Saturday, January 3, 2015

EDC - Write blocker Verification

Within forensics protecting your original media is of the highest importance. Being able to verify that your write blocker is functioning is a requirement for all laboratories, office practitioners, and wandering semi-nomadic analysts.

  • How do you know your write blocker is functioning? 
  • When was the last time it was verified as functional? 

The downside is that verifying a write blocker is fairly time consuming. For a single write blocker, even the simplest verification process requires hashing the test media at least twice: once before and once after an attempted write through the blocker, with matching hashes showing that the write never reached the media. A single-pass hash of a modern hard drive can take hours; multiply that by two and the machine is down for the day. If your agency or organization has a more rigorous process, it is a much larger time sink.
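The hash, write, hash sequence above, as an added example script that is not part of the original post or any write blocker vendor's tooling. It assumes `sha256sum` and `dd` from coreutils, that the blocked media is a block device such as /dev/sdb you have read access to, and it writes a marker that carries the time and PID so the attempted write can never coincide with what is already on the media (a zero fill over an already zeroed region would leave the hash unchanged and pass falsely). The `refuse_write` stand-in exists only so the check can be exercised against a plain image file without a blocker in the path:

```shell
#!/bin/sh
# Write-blocker check: hash the media, attempt a write through the blocker,
# hash again, and confirm the marker did not land.
# Usage (on a real kit): . ./wb_check.sh && verify_write_block /dev/sdb

hash_media() {
    # Whole-media SHA-256; sha256sum (coreutils) is assumed to be installed.
    sha256sum "$1" | cut -d' ' -f1
}

attempt_write() {
    # Try to write a unique marker at byte offset $2 of $1 and print the marker.
    # Errors are swallowed: a working blocker may surface as an I/O error or
    # as a silently discarded write, and both must count as "blocked".
    marker="WB-TEST-$(date +%s)-$$"
    printf '%s' "$marker" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null || true
    sync
    printf '%s' "$marker"
}

refuse_write() {
    # Hypothetical stand-in for a functioning blocker: never touches the media.
    printf 'WB-TEST-refused'
}

verify_write_block() {
    # $1 media, $2 writer function (default attempt_write), $3 byte offset.
    dev="$1"; writer="${2:-attempt_write}"; offset="${3:-4096}"
    before=$(hash_media "$dev")
    marker=$($writer "$dev" "$offset")
    after=$(hash_media "$dev")
    # Read back the region the write targeted; the marker must NOT be there.
    readback=$(dd if="$dev" bs=1 skip="$offset" count="${#marker}" 2>/dev/null)
    if [ "$before" = "$after" ] && [ "$readback" != "$marker" ]; then
        echo "PASS $dev: hash unchanged ($before), marker not written"
        return 0
    fi
    echo "FAIL $dev: before=$before after=$after marker_present=$([ "$readback" = "$marker" ] && echo yes || echo no)"
    return 1
}
```

Two points a practitioner will want with this: run it once with the blocker out of the path (or against a scratch image, as the stand-in does) to prove the check can actually detect a write, since a test that cannot fail proves nothing; and with a hardware blocker, the OS may buffer the attempted write and serve it back from cache, so take the second hash after detaching and reattaching the media rather than trusting `sync` alone.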

Additional downsides:

  • Hard drives are heavy.
  • Hard drives are fragile. 

What are the options for making this process quicker?

  • Use a faster hard drive.
  • Use a smaller hard drive. 

Solution: Don't use a hard drive. Use flash media.

  • Flash media is fast. 
  • Flash media is small and portable.
  • Flash media is far sturdier than a platter-based hard drive.

I have as part of my portable kit the following solution:

  1. Compact flash to SATA adapter.
  2. Compact flash to IDE adapter.
  3. Several small (1GB) CF cards.

Transcend 1GB 133x compact flash card

CF card with SATA adapter attached to write blocker.

CF card with IDE adapter attached to write blocker.

Pictured above is the elapsed time for hashing the media, captured just before it hit 100%. A 1GB card took approximately one minute to hash. If you hash twice, that is two minutes plus some change for swapping the media. If you have to verify the ten built-in write blockers in your lab machines plus the four portable write blocker kits, what was once a grueling slog through the verification process becomes a simple task.

When I started to use this solution for testing I was using both compact flash media and SD card media. It worked fine at the time. Eventually, I rebuilt my kit and purchased new adapters. I started to have problems with the length of time it was taking to hash. Inexplicably, this quick, short procedure suddenly became a long, painful process, sometimes stalling out. So I stopped using the kit and switched back to the platter-based hard drives for a while. A couple of write blocker firmware upgrades later, and a retooling of the kit, and I'm back to using it.

With the latest iteration of my kit I've gone to using only CF cards. A CompactFlash card is an ATA device: it has its own ATA controller and an ATA-compatible electrical interface, so in True IDE mode a CF-to-IDE adapter is little more than passive wiring and the ATA commands pass straight through. (A CF-to-SATA adapter does contain a PATA-to-SATA bridge chip, so it is not entirely passive, but it is still translating ATA to ATA.) An SD card SATA or IDE adapter, by contrast, has to translate every instruction from the ATA protocol and interface to the SD card protocol and interface.

Simply put, a CF card speaks native hard drive and the SD card requires a translator.

As always, verify and validate your tools. There are many adapter vendors out there; some have worked for me, others tried my patience until the product was stress tested in an aggressive manner.
