Write-Protection Villanova University Department of Computing - - PowerPoint PPT Presentation



SLIDE 1

Villanova University – Department of Computing Sciences – D. Justin Price – Fall 2014

Write-Protection

SLIDE 2

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

Write-Block Devices

  • Blocks all commands sent to the storage device that would modify data.
  • Two Philosophies of Implementation
    – Write Failure
      • The device returns a write failure to the OS.
    – Write Success
      • The device returns a successful write to the OS but does not actually modify any data.

SLIDE 3

Software Based

  • Pros
    – Easy to Install
    – Easy to Implement
    – Less Expensive
  • Cons
    – Cross-Platform Compatibility
    – Tool may not function at the lowest level

SLIDE 4

Software Based

  • 3rd Party Utilities:
    – BlackBag Technologies SoftBlock (OS X)
    – In-house Tools (Project or Research Idea?)
  • Linux / OS X:
    – mount -t ntfs-3g -o ro /dev/sda1 /mnt/hd
  • Windows USB Write-Protection
    – HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
    – “WriteProtect” Key:
      • 0 = Read/Write
      • 1 = Read Only
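
The Linux read-only mount on this slide can be checked rather than assumed. The following is an added example, not part of the original slides: it marks the device read-only in the kernel with `blockdev --setro`, mounts it read-only with `ntfs-3g`, and confirms both layers. The function names and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides). Function names are hypothetical;
# /dev/sda1 and /mnt/hd are the device and mount point used on the slide.

# sample_mounts: constructed /proc/mounts-style lines for offline testing.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 /mnt/hd fuseblk ro,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
/dev/sdb1 /mnt/usb vfat rw,relatime 0 0
/dev/sdc1 /mnt/a ext4 ro,relatime 0 0
/dev/sdc1 /mnt/b ext4 rw,relatime 0 0
EOF
}

# mount_state DEVICE [MOUNTS_FILE]
# Prints "ro", "rw" or "unmounted" for DEVICE from a /proc/mounts-format
# file (fields: device mountpoint fstype options dump pass). "-" reads stdin.
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            seen = 1; ro = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) rw = 1   # one writable mount of the device is a failure
        }
        END { print (!seen ? "unmounted" : (rw ? "rw" : "ro")) }
    ' "${2:-/proc/mounts}"
}

# mount_evidence_ro DEVICE MOUNTPOINT
# Sets the kernel read-only flag, mounts read-only, then returns non-zero
# unless both the block layer and the mount table report read-only.
mount_evidence_ro() {
    dev=$1; mnt=$2
    blockdev --setro "$dev" || return 1
    mount -t ntfs-3g -o ro "$dev" "$mnt" || return 1
    [ "$(blockdev --getro "$dev")" = "1" ] || return 1
    [ "$(mount_state "$dev")" = "ro" ] || return 1
}
```

Run `mount_evidence_ro /dev/sda1 /mnt/hd` as root; a non-zero return means one of the two layers is not read-only and the device should not be examined through that mount.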

SLIDE 5

Hardware Based

  • Pros
    – Independent of the Operating System
    – Portable
    – Scalable
  • Cons
    – Expensive

SLIDE 6

Hardware Based

  • Various Hardware Vendors:

– http://www.csc.villanova.edu/~dprice/fall2014/resources.html

SLIDE 7

Wiebetech Ultradock v5

  • Write-Block Indicator
  • Error Indicator
  • Disk Access Indicator
  • HPA or DCO Indicator

SLIDE 8

Wiebetech Ultradock v5 - S.M.A.R.T Data

SLIDE 9

Wiebetech Ultradock v5

SLIDE 10

Host Protected Area (HPA)

  • ATA disk standards provide means of reserving disk space.
  • Implemented through the hard drive’s firmware.
  • Introduced in the ATA-4 Standard.
  • Legitimate Uses Include:
    – OEMs use it to restore their devices to factory default (factory baseline).
    – Recovery and diagnostic software
    – Monitoring vendors
    – Limiting the size of a hard drive installed in an external enclosure.
  • Nefarious Uses Include:
    – Hide data from investigators
    – Storage area of rootkits

SLIDE 11

Device Configuration Overlay (DCO)

  • ATA disk standards provide means of restricting disk space.
  • Implemented through the hard drive’s firmware.
  • Introduced in the ATA-6 Standard.
  • Legitimate Uses Include:
    – Configuring different hard drives from different manufacturers to “report” the same number of available sectors.
  • Nefarious Uses Include:
    – Hide data from investigators
    – Storage area of rootkits