Converting an external hard drive enclosure into a write blocker?

Converting an external hard drive enclosure into a write blocker?

by Tom Yarrish

Hey all,
I wanted to find out if there was a method to convert an external
hard drive enclosure into a "cheap" write blocker device?  I'm not
looking for something to use from a forensic standpoint.  Basically
if I want to put a hard drive into an enclosure and pull data/burn
data to DVD/whatever off of it, but prevent anything from being
written to the drive, I can do that.

Thanks ahead of time,
Tom

Re: Converting an external hard drive enclosure into a write blocker?

by Max Gribov

Tom,
you can mount the storage as read-only - any unix filesystem will
support read-only mount, and provided your root account isn't
compromised, no one can remount it as write. Root can't write to
read-only mounted filesystems without remount either.

mount -r /dev/da2 /readonly in BSD land..

I'd say that's the easiest route without buying specialized hardware.

Sorry if this is something you already tried/thought about..


Re: Converting an external hard drive enclosure into a write blocker?

by John Nemeth

On Apr 5,  3:35pm, Tom Yarrish wrote:
}
} I wanted to find out if there was a method to convert an external  
} hard drive enclosure into a "cheap" write blocker device?  I'm not  

     The only difference between read and write is the command issued.
You would need an intelligent adapter that sits between the cable
coming into the enclosure and the drive which analyses all commands and
aborts any write commands.

}-- End of excerpt from Tom Yarrish

Re: Converting an external hard drive enclosure into a write blocker?

by Pavel Gladyshev


If your computer is running Windows XP Service Pack 2, see
http://www.accessdata.com/media/en_US/print/papers/wp.USB_Write_Protect.en_us.pdf



Re: Converting an external hard drive enclosure into a write blocker?

by forensics-4

If it is a USB enclosure and you have Windows XP Service Pack 2, use
the USB write Protect.

http://www.m2cfg.com/usb_writeblock.htm

Turn write block on before plugging in the drive.

Thanks

Mike

RE: Converting an external hard drive enclosure into a write blocker?

by Kian Stipp

http://irongeek.com/i.php?page=security/thumbscrew-software-usb-write-blocker

"If you want to go the cheapest route, use a linux system with auto mounting
disabled and buy some USB or Firewire drive enclosures. If you go this route
make sure you create a documented procedure for acquiring evidence and
follow it every time. You might even go as far as to record the history of
your shell commands as part of your digital case file."
- warquel Re: Forensic write blockers < Reply #1 on: July 05, 2007, 12:28:52 AM >
http://www.ethicalhacker.net/index.php?option=com_smf&Itemid=&topic=1405.msg5441

Hope this helps!

Kian
White Hat Group


Re: Converting an external hard drive enclosure into a write blocker?

by Stefan Kelm

> you can mount the storage as read-only - any unix filesystem will
> support read-only mount, and provided your root account isn't
> compromised, no one can remount it as write. Root can't write to
> read-only mounted filesystems without remount either.
>
> mount -r /dev/da2 /readonly in BSD land..

Beware, however, that on journaling file systems such as
ReiserFS or EXT3 you might incidentally change the file
system although it is mounted read-only:

http://www.mail-archive.com/reiserfs-list@.../msg20263.html

Cheers,

        Stefan.

--------------------------------------------------------
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
stefan.kelm@..., http://www.secorvo.de/
PGP: 87AE E858 CCBC C3A2 E633 D139 B0D9 212B

Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox

Re: Converting an external hard drive enclosure into a write blocker?

by Terry Roebuck

A *nix mount with DD would be my option of choice, but for Windows, I
hesitatingly ask could you not modify an IDE cable to make any connected
drive 'read-only' (might require a resistor - not sure if you can just
clip a wire? - maybe someone with better EE skills could answer that?)

Re: Converting an external hard drive enclosure into a write blocker?

by Valdis.Kletnieks

On Fri, 16 Nov 2007 22:14:07 EST, Max Gribov said:
> Tom,
> you can mount the storage as read-only - any unix filesystem will
> support read-only mount, and provided your root account isn't
> compromised, no one can remount it as write. Root can't write to
> read-only mounted filesystems without remount either.

Note that most journaled file systems (on Linux, this includes ext3, reiserfs,
jfs, and xfs) will insist on replaying the journal and thus making changes
to the disk, even when mounting as read-only.

You'd really want to have some other utility that captures the journal
datastream before you do the mount, and then a utility to reverse-apply
the changes. In some cases, this may not be doable, as the journal doesn't
record what the status was *before* the event - for instance, a file permission
change event may only have the *new* value listed, so you can't roll it back.

There's also another issue - if you *do* create a "mount without journal
replay", you're quite likely going to screw things up gloriously, as the
whole *point* of the journal is to gloss over inconsistent data that hasn't
been fully synced to disk.  You don't replay the journal, you may find some
parts of the filesystem (those that are affected by live journal entries)
won't be accurate, or may even crash the system.  Of course, there's a very
high probability that "the files that the hacker was working on when we
pulled the plug" are *exactly* the pieces most likely to be zorkumblattum
if you don't replay the journal....

And I won't even get into the forensics-relevant semantics of ext3's
data=journaled/ordered/writeback options, other than to note that they *do*
have forensics implications....
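
The journal-replay caveat raised in the replies above, as an added shell sketch for Linux that is not part of any poster's message: it picks mount options that skip journal replay for the filesystems where one is known (`noload` for ext3/ext4, `norecovery` for XFS), sets the kernel's read-only flag on the block device, and hashes the device before and after mounting to show whether anything was written. The function names are hypothetical, and it assumes util-linux `blockdev` and `blkid` plus coreutils `sha256sum`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# device and mount-point arguments are placeholders supplied by the caller.

# Print mount options that stop the kernel replaying the journal at mount.
# Fails for filesystems where this sketch knows no such option.
no_replay_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noload" ;;      # do not load the journal
        xfs)       echo "ro,norecovery" ;;  # skip log recovery
        ext2)      echo "ro" ;;             # no journal to replay
        *)         return 1 ;;              # e.g. reiserfs, jfs: use a copy
    esac
}

# SHA-256 digest of a device node or image file.
digest() {
    out=$(sha256sum "$1") || return 1
    echo "${out%% *}"
}

# Run COMMAND and succeed only if TARGET's bytes are identical afterwards.
# Returns 1 if the content changed, 2 if hashing failed, 3 if COMMAND failed.
unchanged_after() {
    target=$1; shift
    before=$(digest "$target") || return 2
    "$@" || return 3
    after=$(digest "$target") || return 2
    [ "$before" = "$after" ]
}

# Read-only mount of a real device (needs root). Skipping replay can leave
# files touched by pending journal entries inconsistent, as noted above.
ro_mount() {
    dev=$1; mnt=$2
    blockdev --setro "$dev" || return 1     # kernel block-layer read-only flag
    fstype=$(blkid -o value -s TYPE "$dev") || return 1
    opts=$(no_replay_opts "$fstype") || {
        echo "no no-replay option known for '$fstype'; work on an image" >&2
        return 1
    }
    unchanged_after "$dev" mount -t "$fstype" -o "$opts" "$dev" "$mnt"
}
```
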


Re: Converting an external hard drive enclosure into a write blocker?

by Matthew Pepe

The easiest thing to do is to use a bridge whose firmware can be  
modified to take a different action upon the issuance of a write (or  
write-related) command.  Operating systems will react differently  
depending upon whether the device returns an error code, success code,  
or remains quiet.  The bottom line is that you need to intercept  
packetized commands - write enable is not based off of a pin pulled  
high or low. For more information, check out the ATA/ATAPI5 documents  
from the T13 working group.

- Matt


On Nov 20, 2007, at 11:11 AM, Terry Roebuck wrote:

> A *nix mount with DD would be my option of choice, but for Windows, I
> hesitatingly ask could you not modify an IDE cable to make any
> connected drive 'read-only' (might require a resistor - not sure if
> you can just clip a wire? - maybe someone with better EE skills
> could answer that?)



Re: Converting an external hard drive enclosure into a write blocker?

by Krassimir Tzvetanov

Well this is a little one sided.

When you are preserving a hard disk you want a snapshot in the moment
it was seized. This would mean that you should not do any alteration
after that point and I'll ask you to consider two cases that will show
you where I come from.

1. The journal replay may overwrite some chunks of data you may want
to have linked the way they were. I.e. somebody did "rm -rf /" the
moment the agents were serving a no-knock warrant (and if they turned
off the machine the files will be still linked).

2. The kernel of the system you are running may have a bug that may
result in a different behavior than the system being investigated (or
vice versa, the system may have had "special patches" applied that might
cause your data replay to corrupt data).
Even further, think about a patch that ignores certain records of the
journal file and those records, when applied by an "unpatched kernel",
unlink certain files (or overwrite them with random data).
You should also do separate analysis on the journal itself to
determine what contents it contains.
Having said all that I do not reject the ability to present as a
separate evidence replayed journal (*and note you did that*) to the
investigators/court.

Regards,
Krassi

Re: Converting an external hard drive enclosure into a write blocker?

by John Nemeth

On Apr 12,  4:47am, Terry Roebuck wrote:
}
} A *nix mount with DD would be my option of choice, but for Windows, I
} hesitatingly ask could you not modify an IDE cable to make any connected
} drive 'read-only' (might require a resistor - not sure if you can just
} clip a wire? - maybe someone with better EE skills could answer that?)

     As I pointed out sometime in the last couple of weeks when this
question was first asked, the difference between read and write is the
command sent to the drive.  There is nothing you can do to the cable to
stop writing that won't also stop reading.  You have to have an
intelligent device that will monitor the commands sent to the drive and
abort any write commands.

}-- End of excerpt from Terry Roebuck

Re: Converting an external hard drive enclosure into a write blocker?

by Terry Roebuck

A *nix read only mount would be my option of choice, but for Windows, I
hesitatingly ask could you not modify an IDE cable to make any connected
drive 'read-only' (might require a resistor - not sure if you can just
clip a wire? - maybe someone with better EE skills could answer that?)

--

Terry Roebuck
Dept. of Computer Science
http://www.cs.usask.ca/people/faculty.shtml
University of Saskatchewan
306 966 2532 (office)
306 966 4884 (dept office)
terry.roebuck@...


RE: Converting an external hard drive enclosure into a write blocker?

by Robinson, Sonja-2

Tableau makes good write blockers for many different types of
connections.


Re: Converting an external hard drive enclosure into a write blocker?

by David Kovar-2

Greetings,

First off, use a hardware write blocker if you really want to be  
certain nothing is going back to the drive.

Then, you can cover all the bases quite neatly by making multiple  
forensic copies of the evidence disk. Allow one to mount "normally".  
Mount one with a write blocker. Mount one with a different kernel.  
Mount one .... Etc. Compare and contrast ...

-David
