HARDWARE WRITE BLOCKING

You should have some means of assuring that you are not altering the subject’s hard drives and/or other media when creating images. The traditional way to do this is to use a hardware write blocker. In many cases, hardware write blockers are protocol-specific (SATA, IDE, SCSI, etc.).

Hardware write blockers tend to be a little pricey. A cheaper model might cost upwards of US$350. Because they are expensive, you might not be able to afford a set of blockers for all possible protocols. If you can only afford one blocker, I recommend you buy a SATA unit, as that is by far what the majority of systems will be using. A relatively inexpensive blocker is shown in Figure 4.2. If you find yourself doing a lot of Linux response in data centers, a SCSI unit might be a good choice for a second blocker.

FIGURE 4.2

A Tableau SATA write blocker.

There are a few cheaper open-source options available, but they tend to have limitations. One such option is a microcontroller-based USB write blocker which I developed and described in a course on USB forensics at PentesterAcademy.com (http://www.pentesteracademy.com/course?id=16). I do not recommend the use of this device for large media, however, as it is limited to USB 2.0 full speed (12 Mbps). I may port this code to a new microcontroller that is capable of higher speeds (at least 480 Mbps) at some point, but for the moment I recommend the Udev rules method described later in this chapter.
