What Can Happen if Write Block is Not Enabled?  

JustLearningForensics
(@justlearningforensics)
New Member

What are all the scenarios - issues - problems -
or perhaps lack of problems

that can occur (or not) if write-block is not employed during a forensic onsite triage?

trying to gain an understanding of the risk imposed on the E01 - on the overall forensics - if no-write block employed

it would be good to get a basket of possible issues/outcomes that would be the result of no-write block or failed write-block
during onsite triage

i will get the ball rolling with a hypothetical

LEA enters and conducts triage
devices seized and sent to field office
resulting E01 - during expert forensic review for defense - observes timestamps consistent with some live preview on said device
- applications are launched including uTorrent
- uTorrent file is created during onsite preview
- and cloud services also register entry into their spaces from that device
- handful of thumbnails - with dimensionless data (no date, time) are observed
- search terms in windows - also dimensionless (no date, time) are observed
is there any data integrity left with the above device image?

if write-block is not enabled for short periods of time - or short failures - can the data integrity be preserved?
how important do contemporaneous reports become in lieu of write-block or failed write-block?
how critical is write-block? and without it, is the resulting forensics output utterly useless?
Do you have a case or story that was directly impacted by write-block?

thanks

Posted : 30/03/2020 10:59 pm
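The hypothetical above turns on whether timestamps inside the image post-date the documented seizure. The following is an added example, not code from the thread or from any poster: a POSIX shell filter over a Sleuth Kit body file (the `fls -r -m / evidence.E01 > body.txt` output format, 11 pipe-separated fields with epoch timestamps) that lists every entry with an access, modification, change or creation time later than the seizure time recorded in the contemporaneous notes. The body-file lines and the seizure epoch are constructed sample data; the paths are assumptions chosen to mirror the scenario (a uTorrent resume file, a thumbnail cache) and are not real evidence.

```shell
#!/bin/sh
# Added example (not from the thread): flag filesystem entries in a Sleuth Kit
# body file whose timestamps post-date the documented seizure time.
# Assumes a body file produced with:  fls -r -m / evidence.E01 > body.txt
# Body-file fields (TSK 3.x), epoch seconds for the four times:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime

# Print "<path><TAB><which timestamps are later than the cutoff>" for every
# record with at least one timestamp after $2.
# $1 = body file, $2 = seizure time as Unix epoch seconds.
post_seizure_activity() {
    awk -F'|' -v cutoff="$2" '
        NF >= 11 {
            hit = ""
            if ($8  > cutoff) hit = hit "atime "
            if ($9  > cutoff) hit = hit "mtime "
            if ($10 > cutoff) hit = hit "ctime "
            if ($11 > cutoff) hit = hit "crtime"
            if (hit != "") printf "%s\t%s\n", $2, hit
        }' "$1"
}

# Number of flagged records, the figure a report would summarise.
post_seizure_count() {
    post_seizure_activity "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample body file for a stand-alone run (not real evidence).
# Seizure documented at 2020-03-30 20:00:00 UTC, i.e. epoch 1585598400.
# notes.txt: untouched. resume.dat: created and written an hour after seizure.
# img001.jpg: only atime moved (consistent with a preview). thumbcache: rewritten.
SAMPLE_BODY="$(mktemp)"
cat > "$SAMPLE_BODY" <<'EOF'
0|/Users/x/Documents/notes.txt|100|r/rrwxrwxrwx|0|0|812|1585000000|1584990000|1584990000|1584000000
0|/Users/x/AppData/Roaming/uTorrent/resume.dat|101|r/rrwxrwxrwx|0|0|4096|1585602000|1585602000|1585602000|1585601500
0|/Users/x/Pictures/img001.jpg|102|r/rrwxrwxrwx|0|0|220000|1585601000|1580000000|1580000000|1580000000
0|/Users/x/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db|103|r/rrwxrwxrwx|0|0|1048576|1585602100|1585602100|1585602100|1584000000
EOF
SEIZURE_EPOCH=1585598400

# Stand-alone run: prints the three flagged entries.
post_seizure_activity "$SAMPLE_BODY" "$SEIZURE_EPOCH"
```

Two caveats when reading the output. An `atime`-only hit is weak on its own: Windows has not reliably updated NTFS last-access times since Vista, so `mtime`, `ctime` and `crtime` hits carry more weight. And the cutoff only means something if the seizure time and the device's own clock offset were written down at the scene, which is exactly why the thread keeps coming back to contemporaneous notes when a write blocker was not in place.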
bshavers
(@bshavers)
Active Member

Sometimes
—write blocking is impossible
—write blocking is impractical

Posted : 31/03/2020 6:29 am
minime2k9
(@minime2k9)
Active Member

It very much depends on what triage is being used for.

We use it a lot for monitoring of registered sex offenders, who are required to make their devices available for examination.
As this is not based on any kind of intel that an offence has taken place, merely enforcing a court order (SHPO or similar), it has a different level of requirement. If it becomes relevant, it would be seized and taken as an exhibit and treated as such from that point.

If you are talking about for a warrant based on intel, then probably more stringent on the write blocking.

Posted : 31/03/2020 8:46 am
tracedf
(@tracedf)
Active Member

Without write-block, you are going to make some changes to the drive/device. But, it's not always possible to avoid making any changes. The goal should be to avoid making changes to the greatest extent possible. If you are working on a removable hard drive from a computer that is not currently turned on, then you should always use a write-blocker. In other situations, you may want to make some changes in order to capture the maximum amount of evidence. For example, you might load a program to capture RAM from a running computer. Or, you might be required to confirm the presence of such-and-such relevant evidence before taking the computer with you. In another circumstance, you might need to boot to a live distribution to recover data from a hard drive that is not removable.

The risk, when not using a write blocker, is that you'll change evidence in ways that hinder your investigation. For example, you might update last access timestamps or create new thumbnails by browsing pictures. You might even make a mistake and destroy evidence by accidentally deleting or overwriting a file. If you need to proceed without a write-blocker, it is important to understand what you are doing, limit your activity to what is necessary, and document each step you take so your work can be reviewed later.

Posted : 31/03/2020 4:21 pm
trewmte
(@trewmte)
Community Legend

Here is a useful pdf discussion document produced in 2003/2004 about possible failure of Software Writer Blockers you might find interesting, if you haven't read it before

http://mykeytech.com/SoftwareWriteBlocking2-4.pdf

Also see Software Write Blockers thread here at Forensic Focus 2005
https://www.forensicfocus.com/Forums/viewtopic/t=559/

Posted : 03/04/2020 6:12 am
thefuf
(@thefuf)
Active Member

Here is a useful pdf discussion document produced in 2003/2004 about possible failure of Software Writer Blockers you might find interesting, if you haven't read it before

http://mykeytech.com/SoftwareWriteBlocking2-4.pdf

Also see Software Write Blockers thread here at Forensic Focus 2005
https://www.forensicfocus.com/Forums/viewtopic/t=559/

The article states

A properly designed hardware media protection device, however, allows no changes to the media even if it has a failure. You can certify a controllable device but not a dynamic system.
[…]
Given the uncontrollable nature of the systems we use, the safest and least expensive route is to use hardware media protection.

Thus, a second link to disprove that is also needed https://github.com/msuhanov/Linux-write-blocker/blob/master/research/2017-01_Write_blockers.pdf

Posted : 03/04/2020 10:14 am
jaclaz
(@jaclaz)
Community Legend

Also
https://www.forensicfocus.com/Forums/viewtopic/t=11739/

jaclaz

Posted : 03/04/2020 10:16 am
JustLearningForensics
(@justlearningforensics)
New Member

Here is a useful pdf discussion document produced in 2003/2004 about possible failure of Software Writer Blockers you might find interesting, if you haven't read it before

http://mykeytech.com/SoftwareWriteBlocking2-4.pdf

Also see Software Write Blockers thread here at Forensic Focus 2005
https://www.forensicfocus.com/Forums/viewtopic/t=559/

The article states

A properly designed hardware media protection device, however, allows no changes to the media even if it has a failure. You can certify a controllable device but not a dynamic system.
[…]
Given the uncontrollable nature of the systems we use, the safest and least expensive route is to use hardware media protection.

Thus, a second link to disprove that is also needed https://github.com/msuhanov/Linux-write-blocker/blob/master/research/2017-01_Write_blockers.pdf

GOOD RESOURCES AND LINKS TO PDF HERE - #HANDSHAKE!

Posted : 05/04/2020 12:44 am
CCFI
(@ccfi)
New Member

A write blocker (hardware or software) can give you a completely false sense of security and will not work in all cases.

I have recently examined and downloaded the data records from a password protected bank card skimmer for a Police unit.

They had a go at examining it and tried to download the data using a USB cable, the download program that came with it, and the default access password of "0000" and they discovered that the password had been changed so they could not access the bank card data in it.

When they brought it to me to crack the password they said that they had used a USB write blocker to protect it when they attempted to examine it.

Now, think about that.

In order to download data from a USB connected device such as a skimmer you need to send it a command and it needs to give you a response.

If your write blocker was working as you thought it was, the command you send it would not be received by the device and it obviously would not give you a response.

Write blockers don't work as a "one device solves all" protection and using a write blocker gave no protection in this case.

And when you send a USB device like a skimmer a "D" for "Download" how do you know that the skimmer does not see "D" as the command to "Delete"?

Do not rely on a write blocker in all cases.

Posted : 05/04/2020 10:06 pm
JustLearningForensics
(@justlearningforensics)
New Member

Without write-block, you are going to make some changes to the drive/device. But, it's not always possible to avoid making any changes. The goal should be to avoid making changes to the greatest extent possible. If you are working on a removable hard drive from a computer that is not currently turned on, then you should always use a write-blocker. In other situations, you may want to make some changes in order to capture the maximum amount of evidence. For example, you might load a program to capture RAM from a running computer. Or, you might be required to confirm the presence of such-and-such relevant evidence before taking the computer with you. In another circumstance, you might need to boot to a live distribution to recover data from a hard drive that is not removable.

The risk, when not using a write blocker, is that you'll change evidence in ways that hinder your investigation. For example, you might update last access timestamps or create new thumbnails by browsing pictures. You might even make a mistake and destroy evidence by accidentally deleting or overwriting a file. If you need to proceed without a write-blocker, it is important to understand what you are doing, limit your activity to what is necessary, and document each step you take so your work can be reviewed later.

does the write-block also kill internet connections? what happens to internet connections and data transfers as write-block is engaged/started/initiated on the machine?

Posted : 16/04/2020 1:50 am
tracedf
(@tracedf)
Active Member

does the write-block also kill internet connections? what happens to internet connections and data transfers as write-block is engaged/started/initiated on the machine?

With a hardware write-blocker, you don't use it on a running machine. You remove the hard drive while the machine is off and connect it to the write blocker.

With software write-blockers, you are generally booting the computer from a USB drive that contains the forensic software you want to use. For example, if I wanted to image a Windows laptop without removing the hard drive (or where it wasn't removable), I could boot to a USB drive that contains a Linux distribution and mount the laptop's hard drive in read-only mode; the copy of Windows that is stored on the hard drive would not be running.

There are triage/incident response tools that run on live systems. These tools *may* limit the changes they make to the system (e.g. by accessing files through a driver to avoid modifying timestamps) but the system is still running and making other changes. Some tools, that are meant for security incident response, may allow you to quarantine a machine to block all incoming/outgoing network traffic other than what is needed to run the tool; the purpose of this is to prevent a hacker from continuing to make changes and reach other machines on the network while you investigate.

Posted : 16/04/2020 3:31 am
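The boot-USB procedure in the reply above (mount the laptop's drive read-only from a Linux distribution, with the installed OS never running) is where a software write block is actually typed in. The script below is an added example, not code from the thread or from any poster. It assumes root on a Linux boot environment with util-linux (`blockdev`, `blkid`, `lsblk`, `mount`) and `sha256sum`; the device names in the usage comment are assumptions. It does three things a practitioner wants from a software blocker: it sets the kernel block-layer read-only flag on the disk and every partition and checks that the flag took; it picks mount options that stop journal replay, because a plain `-o ro` mount of ext3/ext4 or XFS can still write recovery data to the media; and it hashes the device before and after the triage mount so that the "no writes" claim is demonstrated rather than assumed. The research paper thefuf linked above documents blockers, hardware included, that let writes through, which is the reason for the before/after hash.

```shell
#!/bin/sh
# Added example (not from the thread): software write block on a Linux boot
# USB, with proof that it held. Requires root; device names are assumptions.
# A hardware blocker on a removed drive remains the first choice when it is
# possible; this is the fallback for non-removable drives.

# SHA-256 of an image file or block device.
wb_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Set the kernel block-layer read-only flag on the whole disk and on each
# of its partitions (lsblk -p prints full /dev paths), then confirm each
# flag reads back as 1. Returns non-zero if any device could not be set.
wb_protect() {
    for dev in $(lsblk -lnpo NAME "$1"); do
        blockdev --setro "$dev" || return 1
        [ "$(blockdev --getro "$dev")" = 1 ] || return 1
    done
}

# Mount a partition for triage without journal replay:
#   ext3/ext4 need `noload`, XFS needs `norecovery`; with only `ro`
#   the filesystem driver may still write journal recovery to the media.
# $1 = partition device, $2 = mount point.
wb_mount() {
    fstype="$(blkid -o value -s TYPE "$1")"
    case "$fstype" in
        ext3|ext4) opts="ro,noload,noexec,nodev" ;;
        xfs)       opts="ro,norecovery,noexec,nodev" ;;
        *)         opts="ro,noexec,nodev" ;;
    esac
    mount -t "$fstype" -o "$opts" "$1" "$2"
}

# 0 if the before/after hashes match (no writes reached the media).
wb_verify() {
    [ "$1" = "$2" ]
}

# Self-test of the hash/verify logic on a scratch file (no devices needed):
# returns 0 when one appended byte is detected as a change.
wb_selftest() {
    f="$(mktemp)"
    printf 'constructed sample data' > "$f"
    before="$(wb_hash "$f")"
    printf 'x' >> "$f"
    after="$(wb_hash "$f")"
    rm -f "$f"
    ! wb_verify "$before" "$after"
}

# Usage on the boot USB, with DEV=/dev/sda and PART=/dev/sda2 as assumed
# names. Hashing a whole disk takes time; record both hashes in the notes.
#   before=$(wb_hash "$DEV")
#   wb_protect "$DEV" && wb_mount "$PART" /mnt/evidence
#   ... triage under /mnt/evidence ...
#   umount /mnt/evidence
#   after=$(wb_hash "$DEV")
#   wb_verify "$before" "$after" && echo "media unchanged" || echo "WRITES OCCURRED"

wb_selftest && echo "hash/verify self-test passed"
```

The mount step is the one people get wrong: the read-only flag and the `ro` mount option are two different controls, and the journal options are a third. If `wb_protect` fails on a partition, stop and fall back to a hardware blocker rather than mounting anyway; if the final `wb_verify` fails, the notes must say so, which is the contemporaneous record the original question asks about.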
bshavers
(@bshavers)
Active Member

The question "How critical is Write-Block during onsite triage?" needs qualifiers to answer accurately.

Every scenario is independent from another. What is 'critical' in one scenario may not be in another. Case objectives, device configurations, and conditions onsite affect the decision-making of whether to write block or not, and if you can write block at all.

–Is the computer off?
—–Then you can "triage" in a write-protected mode using a forensically sound boot OS (Linux or Windows). Decryption key needed if the device is encrypted or else you won't have access to the data.
—–Or if the drive is accessible to a physical write protect device, triage via a forensic workstation with the drive attached through a hardware write blocker. You'll still need the key if the drive is encrypted.

–Is the computer on?
—–Do you need the RAM? You can't write protect if you do.
—–Is it encrypted and you don't have the key? You'll have to image while it's running (live) without write protection.
—–Is someone's life or limb at risk and you need intel now? Best to get the intel and not worry about write protection.

There is a sliding scale of what is reasonable as it relates to write protecting evidence. On one hand, if a storage device is easily accessible (removable as an example), not encrypted (or you have the decryption key), and time is not of the essence, then write blocking the drive to triage is probably most reasonable. However, if you are onsite where a child has been lured away, and the computer is running, I would hope you would not even consider write blocking the device, since that would mean (1) shutting it down, (2) losing RAM, and most importantly, (3) wasting valuable and potentially life saving time.

Posted : 16/04/2020 4:17 am