SOFTWARE WRITE BLOCKING
Today, 28 March 2024, is #day16 on the way to becoming #dfir.
One of the foundations of forensic examinations of digital media is preserving the integrity of the media during the collection and acquisition processes. Typically, hard drives are connected to hardware write blockers, which prevent write commands from being sent to the media. Not everyone has access to, or can afford, a hardware write blocker, so software write blockers are used instead. Starting with Windows XP Service Pack 2, a user can add a Registry entry that blocks write access to storage devices connected to USB ports.
While dead box forensics is a common activity in many labs, there is often a requirement to capture volatile data before removing a hard drive for processing. During live forensics or live acquisitions, interaction with the suspect media is kept to a minimum so that data such as the contents of RAM can be acquired. All interactions with the system are documented so that an examiner's methods are identifiable and defensible. After volatile data is collected, the media can be connected to a write blocker for acquisition. In some instances, a computer cannot be powered down or the media cannot be removed for imaging. In these situations, a boot disk (either a USB flash drive or a CD/DVD) is used, and that software acts as both an imaging tool and a write blocker.
Tools:
Product: RegEdit
Manufacturer: Microsoft Corporation
Digital Forensics Workbook
Instructions:
1. Open a command prompt on a Windows computer.
2. At the command prompt, type the following command to launch the Registry Editor and press the "Enter" key: regedit
3. When the Registry Editor launches, navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
4. Right-click on "Control," select "New," and then select "Key."
5. Type the name "StorageDevicePolicies" (without spaces and without quotes) and press the "Enter" key.
6. Right-click on the white/blank window pane on the right.
7. From the pop-up menu, select "New" and then "DWORD (32-bit) Value."
8. Change the name from "New Value #1" to "WriteProtect" (without spaces and without quotes) and press the "Enter" key.
9. Double-click on the value and change the value from 0 to 1.
10. Click the "OK" button.
11. Close the Registry Editor.
12. Insert a new flash drive into the USB port on the computer and test the ability to read/write to the device.
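The same procedure carried out and verified from an elevated PowerShell session, as an added example that is not code from the original post or the Workbook. The function names, the probe file name and the drive letter E: are assumptions; the drive letter stands for the flash drive inserted in step 12.

```powershell
# Added example (not from the original post or the Workbook): apply steps 3-10
# from an elevated PowerShell session, read the value back, and perform the
# read/write test of step 12 against a removable drive.
# Assumptions: the drive letter given to Test-UsbWriteBlock is a placeholder for
# the flash drive inserted after the value is set; the probe file name is constructed.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbWriteProtect {
    param([ValidateSet(0, 1)][int]$Value)
    # Step 5: create StorageDevicePolicies if it does not exist yet.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Steps 7-10: WriteProtect as a DWORD (32-bit) value, 1 = block writes, 0 = allow.
    New-ItemProperty -Path $KeyPath -Name 'WriteProtect' -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

function Get-UsbWriteProtect {
    # Returns 1, 0, or $null when the key or the value is absent.
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name 'WriteProtect' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.WriteProtect
}

function Test-UsbWriteBlock {
    # Step 12: reading must still work, and a write attempt must be refused.
    # Returns $true only when the write is refused.
    param([Parameter(Mandatory)][string]$DriveLetter)
    $root = "${DriveLetter}:\"
    if (-not (Test-Path $root)) { throw "Drive $root is not present" }
    Get-ChildItem -Path $root -ErrorAction Stop | Out-Null   # read access must succeed
    $probe = Join-Path $root 'writeblock-probe.txt'
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        # Write succeeded: the block is NOT effective; clean up the probe file.
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $false
    } catch {
        # "The media is write protected" (or access denied): the block holds.
        Write-Verbose $_.Exception.Message
        return $true
    }
}

# Usage: enable the block, confirm the value, insert the drive, then test it.
Set-UsbWriteProtect -Value 1
"WriteProtect = $(Get-UsbWriteProtect)"
# Test-UsbWriteBlock -DriveLetter 'E'   # E: is a placeholder for the flash drive
```

Setting the value back to 0 re-enables writes, and the control only covers storage attached through USB ports, which is why the post still favours a hardware write blocker where one is available.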