Write-Protection
Villanova University – Department of Computing Sciences – D. Justin Price – Fall 2014
Write-Block Devices
• Blocks all commands sent to the storage device that would modify data.
• Two Philosophies of Implementation
  • Write Failure
    • The device returns a write failure to the OS.
  • Write Success
    • The device returns a successful write to the OS but does not actually modify any data.
Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014
Software Based
• Pros
  – Easy to Install
  – Easy to Implement
  – Less Expensive
• Cons
  – Cross-Platform Compatibility
  – Tool may not function at the lowest level
Software Based
• 3rd Party Utilities:
  – BlackBag Technologies SoftBlock (OS X)
  – In-house Tools (Project or Research Idea?)
• Linux / OS X:
  – mount -t ntfs-3g -o ro /dev/sda1 /mnt/hd
• Windows USB Write-Protection
  – HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
  – “WriteProtect” Key:
    • 0 = Read/Write
    • 1 = Read Only
Hardware Based
• Pros
  – Independent of the Operating System
  – Portable
  – Scalable
• Cons
  – Expensive
Hardware Based
• Various Hardware Vendors:
  – http://www.csc.villanova.edu/~dprice/fall2014/resources.html
Wiebetech Ultradock v5
[Figure: front panel of the device, with these indicators labeled]
• Write-Block Indicator
• Error Indicator
• Disk Access Indicator
• HPA or DCO Indicator
Wiebetech Ultradock v5 - S.M.A.R.T Data
Wiebetech Ultradock v5
Host Protected Area (HPA)
• ATA disk standards provide a means of reserving disk space.
• Implemented through the hard drive’s firmware.
• Introduced in the ATA-4 Standard.
• Legitimate Uses Include:
  • OEMs will use it as a way to restore their devices to factory default (factory baseline).
  • Recovery and diagnostic software
  • Monitoring vendors
  • Limiting the size of a hard drive installed in an external enclosure.
• Nefarious Uses Include:
  • Hide data from investigators
  • Storage area of rootkits
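Added example (not part of the original slides): a Python check an examiner could run over the text printed by the Linux `hdparm -N <device>` command to see whether an HPA is hiding sectors from the OS, and how large the hidden region is. The sample output, device names, sector counts and the function name `find_hpa` are constructed for illustration, and 512-byte logical sectors are assumed.

```python
import re

# Constructed sample in the layout printed by `hdparm -N <device>` on Linux;
# device names and sector counts are made up for illustration.
SAMPLE = """\
/dev/sdb:
 max sectors   = 268435456/312581808, HPA is enabled

/dev/sdc:
 max sectors   = 312581808/312581808, HPA is disabled
"""

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

_DEV = re.compile(r"^(/dev/\S+):\s*$")
_MAX = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def find_hpa(text, sector_bytes=SECTOR_BYTES):
    """Return one dict per device: visible/native sector counts and hidden size."""
    results, device = [], None
    for line in text.splitlines():
        m = _DEV.match(line)
        if m:
            device = m.group(1)
            continue
        m = _MAX.search(line)
        if m and device:
            visible, native = int(m.group(1)), int(m.group(2))
            hidden = native - visible
            results.append({
                "device": device,
                "visible": visible,
                "native": native,
                "hidden_sectors": hidden,
                "hidden_bytes": hidden * sector_bytes,
                # Decide from the two counts, not from the tool's status text.
                "hpa_present": hidden > 0,
                # First LBA of the hidden region (LBAs count from 0).
                "hidden_start_lba": visible if hidden > 0 else None,
            })
            device = None
    return results


if __name__ == "__main__":
    for r in find_hpa(SAMPLE):
        state = "HPA PRESENT" if r["hpa_present"] else "no HPA"
        print(f'{r["device"]}: {state}, {r["hidden_sectors"]} sectors '
              f'({r["hidden_bytes"]} bytes) not visible to the OS')
```

This compares only the visible and native maximums, so space removed by a DCO does not show up in these two figures.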
Device Configuration Overlay (DCO)
• ATA disk standards provide a means of restricting disk space.
• Implemented through the hard drive’s firmware.
• Introduced in the ATA-6 Standard.
• Legitimate Uses Include:
  • Configuring different hard drives from different manufacturers to “report” the same number of available sectors.
• Nefarious Uses Include:
  • Hide data from investigators
  • Storage area of rootkits