Monday, June 20, 2011

Testing My Software Write Blocker!

I was finally able to get a software write blocker installed on my laptop! If you read my previous post, I am using a Windows 7 laptop and was going to install Document-Solutions’ DSi USB Write-Blocker.  This was the only software write blocking application that indicated it was tested, or designed, for the Windows 7 (32 bit and 64 bit) OS. (Note: On 06-20-2011, I learned the ACESLE web site now offers software write blocking for Windows Vista and Windows 7, 32 bit and 64 bit.)

I am also a Helix Pro user.  It would be nice if they would continue to update the product (personal comment).  Oh well…Anyway.  From the Helix Pro manual is the following validation process.  I used this validation process to test the DSi USB Write Blocker software.  I also added a step, which included accessing the device at the physical level with a hex editor.

From the Helix Pro manual: “This process is based on the National Center for Forensic Science (NCFS) 5 step validation process for testing write protection devices (Erickson, 2004). It was originally designed to test the Windows XP SP2 USB software write blocker, but has been adapted to test any hardware and/or software write blockers.
Step #1 – Prepare the media
a) Attach the storage media you will be testing with to your forensic workstation
in write-enabled mode.
b) Wipe the media - validate that this has been successful.
c) Format the media with a file format of your choosing.
d) Copy an amount of data to the media.
e) Delete a selection of this data from the media.
f) On the desktop of your forensic workstation create 3 folders. Call these Step-1, Step-2 and Step-5.
g) Image the media into the Step-1 folder and note the MD5 hash.
Step #2 – Testing the media
a) Remove and then replace the testing media into your forensic workstation.
b) Copy some data to the media.
c) Delete a selection of this data from the media.
d) Image the media into the Step-2 folder and note the MD5 hash.
e) Validate that this hash value is 'different' to that produced in Step #1.
Step #3 – Activate the write blocking device
a) Remove the media from your forensic workstation.
b) Attach and/or activate the write protection device.
c) Follow any specific activation procedures for the specific blocker.
Step #4 – Test the write blocking device
a) Insert the media into your forensic workstation.
b) Attempt to copy files onto the media.
c) Attempt to delete files from the media.
d) Attempt to format the media.
Step #5 – Check for any changes to the media
a) Image the media into the Step-3 folder and note the MD5 hash.
b) Validate that this MD5 hash is the 'same' as the MD5 hash from Step #2.”

My results:

Prepare the media:

Step 1a: I attached a 2GB SanDisk USB thumb drive to my laptop.

Step 1b & 1c: I used the application DiskWipe, downloaded at http://www.diskwipe.org, to sterilize my USB media.  After formatting the USB device, I confirmed the usable partition was zeroed out using a hex editor.

Step 1d:  Four files, totaling 81.2MB, were copied to the newly formatted thumb drive. 

Step 1e:  One file was deleted, leaving three files consuming a total of 28.3MB of storage space on the thumb drive.

Step 1f & 1g: I created the required folders on my desktop and created a forensic copy of the thumb drive using FTK Imager.  The MD5 hash value: 8c494803b54c8a72c67a8ee2aedc7d38.

Testing the media:

Step 2a: The thumb drive was properly ejected from the laptop. After approximately 15 seconds, the thumb drive was connected to the laptop using a different USB port than before.

Step 2b: Four more files were copied to the thumb drive, for a total of seven files on the thumb drive.  The seven files occupy 41.5MB of storage space on the thumb drive. 

Step 2c: Six files were deleted from the thumb drive.  Currently only one file remains on the thumb drive, occupying 22.4MB of storage space on the thumb drive.

Step 2d: I created a forensic copy of the thumb drive using FTK Imager.  The MD5 hash value: 8a69859fdc18c0d0d0e280a4b44a626d. 

Step 2e: The MD5 hash value in Step 2d is different from the MD5 hash value in Step 1g. 

Activate the write blocking device

Step 3a: I properly ejected the thumb drive from the laptop.

Step 3b and 3c: Having previously installed DSi USB Write Blocker software, I launched the USB write blocking software from Digital Solution, Inc.  I then enabled the software, which makes Windows Registry changes.

Test the write blocking device

Step 4a: The USB thumb drive was again connected to the laptop.

Step 4b: I attempted to copy three files to the USB thumb drive.  I received the following error message during the copy process of the first file.  I continued to receive this error window after several attempts of selecting ‘Try Again’.  Finally I selected ‘Skip’, only to receive this same error window for the second file I had attempted to copy to the thumb drive.  After selecting ‘Skip’ for the second file, I received this same error message for the third file being copied to the thumb drive.

Step 4c: I attempted to delete a file from the thumb drive by highlighting the file, then depressing the ‘Delete’ button.  The file was not deleted, nor was I presented with an error message.  I next tried to right mouse click on the file, but was not presented with the ‘Delete’ option from the menu.  Finally, I tried to drag the file to the ‘Recycle Bin’.  This also did not delete the file from the thumb drive.

Step 4d: I attempted to format the thumb drive but received the following error message.  I was unable to complete the format operation.

Check for any changes to the media

Step 5a & 5b: I re-imaged the device with the USB write blocker software still enabled.  I was presented with the following MD5 hash value: 8a69859fdc18c0d0d0e280a4b44a626d.

I compared this hash value with the results from Step 2d and discovered the two hash values were the same.  This indicates the DSi USB write blocker software worked as designed.  The DSi USB write blocker software prevented disk access during several different types of disk operations.

As indicated earlier, DSi makes Windows Registry changes to prevent disk access at the logical level.  But what about at the physical level?  Do DSi’s changes prevent physical disk access?

I installed and registered a copy of Hex Editor Neo, Professional Edition.  By registering the product (paying for a license), I am now able to use Hex Editor Neo’s physical disk access feature.  The free version of Neo did not offer physical access, just logical access.  I found this true with other hex editors as well.  The demo version of the hex editor only allowed logical access, but paying for a license would allow physical access to the device, if the software supported this feature.

I accessed the USB physical device.  By default, the application opens the physical device as read-only. 

I unchecked the Read-Only box.

I navigated to offset 0x003b8680 and changed this offset from 0x00 to 0xff.  I was able to save my changes, even with the USB write blocker enabled.  I re-imaged the device using FTK Imager.  The MD5 hash was: bd79c8350de71d6f73306a1d0b716c99.

Conclusions:

When the DSi USB Write Blocker software is enabled and I attempted to make changes at the logical level, the DSi USB Write Blocker software prevented the Operating System from accessing the device.

When I accessed the device at the physical level using a hex editor, I was able to make changes to the device without any problems.

The DSi USB Write Blocker operated as designed.  Users of this and other software write blocking products need to remember the registry settings will prevent logical access, but not physical access.
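The hash comparisons that decide the NCFS five-step process, and the physical-level result above, can be expressed as a small check script. The following is an added example written for this post; it is not code from the Helix Pro manual, NCFS, or Document-Solutions. The "images" are constructed in-memory byte strings standing in for the Step-1, Step-2 and Step-5 acquisitions, so nothing here reads real media; the raw-offset scenario writes a single byte in the constructed image the way the hex editor wrote 0xff to the thumb drive, and the offset 0x0800 is chosen to fit the constructed media rather than the 2GB device in the post.

```python
"""Hash-comparison logic for the NCFS five-step write-blocker validation.

Added example. The media here are constructed byte strings, not real images.
"""
import hashlib
import io
from dataclasses import dataclass

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time; real disk images do not fit in RAM


def md5_of_image(stream) -> str:
    """MD5 hex digest of a file-like object, read in chunks as an imager would."""
    digest = hashlib.md5()
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest()


def md5_of_bytes(data: bytes) -> str:
    """Convenience wrapper for in-memory media."""
    return md5_of_image(io.BytesIO(data))


@dataclass(frozen=True)
class ValidationResult:
    passed: bool
    reason: str


def validate_write_blocker(step1_md5: str, step2_md5: str, step5_md5: str) -> ValidationResult:
    """Apply the two hash comparisons of the five-step process.

    Step 2e: the Step-2 image (taken after write-enabled changes) must differ
    from Step-1; if it does not, the test never modified the media and the
    Step-5 comparison proves nothing.
    Step 5b: the Step-5 image (taken after attempted writes with the blocker
    active) must equal Step-2; any difference means a write reached the media.
    """
    if step1_md5.lower() == step2_md5.lower():
        return ValidationResult(False, "Step 2e failed: media unchanged by write-enabled test, setup invalid")
    if step5_md5.lower() != step2_md5.lower():
        return ValidationResult(False, "Step 5b failed: media changed while blocker was active")
    return ValidationResult(True, "Step 5b passed: media unchanged while blocker was active")


def write_byte(image: bytes, offset: int, value: int) -> bytes:
    """Copy of `image` with one byte replaced; models a hex editor writing at a raw offset."""
    if not 0 <= offset < len(image):
        raise ValueError("offset outside media")
    return image[:offset] + bytes([value]) + image[offset + 1:]


# Constructed media: 4 KiB of zeros stands in for the wiped thumb drive.
WIPED_MEDIA = bytes(4096)
# Hypothetical raw offset inside the constructed media (the post used 0x003b8680 on a 2GB device).
PHYSICAL_OFFSET = 0x0800


def run_scenarios() -> dict:
    """Three constructed outcomes: blocker holds, raw write bypasses it, broken test setup."""
    step1 = WIPED_MEDIA
    # Step 2: data copied and deleted with the blocker off, so the media differs from Step 1.
    step2 = write_byte(step1, 0x0200, 0x55)
    h1, h2 = md5_of_bytes(step1), md5_of_bytes(step2)

    # Scenario A: copy, delete and format are all refused; the Step-5 image equals Step-2.
    step5_blocked = step2
    # Scenario B: one byte written at a raw offset while the blocker was enabled.
    step5_raw_write = write_byte(step2, PHYSICAL_OFFSET, 0xFF)

    return {
        "logical_writes_blocked": validate_write_blocker(h1, h2, md5_of_bytes(step5_blocked)),
        "raw_offset_write": validate_write_blocker(h1, h2, md5_of_bytes(step5_raw_write)),
        "setup_error": validate_write_blocker(h1, h1, h1),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} {'PASS' if result.passed else 'FAIL'}  {result.reason}")
```

Running the script prints PASS for the logical-only scenario and FAIL for the raw-offset write, which is exactly the pair of outcomes observed above: the Step-5 comparison catches a single changed byte regardless of whether the write came through the file system or a raw device handle, so the process should be repeated with a physical-access tool whenever one is available to the examiner.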

Your comments are always welcome.

Saturday, March 26, 2011

Where can I find a cheap ($$$$) write blocker?

I am attempting to use the Windows Operating System as the main OS for my computer forensic needs. However, this particular OS does not offer a safe forensic environment without some assistance.  For this safe forensic environment to occur, I need to have some type of write blocking device (hardware or software) to prevent Windows from ‘touching’ and getting its dirty little finger prints all over my media.

Since this blog is about low cost Windows forensic options, hardware write blockers will not be discussed.  Why…Because they are rather expensive (money wise) and thus do not fit into this blog’s topic.   It is my belief you get what you pay for, so if you find a hardware write blocking device for say…$10.00, well…you get my drift.  And yes, I know, the same can also be said about software write blockers as well.  No matter what product you use, you NEED to validate the product and determine it is operating as designed!

My mobile forensic acquisition machine is a Sony Vaio laptop computer with Windows 7 installed (32-bit) and 3GB of RAM.  I have a couple of available USB 2.0 ports and a FireWire 400 port.  I use AccessData’s FTK Imager (http://accessdata.com/support/adownloads) as my acquisition tool.  It’s free; I just need to provide AccessData with my email address to download their product.

What software write blocking solutions are out there?  Hmmmm…Back in the day I used a product called ‘WriteBlocker XP (WBXP) Version 6.10’ from the https://acesle.org web site.  This tool was tested by the National Institute of Justice and found to operate as designed.  (http://www.nij.gov/pubs-sum/220222.htm)  However, I no longer have access to this site, and as previously stated, I am using Windows 7, not XP.

I found this white paper on AccessData’s web site (http://accessdata.com/media/en_us/print/papers/wp.USB_Write_Protect.en_us.pdf) discussing how to modify the Windows XP (SP2) Registry to write protect USB devices.  When modifying the Windows Registry, PLEASE be careful.  The paper clearly explains the modification process and even offers a free tool from the National Center of Forensic Science to automate this process.  The NCFS also lists a five step validation process so you can test your handy work.  Even though this is for an XP box, I could modify my Windows 7 Registry and then validate the results, to see if this would be an option.

Another tool brought to my attention is from Document-Solutions, Inc., called DSi USB Write-Blocker (http://document-solutions.biz/downloads/?did=9).  This tool also makes Windows Registry changes, and provides a nice little icon in the System Tray to let the user know when the DSi Write-Blocker is enabled or disabled.  According to the Document Solutions web site, their utility is compatible with the following operating systems.
  • Windows XP (w/SP2 and Higher, 32bit & 64bit)
  • Windows Vista (32bit & 64bit)
  • Windows 7 (32bit & 64bit)
This tool has potential since it appears to be Windows 7 compatible.

Another tool I was not aware of is from Mid Michigan Computer Forensics Group (http://www.m2cfg.com/usb_writeblock.htm).  The program is called: M2CFG USB WriteBlock. This tool modifies the Windows Registry on a Windows XP (SP2) computer.  There is no mention on the web site if the USB write blocker application has been tested on newer Windows operating systems.  Based on the web site, the M2CFG USB WriteBlock does not initially meet my Windows 7 OS requirements.  Further testing will be needed to see if it is compatible with Windows 7.

Need a USB blocker for the corporate environment?  Check out http://www.netwrix.com/usb_blocker_freeware.html.  Notice I said blocker, not write blocker.  There is a difference.  This application is for the corporate environment.  The free version is for the small office environment.  One of its many uses that I see is the prevention of Intellectual Property theft.  The application will prevent USB devices from being recognized by the OS when plugged into the employee’s computer workstation.  For what I want to do, this is not the application for me, but worth mentioning.

The last software USB write blocker application I am aware of is called Thumbscrew.  This application can be downloaded at http://www.irongeek.com/i.php?page=security/thumbscrew-software-usb-write-blocker.  The author openly warns everyone downloading his application that the program is not 100% forensically sound. This application, like the others, modifies the Windows Registry to accomplish read-only, or write blocker, status.

Once you have made your selection as to which of the above software write blocking applications you want to try, validate, validate, validate, on a test device BEFORE using the application in the field.

I am going to install and test Document-Solutions’ DSi USB Write-Blocker.  I will let you know how it goes!