Software Write Blocking

The Problem

When a digital forensics professional investigates a piece of storage media, they must use "write blocking" to ensure that the media is not altered during the investigation. The state of the practice is to use hardware write blockers. These devices are very expensive and are awkward, since they require physical connections and a different connector for each type of interface (IDE, SCSI, USB, etc.). Furthermore, disk imaging using hardware write blockers is slowed considerably by the protocol translations that the device must perform.

Solution

Our Software Write Blocker Team developed a technique that performs sound write blocking within the Windows operating systems. The URI software write blocking tool installs in the Windows driver stack, providing robust write blocking for all applications. It provides automatic write blocking of all directly-attached media, including IDE (PATA & SATA), SCSI, FC, SAS, USB, and IEEE1394. This includes the ability to simultaneously write block as many disk devices as are connected to a computer without the need for multiple expensive hardware write blocking devices.

The user controls automatic write blocking policies for fixed and/or removable disks. The user can have the write blocking tool remember each fixed device's blocked or un-blocked status for ease of use on media repeatedly used on a workstation/laptop. The tool uses a simple Windows GUI that lets the user block and un-block any disk or flash storage device detected by Windows. Devices are listed in a tree by type (USB, SCSI, IDE) and, where appropriate, by controller and channel.

Our tests show that the URI software write blocker on a Windows workstation allows for write blocked, Windows-based disk imaging speeds that are significantly faster than imaging in Windows using commercially available hardware-based write blockers. In terms of "forensic soundness", the US National Institute of Standards (NIST) tested an original Windows software write blocker available only to U.S. law enforcement. URI's software write blocker was tested against the NIST test suite and passed all tests as described in our Technical Reports.

Results

The results of this research have been transitioned to ForensicSoft Inc, which markets it as the SAFE Block software write blocker.

Support

This research is partially supported by the National Institute of Justice.