Forensic Data Acquisition – Hardware Write Blockers


Hello everyone. Today we’re going to be talking about write blockers. This
week we were talking about acquisition and acquiring data, and one of the
things we have to do is make sure we do not modify the suspect disk. We do not
want to change anything on the original suspect disk.

So we have here an external write blocker, and this is a Tableau forensic
write blocker. And I can see on the left-hand side here, this is the side that
I connect to my forensic workstation or the computer that I have, and I see
that it supports different versions of FireWire, USB 2.0 (which I know is
going to be relatively slow), and then also eSATA. eSATA is probably going to
be one of the faster connections, so I’m probably going to want to use the
eSATA connection to connect to my forensic workstation if I can.

So, just some of the connectors on the side here: we see different types of
FireWire. This is the port or the connector for power coming into the write
blocking device, because it has to have power to work. So we have power coming
into the write blocking device, and then we choose one of these connectors that
we want to connect back to our forensic workstation. It can be USB, but that
will be relatively slow; FireWire, which some computers don’t support anymore;
and then I have eSATA, and like I said, that’s probably going to be one of the
faster ways to connect, so
I can see, whenever I actually plug this in, I have a couple of different
identifiers here. We have a power button to actually turn the device on. So:
does the device have power? Can we detect the device, the actual suspect device
that we’re connecting to it? Can we detect the host that we’re connecting to?
Is write blocking actually enabled? And is there activity going on, so is there
any activity from the host to the device?

And what I haven’t shown you yet: on this side we have connectors for the
actual, they’re called, device, so the suspect device will go on this side.
This is a connector for SATA, so this supports SATA connectors, and this is
actually the power for the SATA connector. And here I have one of the
connectors for SATA or a SATA disk, so I can see that this would be like an
internal SATA disk, and these are the connectors: this is for power and this is
for the actual data transmission. So I can connect the SATA connector to the
write blocker like this.

OK, so now I have basically coming in a
SATA connector that would connect to, for example, a hard drive, and I have a
SATA connector going through, connecting to the write blocker and then
connecting out to my forensic workstation. The idea is that my forensic
workstation should be able to connect to this and see the hard drive like a
normal hard drive, but not be able to write anything to the hard drive. It can
only read from the hard drive and not write back to it.

So here I have a hard drive, and this is a SATA hard drive, so it should be
internal; it’s an internal hard drive. I can tell it’s SATA because of this
connector: this is basically the point for data, this is the point for power.
So this is basically a normal internal SATA hard drive. This is a hard disk
drive, not a solid state disk. And again, we’re dealing with hard drives: we
never want to touch the circuitry. Do not put your hands directly on anything
green. You see I’m holding everything basically from the sides; the sides are
usually the point where you want to hold these devices. So I can see that it’s
SATA.

So we have our write blocker here, and I have my SATA connector already plugged
in or connected up. I want to connect my hard drive (hope this gets on camera)
basically like this. And now we have, if you can see it, our suspect hard
drive: it will receive power and transmit data to our write blocker, our write
blocker will be connected back to our forensic workstation, and this device
will prevent us writing or changing any data on the hard disk. So what we’re
able to do now is acquire all of the data from this hard disk without having to
worry about any changes to the hard disk.

Now, you did see before there are a few indicator lights, for example power,
device detect, host detect, write block. We definitely want to make sure, if we
plug the write blocker in to begin with, that host detect is lit up. And
usually what you should do is have a test hard drive that you can connect up,
and make sure that write block is actually enabled: make sure that the write
block light is on, make sure the device detect light is on, with your test hard
drive first. You do not want to use the suspect hard drive to begin with; you
want to use your test hard drive first. Once you know that your write blocker’s
working OK, then you can disconnect and connect back up the suspect disk and
start working with the suspect disk.

OK, so this is my
SATA write blocker. I also have another write blocker here. Tableau makes quite
a few different types, and they basically have the same lights or indicator
lights. Again, this one also has a menu for older things. We have power over
here, and on one side we have USB, on the other side we have USB, so in this
case this is a USB write blocker, because a lot of disks we get might be USB
hard drives. So this is basically the same concept: we have this write blocker,
we will put the device, and this is USB 3.0, so we know it’s going to be
relatively quick. We have the device on this side, we can just plug in the
suspect device, in this case the USB stick, and then out on the other side this
connects back to our host, our host computer.

Now, in this case, because I’m dealing with a flash disk (USB sticks are
usually flash), the write blocker will block my forensic workstation from
writing any changes to this disk. However, this has a controller inside of it,
and some changes are possible because of the way that flash memory works, so we
have to be careful about that. If we, for example, get a different hash value
after we acquire this disk image, it could be because of the internal workings
of the flash drive, or it could be because our write blocker was done
inappropriately or incorrectly, or maybe it’s bad or something. So definitely
make sure, before you actually use suspect disks with your write blockers, you
always test the disk to make sure that it is working as you expect it to work.
And then also think about the media you’re using. If you’re using something
like flash, well, how does flash storage work? How do hard disk drives work?
And what are the chances of the data changing based on something either you’ve
done or the way that they just work normally?

So that’s it for external write blockers. Next we’ll talk about how to acquire
data from these disks directly.
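
The hash check mentioned above, as an added example that is not part of the original video or transcript: a Python example that hashes the data while imaging and then re-hashes both the image and the source, so a mismatch points either at the image file or at the source side (flash controller behaviour or a write blocker problem). The function names and verdict strings are hypothetical, and the source path is assumed to be a test drive or file that is readable through the write blocker.

```python
import hashlib

CHUNK = 1024 * 1024  # read 1 MiB at a time


def sha256_of(path):
    """Hash a file or block device by streaming it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Copy source to image, hashing the bytes as they are read.

    The source is opened read-only. The image is opened with "xb", so an
    existing image file is never overwritten. Returns the acquisition hash.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify(source, image, acquisition_hash):
    """Re-hash image and source and report which one, if any, diverged."""
    if sha256_of(image) != acquisition_hash:
        return "image_mismatch"   # image file differs from the bytes read
    if sha256_of(source) != acquisition_hash:
        return "source_changed"   # source differs now: check blocker and media
    return "verified"


if __name__ == "__main__":
    import sys
    # Usage (hypothetical paths): python acquire.py /dev/sdX image.dd
    src_path, img_path = sys.argv[1], sys.argv[2]
    digest = acquire(src_path, img_path)
    print(digest, verify(src_path, img_path, digest))
```

Running it against the test drive first, before the suspect disk, follows the order described in the video: a "source_changed" result on a test hard disk drive points at the write blocker setup rather than at flash behaviour.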

3 Replies to “Forensic Data Acquisition – Hardware Write Blockers”

  1. Are write blockers always used within law enforcement? If I'm self-teaching forensics, is it worth investing in one? Awesome video as always. 🙂

  2. Hi DFIR.Science, did you get a Digital Forensics degree before you started working in this field? Certificates required?
