What two different options are available for write blockers and how do these options work

In a forensics investigation, a software write-blocker can be very helpful. But which vendors offer the best blockers? Security management expert Mike Rothman explains what to look for.

We are currently evaluating the use of software write-blockers. What vendors would you recommend in this space and what should we look for?

A software write-blocker is used in forensics investigations to stop the writing of new data to the drive in question. That drive could be a traditional disk drive or a USB/flash memory drive. This is important due to chain-of-custody and evidence-admissibility requirements. A computer forensics investigator must be able to prove that the disk was not tampered with once the investigation began, in order to ensure the legitimacy of the data gathered during the investigation.

In terms of vendors, it all depends on what tasks need to be accomplished. Obviously, the software should not only block writing to disk, but it also would be helpful to be able to pull the results of the tool into a case management system (like Guidance Software Inc.'s EnCase product line). It's also important that the vendor be able to point to where the tool has been used successfully in legal proceedings, since admissibility is usually a matter of precedent.

A few open source options are starting to appear (search Google for "software write-blockers" to get the latest list), and there are a few utilities like PDBLOCK and RCMP HDL available. NIST is starting to do detailed evaluations of these tools, as well as of hardware write-blockers, which might also be helpful.


This was last published in August 2008


What are the 2 types of write blocking?

Software versus hardware write blockers: the main difference between the two types is that software write blockers are installed on a forensic computer workstation, whereas hardware write blockers have write-blocking software installed on a controller chip inside a portable physical device.

How many types of write blockers are there?

There are primarily two different types of write blockers. The first type is hardware write blockers. Usually, these devices sit between an evidence drive and a forensic workstation. The second type is a software write blocker, and sometimes it's built into a computer forensics suite, like EnCase or FTK.

How do software write blockers work?

Software write blockers are installed on a forensic workstation. According to NIST's Software Write Block tool specification, a software write blocker operates by monitoring and filtering the drive I/O commands sent from an application or the operating system through a given access interface: read and information commands are passed through to the drive, while commands that would modify the media are intercepted and not forwarded.
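The following is an added illustration of that filtering model, not code from the article or from any vendor's product: a simulated software write blocker sits between an application and a constructed in-memory "drive", classifies each I/O command by NIST's categories (read, write, information, configuration, miscellaneous), passes only read and information commands, and logs the rest. It also hashes the media before and after the examination, the check an investigator records to show the chain-of-custody claim in the answer above actually holds. The command names, the drive layout and the sample command mix are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field

# Command categories from NIST's Software Write Block (SWB) specification: the blocker
# classifies every drive I/O command and forwards or rejects it by category.
READ, WRITE, INFO, CONFIG, MISC = "read", "write", "info", "config", "misc"

COMMAND_CATEGORY = {  # constructed command names, not a real ATA/SCSI opcode table
    "READ_SECTORS": READ, "VERIFY_SECTORS": READ,
    "WRITE_SECTORS": WRITE, "WRITE_LONG": WRITE,
    "IDENTIFY": INFO, "SET_FEATURES": CONFIG, "SECURITY_ERASE": MISC,
}

@dataclass
class EvidenceDrive:
    sectors: bytearray  # constructed stand-in for the subject media: 512-byte sectors

    def read(self, lba, count=1):
        return bytes(self.sectors[lba * 512:(lba + count) * 512])

@dataclass
class SoftwareWriteBlocker:
    # Sits between the application and the drive; only read and info commands pass through.
    drive: EvidenceDrive
    allowed: frozenset = frozenset({READ, INFO})
    log: list = field(default_factory=list)

    def issue(self, command, lba=0, data=b"", count=1):
        category = COMMAND_CATEGORY.get(command, MISC)  # unknown commands are treated as misc
        if category not in self.allowed:
            self.log.append(("BLOCKED", command, category))
            return None  # nothing reaches the drive; the application sees a failed command
        self.log.append(("ALLOWED", command, category))
        return self.drive.read(lba, count) if category == READ else b"CONSTRUCTED-IDENTIFY"

def image_hash(drive):
    # Hash of the whole media, recorded before and after examination for chain of custody.
    return hashlib.sha256(drive.sectors).hexdigest()

def examine(drive):
    # Push a constructed command mix through the blocker; return hashes, first sector, log.
    before = image_hash(drive)
    swb = SoftwareWriteBlocker(drive)
    swb.issue("IDENTIFY")
    first = swb.issue("READ_SECTORS", lba=0)
    swb.issue("WRITE_SECTORS", lba=0, data=b"X" * 512)  # would alter evidence: blocked
    swb.issue("SET_FEATURES")                            # drive configuration change: blocked
    swb.issue("SECURITY_ERASE")                          # destructive misc command: blocked
    return before, image_hash(drive), first, swb.log
```

Calling `examine(EvidenceDrive(bytearray(b"evidence".ljust(512, b"\0") * 4)))` returns identical before and after hashes, the first sector's contents, and a log showing the two read/info commands allowed and the three modifying commands blocked.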

What is write blocker?

A device that allows investigators to examine media while preventing data writes from occurring on the subject media; more generally, a tool that prevents all computer storage media connected to a computer from being written to or modified.