
 

Basically, it is best practice to use a hardware write block when it is possible. That is because it lowers the already quite low chance of the write block failing and writing to disk (lower because you should already be familiar with your own hardware). There is nothing wrong with software-based write blocks, and in some cases you will be limited to using that (such as with ultrabooks). The most important thing is testing, verifying, and knowing how your equipment works before going in.

The reason some choose to swear by hardware-based write blockers is because of the nature of software write-blocking technology. From what I understand, software write blocks usually work by causing an interrupt on the BIOS; however, some BIOSes do not receive that interrupt as a write-block and writing still occurs, accidentally I hope. That is, of course, not to say hardware write blocks are perfect. They may still write to your device; however, you should know what and where they write from your testing. This makes the change to evidence, at least, justifiable in court.

 
Posted : 28/01/2015 6:37 am
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

I would also say hardware write blocking is best practice wherever possible. Whenever I do use software write blocking for USB, I always do a test with a similar USB device and take a screenshot for my notes. Again, good practice, and it offers peace of mind for about 30 seconds' work.

Disk write blocking versus using a Linux boot CD is a little different. That's to do with write blocking the disk versus write blocking the file-system(s) on the disk.

Steve

 
Posted : 28/01/2015 3:17 pm
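The pre-use test described in the posts above (attempt a write to a scratch device behind the blocker, then confirm the media is unchanged) can be scripted as hash, write attempt, re-hash. This is an added example, not code from any poster in this thread; `validate_blocker`, `try_write` and the marker bytes are hypothetical names, and the path is assumed to be a sacrificial test device or image file.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 20):
    """Hash the whole device or image file by reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def try_write(path, offset=0, marker=b"WBTEST"):
    """Attempt an in-place write. Returns None if the OS accepted it,
    otherwise the error text (a blocker that rejects writes lands here)."""
    try:
        with open(path, "r+b") as f:
            f.seek(offset)
            f.write(marker)
            f.flush()
            os.fsync(f.fileno())
        return None
    except OSError as e:
        return str(e)

def validate_blocker(path, writer=try_write):
    """Hash, attempt a write, re-hash, and classify the outcome."""
    before = sha256_of(path)
    error = writer(path)
    # On real hardware, detach and re-attach the test device at this point so
    # the second hash is read from the media and not from the OS cache.
    after = sha256_of(path)
    if before != after:
        verdict = "FAIL: media changed"
    elif error is None:
        verdict = "PASS: write accepted but discarded"
    else:
        verdict = "PASS: write rejected"
    return {"before": before, "after": after,
            "write_error": error, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample: an unprotected 4 KiB scratch image, so the check fails.
    fd, scratch = tempfile.mkstemp(suffix=".img")
    os.write(fd, b"\x00" * 4096)
    os.close(fd)
    print(validate_blocker(scratch))
    os.remove(scratch)
```

The returned dictionary, with both hashes and the write error, can go into case notes alongside the screenshot.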
(@thefuf)
Posts: 262
Reputable Member
 

Disk write blocking versus using a Linux boot CD is a little different. That's to do with write blocking the disk versus write blocking the file-system(s) on the disk.

What do you mean? What Linux distributions do a write block?

 
Posted : 28/01/2015 4:07 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

Normal distributions don't but there are lots of forensic options like Spada, Helix, Paladin and DEFT. These don't mount the file systems of the internal disk(s) or mount them as read only.

I probably should have been clear I meant these and not stuff like Ubuntu. Sorry for any confusion caused.

Steve

 
Posted : 28/01/2015 5:01 pm
(@thefuf)
Posts: 262
Reputable Member
 

Hi,

Normal distributions don't but there are lots of forensic options like Spada, Helix, Paladin and DEFT. These don't mount the file systems of the internal disk(s) or mount them as read only.

I probably should have been clear I meant these and not stuff like Ubuntu. Sorry for any confusion caused.

Steve

Latest versions of Helix3 Pro, PALADIN and DEFT, for example, automount NTFS on internal disks read-write during the boot.

 
Posted : 28/01/2015 6:17 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

thefuf,

In relation to your point about DEFT, Paladin etc I assume you are referring to the conversation had here about bootable distros -

http://www.forensicfocus.com/Forums/viewtopic/t=12056/postdays=0/postorder=asc/start=0/

All I was trying to convey in this post was the difference between write blocking a disk and write blocking the file system(s) on that disk.

Steve

 
Posted : 29/01/2015 7:23 pm
(@thefuf)
Posts: 262
Reputable Member
 

All I was trying to convey in this post was the difference between write blocking a disk and write blocking the file system(s) on that disk.

Ok, but I doubt that many forensic Live CDs actually provide a way to mount a file system truly read-only.

 
Posted : 29/01/2015 10:06 pm
(@maniak)
Posts: 5
Active Member
Topic starter
 

Thank you all, guys, for your answers; they have been very helpful for me. So I must buy a new hardware USB write blocker.

BTW, if you must use a software USB blocker, do you use only some Linux distribution, or do you have favourite apps under Windows, or do you have some script to simply modify a registry value?

 
Posted : 31/01/2015 11:08 pm
(@a-nham)
Posts: 32
Eminent Member
 

I would say it is ideal to have a hardware write blocker and to use it when possible; however, it definitely does not have to be a brand new one, just make sure you test it on multiple hard drives and multiple OSes before actual deployment.

The answer to your second question is, if you prefer Windows for acquisition, there is WinFE. It's basically Windows Portable with a few registry changes for software write blocking (so your guess was super close). However, unlike the Linux acquisition distros, you need to build/compile it before testing it.

 
Posted : 01/02/2015 6:19 am