I was finally able to get a software write blocker installed on my laptop! If you read my previous post, I am using a Windows 7 laptop and was going to install Document-Solutions’ DSi USB Write-Blocker. This was the only software write blocking application that indicated it was tested, or designed, for the Windows 7 (32 bit and 64 bit) OS. (Note: On 06-20-2011, I learned the ACESLE web site now offers software write blocking for Windows Vista and Windows 7, 32 bit and 64 bit.)
I am also a Helix Pro user. It would be nice if they would continue to update the product (personal comment). Oh well…Anyway. The validation process below is from the Helix Pro manual. I used this validation process to test the DSi USB Write Blocker software. I also added a step, which included accessing the device at the physical level with a hex editor.
From the Helix Pro manual: “This process is based on the National Center for Forensic Science (NCFS) 5 step validation process for testing write protection devices (Erickson, 2004). It was originally designed to test the Windows XP SP2 USB software write blocker, but has been adapted to test any hardware and/or software write blockers.
Step #1 – Prepare the media
a) Attach the storage media you will be testing with to your forensic workstation in write-enabled mode.
b) Wipe the media - validate that this has been successful.
c) Format the media with a file format of your choosing.
d) Copy an amount of data to the media.
e) Delete a selection of this data from the media.
f) On the desktop of your forensic workstation create 3 folders. Call these Step-1, Step-2 and Step-5.
g) Image the media into the Step-1 folder and note the MD5 hash.
Step #2 – Testing the media
a) Remove and then replace the testing media into your forensic workstation.
b) Copy some data to the media.
c) Delete a selection of this data from the media.
d) Image the media into the Step-2 folder and note the MD5 hash.
e) Validate that this hash value is 'different' to that produced in Step #1.
Step #3 – Activate the write blocking device
a) Remove the media from your forensic workstation.
b) Attach and/or activate the write protection device.
c) Follow any specific activation procedures for the specific blocker.
Step #4 – Test the write blocking device
a) Insert the media into your forensic workstation.
b) Attempt to copy files onto the media.
c) Attempt to delete files from the media.
d) Attempt to format the media.
Step #5 – Check for any changes to the media
a) Image the media into the Step-5 folder and note the MD5 hash.
b) Validate that this MD5 hash is the 'same' as the MD5 hash from Step #2.”
Prepare the media:
Step 1a: I attached a 2GB SanDisk USB thumb drive to my laptop.
Step 1b & 1c: I used the application DiskWipe, downloaded at http://www.diskwipe.org to sterilize my USB media. After formatting the USB device, I confirmed the usable partition was zeroed out using a hex editor.
Step 1d: Four files, totaling 81.2MB, were copied to the newly formatted thumb drive.
Step 1e: One file was deleted, leaving three files consuming a total of 28.3MB of storage space on the thumb drive.
Step 1f & 1g: I created the required folders on my desktop and created a forensic copy of the thumb drive using FTK Imager. The MD5 hash value: 8c494803b54c8a72c67a8ee2aedc7d38.
Testing the media:
Step 2a: The thumb drive was properly ejected from the laptop. After approximately 15 seconds, the thumb drive was connected to the laptop using a different USB port than before.
Step 2b: Four more files were copied to the thumb drive, for a total of seven files on the thumb drive. The seven files occupy 41.5MB of storage space on the thumb drive.
Step 2c: Six files were deleted from the thumb drive. Currently only one file remains on the thumb drive, occupying 22.4MB of storage space on the thumb drive.
Step 2d: I created a forensic copy of the thumb drive using FTK Imager. The MD5 hash value: 8a69859fdc18c0d0d0e280a4b44a626d.
Step 2e: The MD5 hash value in Step 2d is different from the MD5 hash value in Step 1g.
Activate the write blocking device
Step 3a: I properly ejected the thumb drive from the laptop.
Step 3b and 3c: Having previously installed DSi USB Write Blocker software, I launched the USB write blocking software from Digital Solution, Inc. I then Enabled the software, which makes Windows Registry changes.
Test the write blocking device
Step 4a: The USB thumb drive was again connected to the laptop.
Step 4b: I attempted to copy three files to the USB thumb drive. I received the following error message during the copy process of the first file. I continued to receive this error window after several attempts at selecting ‘Try Again’. Finally I selected ‘Skip’, only to receive this same error window for the second file I had attempted to copy to the thumb drive. After selecting ‘Skip’ for the second file, I received this same error message for the third file being copied to the thumb drive.
Step 4c: I attempted to delete a file from the thumb drive by highlighting the file, then pressing the ‘Delete’ key. The file was not deleted, nor was I presented with an error message. I next tried right-clicking on the file, but was not presented with the ‘Delete’ option from the menu. Finally, I tried to drag the file to the ‘Recycle Bin’. This also did not delete the file from the thumb drive.
Step 4d: I attempted to format the thumb drive but received the following error message. I was unable to complete the format operation.
Check for any changes to the media
Step 5a & 5b: I re-imaged the device with the USB write blocker software still enabled. I was presented with the following MD5 hash value: 8a69859fdc18c0d0d0e280a4b44a626d.
I compared this hash value with the results from Step 2d and discovered the two hash values were the same. This indicates the DSi USB write blocker software worked as designed. The DSi USB write blocker software prevented write access during several different types of disk operations, while read access (imaging) continued to work.
As indicated earlier, DSi makes Windows Registry changes to prevent write access at the logical level. But what about at the physical level? Do DSi’s changes prevent physical disk access?
I installed and registered a copy of Hex Editor Neo, Professional Edition. By registering the product (paying for a license), I am now able to use Hex Editor Neo’s physical disk access feature. The free version of Neo did not offer physical access, just logical access. I found this true with other hex editors as well. The demo version of the hex editor only allowed logical access, but paying for a license would allow physical access to the device, if the software supported this feature.
I accessed the USB physical device. By default, the application opens the physical device as read-only.
I unchecked the Read-Only box.
I navigated to offset 0x003b8680 and changed the byte at this offset from 0x00 to 0xff. I was able to save my changes, even with the USB write blocker enabled. I re-imaged the device using FTK Imager. The MD5 hash was: bd79c8350de71d6f73306a1d0b716c99.
When the DSi USB Write Blocker software is enabled and I attempted to make changes at the logical level, the DSi USB Write Blocker software prevented the Operating System from accessing the device.
When I accessed the device at the physical level using a hex editor, I was able to make changes to the device without any problems.
The DSi USB Write Blocker operated as designed. Users of this and other software write blocking products need to remember that the registry settings block writes issued through the file system (logical access), but not writes issued directly to the physical device. A validation that stops at the file-copy, delete and format tests of Step 4 will pass such a product without ever exercising the path a raw-device tool uses.
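As an added example (not code from the original post, Helix Pro, NCFS or DSi), the script below carries out the hash comparison behind Steps 1, 2 and 5 of the validation process and then repeats the hex-editor test from the end of the post against a file rather than a live device, so the hash change from a single byte flip can be seen safely. Assumptions: the Step-1, Step-2 and Step-5 captures are raw image files (the post used FTK Imager; any raw dd-style output works); the three sample images are constructed in a temporary directory and are not the post's captures; the registry check reads the StorageDevicePolicies\WriteProtect value that the Windows XP SP2 software write blocker used, and it is an assumption that DSi's product sets the same value, since the post only says "Windows Registry changes". The registry check returns None on non-Windows hosts.

```python
"""Added example (not from the original post): NCFS-style hash validation of a
write blocker, plus a file-backed re-run of the physical-level byte patch."""
import hashlib
import os
import sys
import tempfile
from typing import Dict, Optional

CHUNK = 1024 * 1024  # read images in 1 MiB blocks so large captures fit in memory


def hash_image(path: str) -> Dict[str, str]:
    """MD5 (what the post records) plus SHA-256 as a second, collision-resistant check."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def validate_write_blocker(step1_img: str, step2_img: str, step5_img: str) -> Dict[str, object]:
    """Steps 2e and 5b: Step 2 must differ from Step 1 (media really changed while
    write-enabled) and Step 5 must equal Step 2 (nothing changed while blocked)."""
    h1, h2, h5 = (hash_image(p) for p in (step1_img, step2_img, step5_img))
    media_changed = h1["md5"] != h2["md5"]
    blocked = h5["md5"] == h2["md5"] and h5["sha256"] == h2["sha256"]
    return {
        "step2_differs_from_step1": media_changed,
        "step5_matches_step2": blocked,
        "passed": media_changed and blocked,
        "hashes": {"step1": h1, "step2": h2, "step5": h5},
    }


def patch_byte(path: str, offset: int, value: int) -> Dict[str, str]:
    """File-backed stand-in for the hex-editor test (the post patched offset
    0x003b8680 from 0x00 to 0xff on the raw device). Returns before/after MD5."""
    before = hash_image(path)["md5"]
    with open(path, "r+b") as fh:
        fh.seek(offset)
        old = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([value]))
    after = hash_image(path)["md5"]
    return {"offset": hex(offset), "old": old.hex(), "new": f"{value:02x}",
            "md5_before": before, "md5_after": after}


def registry_write_protect_enabled() -> Optional[bool]:
    """Read HKLM\\SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies\\WriteProtect,
    the value the XP SP2 method uses (assumed, not confirmed, for DSi's tool).
    None means not Windows or the value is absent."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    try:
        key_path = r"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "WriteProtect")
            return value == 1
    except OSError:
        return None


def build_demo(workdir: Optional[str] = None) -> Dict[str, str]:
    """Constructed sample images standing in for the Step-1/2/5 captures:
    Step 1 is blank, Step 2 has data written, Step 5 is identical to Step 2."""
    workdir = workdir or tempfile.mkdtemp(prefix="wb-validate-")
    content = {
        "step1": b"\x00" * 4096,
        "step2": b"\x00" * 2048 + b"FILE7" + b"\x00" * 2043,
    }
    content["step5"] = content["step2"]  # blocker held: nothing changed after Step 4
    paths = {}
    for name, data in content.items():
        p = os.path.join(workdir, f"{name}.dd")
        with open(p, "wb") as fh:
            fh.write(data)
        paths[name] = p
    return paths


if __name__ == "__main__":
    paths = build_demo()
    result = validate_write_blocker(paths["step1"], paths["step2"], paths["step5"])
    print("NCFS validation passed:", result["passed"])
    # Physical-level write: one byte is enough to break the Step-5 match.
    print("byte patch:", patch_byte(paths["step5"], 0x100, 0xFF))
    result = validate_write_blocker(paths["step1"], paths["step2"], paths["step5"])
    print("validation after raw patch:", result["passed"])
    print("WriteProtect registry value:", registry_write_protect_enabled())
```

Run on real captures, `validate_write_blocker` takes the three image paths in place of the constructed ones. The second validation run after `patch_byte` is the point of the post in miniature: a blocker that passes the Step-4 file-system tests still fails the moment a tool writes to the device below the file system, and only a re-image after that kind of write reveals it.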
Your comments are always welcome.