Thumbscrew: Software USB Write Blocker
Thumbscrew is my attempt at a poor man's USB write blocker. When used, it allows you to quickly enable or disable writing to all USB mass storage devices on your Windows system. In other words, you can use it to make a USB flash drive, hard drive, or IDE / SATA drive in an enclosure read only. However, I make no guarantees as to its forensic validity. Still, if you're poor and you want to play around with making forensic images of thumb drives and other USB mass storage devices, it may come in handy. You will see one of two icons in your system tray to indicate whether or not USB mass storage devices are set to be read only:
Simply click on the icon and choose the menu item to toggle write access. All Thumbscrew really does is flip a bit in the registry at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
Thumbscrew has a few limitations:
1. I can't guarantee it's 100% forensically sound. Buy a proven USB hardware write blocker if you want to be sure.
2. USB mass storage devices that are already mounted as writeable will stay writeable until they are removed and reinserted. The same applies if you turn off read only protection while a USB mass storage device is active: it will become writable and stay that way until removed and reinserted.
Hope someone finds this program useful.
Let’s say we're using some flavor of Linux and we mount a partition using the following command:
The partition is supposed to be read-only so that the OS and user cannot write to the disk without changing the mount permissions.
From the ForensicsWiki:
Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands, hence their name.
This seems to me to be just a way to prevent accidental flags. The page also says that there are additional features to some write-blockers, such as slowing the disk down to prevent damage. But for this let’s assume it is just a simple one that can only block writing.
If you can just mount a disk in read-only mode, what is the point of buying something such as a write blocker? Is this just to help prevent things such as an accidental mount command with write permissions (user error, which cannot be permitted in some instances, i.e. criminal cases), or am I missing some more of the in-depth features of how filesystems work?
Note: I am aware that some SSDs shuffle data continuously, I am not sure whether to include them in the question or not. It seems like that would make it much more complicated.
4 Answers
The Journal of Digital Forensics, Security and Law has an excellent article, A STUDY OF FORENSIC IMAGING IN THE ABSENCE OF WRITE-BLOCKERS, that analyses forensic capture both with and without write blockers. From the journal:
Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker are immediately suspect.
Merely mounting a file system can cause reads/writes. Many modern filesystems, from ext3/4 and xfs to NTFS, have a journal that maintains metadata about the filesystem itself. If power is lost, a shutdown is incomplete, or for a number of other reasons, this journal is automatically read and written back to file structures across the drive to maintain consistency of the filesystem itself. This may happen during the mount process, whether or not the file-system is read-write.
For example, from the ext4 documentation, the ro mount option will...
Mount filesystem read only. Note that ext4 will replay the journal (and thus write to the partition) even when mounted 'read only'. The mount options 'ro,noload' can be used to prevent writes to the filesystem.
Although these driver level changes do not affect the content of files, it is a forensics standard to take cryptographic hashes of evidence upon collection in order to maintain a chain of custody. If one can show that the hash, i.e. sha256, of currently held evidence matches what was collected, then you can prove beyond reasonable doubt that the drive's data has not been modified during the analysis process.
Digital evidence can be cited as evidence in nearly every crime category. Forensic investigators need to be absolutely certain that the data they obtain as evidence has not been altered in any way during the capture, analysis, and control. Attorneys, judges and jurors need to feel confident that the information presented in a computer crime case is legitimate. How can an investigator ensure for certain that his or her evidence is accepted in court?
According to the National Institute of Standards and Technology (NIST), the investigator follows a set of procedures designed to prevent the execution of any program that might modify the disk contents. http://www.cru-inc.com/data-protection-topics/writeblockers/
A write blocker is necessary, because if any bit changes for any reason—OS, driver-level, file-system level or below—then the hashes of the collected vs analysed system will no longer match, and the drive's admissibility as evidence may be questioned.
The write-blocker is thus both a technical control against the possibility of low-level changes, and a procedural control to provide assurance that no changes were made, regardless of user or software. By removing the possibility of changes, it supports hashes to be used to show that analysed evidence matches collected evidence, and prevents many potential evidence handling problems and questions.
The JDFSL article's analysis shows that without a write-blocker, changes were made to the drives they tested. However, on the contrary side, the individual data files' hashes would still be intact, so arguments for the soundness of evidence collected without a write blocker exist, but are not considered best-industry-practice.
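The answer's two technical points (ext4 replays its journal under plain "ro", and evidence is verified by hashing) can be tied together in a short acquisition check. This is an added example, not code from the thread or from Thumbscrew; it assumes a raw image file produced by dd, root privileges for mount/losetup, and sha256sum and e2fsprogs being available.

```shell
#!/bin/sh
# Added example: confirm that read-only inspection of an ext4 image leaves it
# byte-for-byte unchanged. Assumes: $1 is a raw dd image, $2 an empty mount
# point, and the script runs as root (for losetup/mount).
set -eu

# sha256 of a file, hex digest only
hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# Returns 0 when two digests match (evidence unchanged), 1 otherwise.
hashes_match() { [ "$1" = "$2" ]; }

# Mount options that stop ext4 from replaying its journal on mount.
# Plain "ro" is not enough: the ext4 docs say it still writes to the device.
SAFE_OPTS="ro,noload,noexec,nodev"

# Attach the image to a read-only loop device (losetup -r), mount it with the
# safe options, run a command against the mount point, then detach everything.
inspect_readonly() {
  img=$1; mnt=$2; shift 2
  dev=$(losetup -r -f --show "$img")   # -r: the loop device itself rejects writes
  mount -t ext4 -o "$SAFE_OPTS" "$dev" "$mnt"
  "$@" "$mnt"
  umount "$mnt"
  losetup -d "$dev"
}

# Hash, inspect read-only, hash again; fail loudly if the image changed.
# Usage: verify_image /path/to/evidence.dd /mnt/evidence
verify_image() {
  before=$(hash_file "$1")
  echo "$before  $1" > "$1.sha256"      # digest recorded for the custody log
  inspect_readonly "$1" "$2" ls -la
  after=$(hash_file "$1")
  if hashes_match "$before" "$after"; then
    echo "OK: image unchanged ($before)"
  else
    echo "ALERT: image hash changed: $before -> $after" >&2
    return 1
  fi
}
```

A non-zero exit from verify_image means the "read-only" handling wrote to the image, exactly the situation a hardware write blocker is meant to rule out.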
You can't be sure. @jakegould covers a ton of the legal and technical reasons, so I'm focusing on the operational reasons.
Firstly, you never mount a drive like that, you image an entire device. Your core premise, that you can use filesystem permissions, is wrong. You're going to use some flavour of DD or a specialised acquisition tool that should include working read only by default.
Forensics is all about being absolutely sure you've not tampered with the evidence at any stage, and that you can provide a verified copy of the drive with no changes made to it. (In fact, unless you need to do live forensics, you only touch a suspect hard drive once to image it.) So in addition to your acquisition tool being read only, it acts as a second line of defence against messing up.
The write blocker does certain things.
- It shifts the burden of proving that the drive was in fact read only, in a more idiot-proof way.
- It becomes part of your 'acquisition' rig/process, with the device guaranteed to do so by the manufacturer, which is something you want in your evidence/incident log.
In a sense it slots into the process of evidence collection and there's one less thing for your frail human self to mess up. In addition to verification that the source drive isn't written to, it might save you if you mix up source and destination.
In short it takes out one possible major weak point. You don't have to think about 'did I mount the drive readonly' or 'did I swap my source and destination in dd?'
You hook it in, and you don't need to worry if you overwrote your evidence.
You state this:
If you can just mount a disk in read-only mode, what is the point of buying something such as a write blocker?
Let’s—at a high, non-technical level—logically look at how data for evidence would be collected. And the key to all of this is neutrality.
You have a suspect of… Something in a legal or potentially legal case. Their evidence must be presented as neutral as possible. In the case of physical documents you can just take the printed materials and physically store them in a safe place. For data? The nature of computer systems inherently has an issue of data manipulation in play.
While you state you could just logically mount the volume as “read only”, who are you? And how can someone who is not you—like a court or investigator—trust your skills, systems and expertise? Meaning what makes your system so special that some background process cannot suddenly pop up on the system and start indexing it the second you plug it in? And how will you monitor that? And heck, what about file metadata? MD5s on files are useful… But if one character of metadata changes in a file, guess what? The MD5 changes.
What it comes down to is in the great scheme of things your personal technical skills have no bearing on the ability for you to present data as neutrally as possible to investigators, courts or others.
Enter a write blocker. This is not a magical device. It clearly blocks data writing on a base level and what else? Well, that’s all it does and that is all it should ever do (or not do).
A write blocker is a neutral piece of hardware made by another company to an industry accepted standard that performs one task and one task well: Prevent data writes.
To an investigator, court or others the use of a write blocker basically states, “I am a computer professional who understands data forensics and understands the need for data integrity when providing others information I am charged with gathering. I am using a physical device we all agree prevents writes to access this data to show everyone that yes, this is the evidence you need to do what you need to do.”
So the point of “buying something such as a write blocker” is to buy a tool that is universally recognized by people all over the world as a valid tool for neutral data access and collection. And that if someone else—who is not you—were to access the data with a similar write blocker, they too would get the same data in return.
Another real world example is video camera evidence. Now yes, there is a risk of video evidence being tampered with. But let’s say you witnessed a crime and saw the suspect and know that they did it. In a court, your integrity as a witness will be eviscerated by the defense as they seek to defend their client. But let’s say in addition to your eyewitness report the police get video footage of the crime happening. That impartial, unblinking eye of a neutral image capturing device lays to rest most doubts of your claims. Meaning, a “robot” thing that is not a human but can record data will backup the prosecutions case against the defense and not just your word/trust.
The reality is the world of law and legality really comes down to solid, tangible and—pretty much—irrefutable physical evidence. And a write blocker is a tool that ensures physical data evidence is as clean as possible.
JakeGould
The reason write blockers are used is because criminals could have put trap processes that destroy evidence upon an event (could be an incorrect password attempt, no reach to a specific server, an attempt to access a fake file or whatever).
Any trap processes can basically attempt to remount the device in read-write too.
The only way to be sure is to use a hardware device. Some hardware writeblockers have a switch that allows the writeblocking function to be disabled, but the most important thing is that software can never affect hardware if the hardware is not programmed to react to software signals.
The same thought can be applied to USB memories, which is why some USB memories have a physical write-protect switch.
Sometimes the investigator needs to be able to boot the suspect’s OS, that is why the investigator needs to be wary of any trap processes.
The investigation process varies between different countries because of different responsibility laws. In some countries, mere possession of certain files is illegal, it’s your responsibility to keep your computer secured, and you cannot blame the illegal files on a virus.
And in another country, it might be that possession of the file is illegal, but evidence needs to be presented that it was the suspect who placed the files and not a virus.
In the second case, the investigator might need to boot the computer to see whatever is starting up at boot in autostart/run/runonce.
In other words, criminals are by nature malicious, thus anything that could challenge the evidence’s validity in Court needs to be protected at all Costs. Also, if the criminal has put a trap that automatically destroys evidence, it will in many cases NOT be “destruction of evidence”, as opposed to manually deleting something. It could be a disaster if writes are allowed through.
An isolated hardware process is very much more secure than a software process, so writeblockers are used by investigators to secure their material from destruction, in the same way security professionals use smart cards and tokens to prevent their secrets from being compromised.