Monday, August 04, 2008

Avoid the Spoliation Factor using this software based write blocker – Lock down a HD/USB/Thumb/etc for imaging, analysis, etc

Ride the Lightning - FOR THE PROPELLER HEADS: SENSEI'S SAFE BLOCK XP TESTING

“We recently completed basic testing on ForensicSoft’s “SAFE Block XP” version 1.1, a software-based write-blocker designed for the Windows XP Operating System. The SAFE Block XP software allows for the read-only acquisition and/or analysis of any storage device attached directly to the workstation, regardless of interface or connection type. The vendor’s website provides a detailed user’s guide documenting the installation, setup and usage of the software, as well as The University of Rhode Island Digital Forensics Center’s evaluation of SAFE Block using the National Institute of Standards and Technology’s (NIST) guidelines for testing software write-blockers.

In testing the software, we conducted three simple hard-disk drive imaging comparisons using a stand-alone hardware imager, a hardware write-blocker and SAFE Block XP. All three test scenarios completed without error and resulted in the creation of an unaltered, bit-for-bit forensic image file. SAFE Block XP performed as expected, providing a level of read-write controllability not available with the other methods.

…”
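The quoted test boils down to one check: the image produced through the write blocker must be bit-for-bit identical to the source, and the source must be unchanged afterwards. Below is an added example of that check, written here for this page and not taken from Ride the Lightning or ForensicSoft. It hashes the source before acquisition, hashes the bytes as they are copied, hashes the finished image, and hashes the source again; all four must agree. It assumes the source is a plain file (the demo builds a constructed 3 MiB sample); against a real device you would pass the raw device path, for example `\\.\PhysicalDriveN` on Windows or `/dev/sdX` on Linux, which are assumptions about your workstation rather than anything the post specifies.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so a multi-GB device never has to fit in RAM


def sha256_of(path):
    """Hash a raw device node or an image file in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Bit-for-bit copy of source into image, hashing the stream as it is written.

    Returning the hash of what was actually copied means a short read or a
    truncated write shows up as a mismatch instead of passing silently.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            h.update(block)
    return h.hexdigest()


def verify_acquisition(source, image):
    """Four-hash soundness check around one acquisition.

    source_before == image_stream == image_file proves the image is bit-for-bit.
    source_after == source_before proves nothing wrote to the medium while it
    was attached, which is the whole point of the write blocker.
    """
    before = sha256_of(source)
    copied = acquire(source, image)
    on_disk = sha256_of(image)
    after = sha256_of(source)
    return {
        "source_before": before,
        "image_stream": copied,
        "image_file": on_disk,
        "source_after": after,
        "sound": before == copied == on_disk == after,
    }


def demo():
    """Run the check twice against a constructed sample 'device'.

    Between the two sessions one byte is written to the medium, standing in
    for a write that slipped past the blocker (or a drive that was plugged in
    unprotected). Each session is internally consistent, but the recorded
    evidence hash from session one no longer matches session two, which is
    exactly how such a write is caught.
    """
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "evidence.dd")   # constructed stand-in for a device
        img1 = os.path.join(d, "session1.img")
        img2 = os.path.join(d, "session2.img")

        # Constructed sample: 3 MiB of deterministic, non-trivial content.
        with open(dev, "wb") as f:
            for i in range(3):
                f.write(hashlib.sha256(bytes([i])).digest() * (CHUNK // 32))

        first = verify_acquisition(dev, img1)

        # Simulated unprotected write to the medium between sessions.
        with open(dev, "r+b") as f:
            f.seek(512)
            f.write(b"\x00")

        second = verify_acquisition(dev, img2)
        return {
            "first": first,
            "second": second,
            "medium_unchanged": first["source_before"] == second["source_before"],
        }


if __name__ == "__main__":
    result = demo()
    print("session 1 sound:", result["first"]["sound"])
    print("session 2 sound:", result["second"]["sound"])
    print("medium unchanged between sessions:", result["medium_unchanged"])
```

Record `source_before` in the chain-of-custody notes; any later re-hash of the original medium that disagrees with it is evidence that something wrote to the drive, regardless of which blocker was supposedly in the path.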

Forensics Software - SAFE Block 1.1

“SAFE Block XP is a software-based write blocker designed for the Windows XP Operating System. SAFE Block XP facilitates the quick and safe acquisition and/or analysis of any disk or flash storage media attached directly to your workstation.

  • Are Windows Software Write Blockers Viable? Many in the industry like the ease of use and lower cost of software write blockers - but are they viable for viewing evidence or making forensically sound copies of disks on Windows systems? Yes! The US National Institute of Standards (NIST) has recently tested a less-functional Windows software write blocker available only to U.S. law enforcement. SAFE Block XP V1.1 has also been tested against the NIST test suite and passed all tests. Read more...
  • SAFE Block XP Is Simple. SAFE Block XP is a simple Windows GUI interface that allows the user to block and un-block any disk or flash storage device detected by Windows. Devices are listed in a tree by type (USB, SCSI, IDE) and, where appropriate, by controller and channel.
  • SAFE Block XP Blocks Multiple Devices. SAFE Block XP provides the ability to simultaneously write block as many disk devices as are connected to a computer without the need for multiple expensive hardware write blocking devices.
  • SAFE Block XP Is Application Independent. SAFE Block XP is application independent and works with all forensic acquisition and analysis applications that run on Windows XP.
  • SAFE Block XP Is Faster Than Hardware. SAFE Block XP allows for write blocked, Windows-based, disk imaging speeds that are significantly faster than imaging in Windows using commercially available hardware-based write blockers. …

…”

This is not a free/OSS/etc product (list price is $219, free trial available), but given that it's one of those "if you need it, you really need it" tools I wanted to mention it.

The convenience of this solution is what struck a chord with me. I've used hardware write blockers and they can be a pain. And given the number of media types we can get, well, it's a losing battle. Once you get an IDE one, you need a SATA one, then a USB one, then a … and a… then… etc. This one is just an online purchase/download away vs waiting for hardware to arrive.

This software-based product appears to be a viable solution. Sure, it gives me the willies a little to think about using a Windows software-based write blocker, but given that it passed the NIST tests it seems at least worth a look.

Look guys, you've been hearing it and reading about it: you need to get ready for an electronic discovery request (if you haven't gotten one already). And that is something you REALLY don't want to screw up. (And just plugging in a drive to see if it has data can sometimes be considered "screwing up", aka spoliation, since the OS may write to a volume as soon as it mounts it.) Using a write blocker will go a LONG way toward preventing inadvertent spoliation.
