Manufacture of a hardware write blocker ...

In order to get a good understanding I think you need to check out http//www.t13.org/#Docs_2006 . This does not address WB per-say but the ATA specification. I think you need to understand how the controller and hard drive talk first.

If your intention is to build your own WB for use in forensics. Good Luck! Personally, I think your time would be better spent by just spending the $200 and buy an IDE write blocker. Too many potential legal headaches for me, but that is just my opinion!

check out http//www.t13.org/#Docs_2006 .

Thanks, that is a fantastic set of resources. I'll do as you suggest and go through these to start with … D

If your intention is to build your own WB for use in forensics. Good Luck! Personally, I think your time would be better spent by just spending the $200 and buy an IDE write blocker. Too many potential legal headaches for me, but that is just my opinion!

The exercise is academic in nature, one of my lecturers suggested that it would be unwise to rely on something which you are unable to explain the functionality of from first principles. I'm just getting started really, and whilst I can fully understand the workings of software writeblockers, I'm a bit of a hardware novice. As these seem to be the de-facto standard in the industry I feel obliged to learn more !

I'm not sure if I will progress as far as actually putting one together, although right now, I rather like the thought of it …

And it would make for an interesting appendix to my next piece of course work … P

Many Thanks for your time,

Azrael

In that case, I think you will discover that today's hardware WB's are a combination of hareware and software/firware devices.

I image you could design a gated circuit path for each command set for a pure hardware solution? Would require a big PCB. I stopped tracking electronic components capabilities 20+ years ago – technology was moving too fast for me to stay current.
Heck it takes me weeks to replace the blown resistors and capacitors on my old VP6 motherboards.

Good Luck! Should prove interesting!.

I'm comming back to this again having considered what has been said above …

Time is something that I never seem to have enough of … ?

My current plan is to go for a hardware/software solution making use of an 8051 development board like

http//www.pjrc.com/store/dev_pcb_assem.html

with their hints and tips for connecting an IDE drive

http//www.pjrc.com/tech/8051/ide/index.html

I think that this should allow for coding on the development board that can be shown to exclude the write commands allowing only for reading.

I can see a couple of pros and cons to this solution

Pro

It seems simple enough lol

It has a possibility of 50 IO lines, so the 24 ( sixteen data and eight control ) on IDE are easily accomodated and expanding to other connections may be possible without excessive re-engineering/expense.

$79 seems pretty cheap to me, even in comparison to a real one -)

Cons

It is slow. ( 2GB will take 24 hours to image ) (

It is SLOW. ( At best estimate ! )

It doesn't actually PREVENT writes, it merely doesn't implement them (?)

I'd be very interested to hear what anyone else thinks, also I'd be interested to hear if anyone knows of any other development boards that may provide a quicker interface.

All the Best to Everyone.

I think that if you use a homegrown/homebuilt solution and have to go to court it will be an uphill battle to prove that your device is sufficient. It may work and it may be every bit as good as a commercial device, but having to defend software and hardware in court never seems to end.

It is an interesting, if irrelevant ( as stated previously - this is an academic exercise), point.

If it comes to standing in court and being able to explain, step by step the functioning of the device, and being able to demonstrate that it meets the standards required ( for example by testing it against the NIST guidelines ), or saying that I implicitly trust someone else's implementation tested against the same standards, that I have no operational knowledge of, I don't know which would hold more water.

I suppose it depends upon your level of expertise as to the questions that are asked of you, my developing of such a device, would no doubt be more questionable than the presentation of such evidence in court by someone more experienced and well known than I. Even though the device in question may well be funtionally identical.

This argument seems irrelevant for something like a write-blocker, which is in common useage and readily available. However should I develop something which is less common, I should be able to stand in court and defend the functionality of it. Which is, ultimately, the aim for this exercise, that, irregardless of the manufacturer of a write-blocking device, that I can verify that it is possible, know how it works, and explain, if necessary, on a basic level to a court the reasons behind its use and its funtionality.

Thanks for your concern to stop me from shooting myself in the foot though -)

Some of the best ideas start out as academic exercises. And they often turn into successful commercial endeavors.

Unfortunately it does not always come down to the ability to explain something, it comes down to the ability of the court (or jury) to understand what you are explaining. Hex is apparently a concept that I am unable to explain well.

-)

I must admit that I'm comming to this all only through studies ( directed and self targeted ) at the moment, I don't do any real Forensic work, and this leaves me with a very biased, theoretical, idealistic idea of the way that things actually work ! oops

I guess it is a little less "neat" in reality when you need to explain such concepts to people who have no need or desire to know how their PC works, or may not even own one. ?

I have experience of trying to explain similarly seemingly simple concepts to people who have been leaders in their various academic fields ( Computational Fluid Dynamics & Medical Research at various times ) who can't grasp them at all.

I have a great deal of sympathy and respect for all of the Forensic Experts here that go and make a case sufficent to get the conviction.

Kind Regards.

Disable the write command on the IDE bus, its relatively simple (using inverters), alternatively if using software you need to write a low level driver which hooks or redirects Int 13 and/or various windows API - a lot of research is need for that but there's plenty out there.