I am attempting to use the Windows operating system as the main OS for my computer forensic needs. However, this particular OS does not offer a safe forensic environment without some assistance. For this safe forensic environment to occur, I need to have some type of write blocking device (hardware or software) to prevent Windows from ‘touching’ my media and getting its dirty little fingerprints all over it.
Since this blog is about low cost Windows forensic options, hardware write blockers will not be discussed. Why…Because they are rather expensive (money-wise) and thus do not fit into this blog’s topic. It is my belief you get what you pay for, so if you find a hardware write blocking device for say…$10.00, well…you get my drift. And yes, I know, the same can be said about software write blockers as well. No matter what product you use, you NEED to validate the product and determine it is operating as designed!
My mobile forensic acquisition machine is a Sony Vaio laptop computer with Windows 7 installed (32-bit) and 3GB of RAM. I have a couple of available USB 2.0 ports and a FireWire 400 port. I use AccessData’s FTK Imager (http://accessdata.com/support/adownloads) as my acquisition tool. It’s free; I just need to provide AccessData with my email address to download their product.
What software write blocking solutions are out there? Hmmmm…Back in the day I used a product called ‘WriteBlocker XP (WBXP) Version 6.10’ from the https://acesle.org web site. This tool was tested by the National Institute of Justice and found to operate as designed (http://www.nij.gov/pubs-sum/220222.htm). However, I no longer have access to this site, and as previously stated, I am using Windows 7, not XP.
I found this white paper on AccessData’s web site (http://accessdata.com/media/en_us/print/papers/wp.USB_Write_Protect.en_us.pdf) discussing how to modify the Windows XP (SP2) Registry to write protect USB devices. When modifying the Windows Registry, PLEASE be careful. The paper clearly explains the modification process and even offers a free tool from the National Center for Forensic Science to automate this process. The NCFS also lists a five-step validation process so you can test your handiwork. Even though this is for an XP box, I could modify my Windows 7 Registry and then validate the results, to see if this would be an option.
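As an added example (not code from this post, the white paper, or any of the tools mentioned here), the PowerShell script below sets the StorageDevicePolicies\WriteProtect registry value, assumed here to be the mechanism the white paper describes, and then checks it against a disposable test stick in the spirit of the NCFS validation steps. It assumes an elevated (Administrator) PowerShell session and that the test stick is mounted as drive E:.

```powershell
# Added example, not from the post or from any vendor it names.
# Assumes: an elevated PowerShell, and that the drive passed to the test
# function is a disposable TEST stick whose contents you do not care about.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbWriteProtect {
    param([bool]$Enabled)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $v = 0; if ($Enabled) { $v = 1 }
    Set-ItemProperty -Path $Key -Name 'WriteProtect' -Value $v -Type DWord
    # Read the value back rather than trusting that the call succeeded
    return (Get-ItemProperty -Path $Key -Name 'WriteProtect').WriteProtect
}

function Get-VolumeSnapshot {
    param([string]$Drive)
    # Name, size and timestamp of every file on the stick; any difference
    # between the before and after snapshots means a write got through
    Get-ChildItem -Path $Drive -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { '{0}|{1}|{2:o}' -f $_.FullName, $_.Length, $_.LastWriteTimeUtc } |
        Sort-Object
}

function Test-UsbWriteProtect {
    param([string]$Drive)
    $before  = @(Get-VolumeSnapshot $Drive)
    $probe   = Join-Path $Drive 'writeblock-probe.txt'   # constructed probe file name
    $blocked = $false
    try   { [IO.File]::WriteAllText($probe, 'this should never land on the media') }
    catch { $blocked = $true }                          # expected outcome: write refused
    # If the write did land, remove the probe so the test stick is not left modified
    if (Test-Path $probe) { Remove-Item $probe -Force }
    $after     = @(Get-VolumeSnapshot $Drive)
    $unchanged = ($before -join "`n") -eq ($after -join "`n")
    New-Object PSObject -Property @{
        WriteRefused      = $blocked
        ContentsUnchanged = $unchanged
        Pass              = ($blocked -and $unchanged)
    }
}

# Usage: set the value, then unplug and re-insert the TEST stick before running
# the check, since the setting applies to devices mounted after it is written.
# Set-UsbWriteProtect -Enabled $true
# Test-UsbWriteProtect -Drive 'E:'
```

A Pass of True on the test stick is the minimum bar; the hash of an image acquired from the stick before and after the check should also match.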
Another tool brought to my attention is from Document-Solutions, Inc., called DSi USB Write-Blocker (http://document-solutions.biz/downloads/?did=9). This tool also makes Windows Registry changes, and provides a nice little icon in the System Tray to let the user know when the DSi Write-Blocker is enabled or disabled. According to the Document Solutions web site, their utility is compatible with the following operating systems:
- Windows XP (w/SP2 and Higher, 32bit & 64bit)
- Windows Vista (32bit & 64bit)
- Windows 7 (32bit & 64bit)
Another tool I was not aware of is from Mid Michigan Computer Forensics Group (http://www.m2cfg.com/usb_writeblock.htm). The program is called M2CFG USB WriteBlock. This tool modifies the Windows Registry on a Windows XP (SP2) computer. There is no mention on the web site of whether the USB write blocker application has been tested on newer Windows operating systems. Based on the web site, the M2CFG USB WriteBlock does not initially meet my Windows 7 OS requirements. Further testing will be needed to see if it is compatible with Windows 7.
Need a USB blocker for the corporate environment? Check out http://www.netwrix.com/usb_blocker_freeware.html. Notice I said blocker, not write blocker. There is a difference. This application is for the corporate environment. The free version is for the small office environment. One of its many uses that I see is the prevention of Intellectual Property theft. The application will prevent USB devices from being recognized by the OS when plugged into the employee’s computer workstation. For what I want to do, this is not the application for me, but worth mentioning.
The last software USB write blocker application I am aware of is called Thumbscrew. This application can be downloaded at http://www.irongeek.com/i.php?page=security/thumbscrew-software-usb-write-blocker. The author openly warns everyone downloading his application that the program is not 100% forensically sound. This application, like the others, modifies the Windows Registry to accomplish read-only, or write blocker, status.
Once you have made your selection as to which of the above software write blocking applications you want to try, validate, validate, validate on a test device BEFORE using the application in the field.
I am going to install and test Document-Solutions’ DSi USB Write-Blocker. I will let you know how it goes!