Notifications
Clear all

Software Blocker

27 Posts
14 Users
0 Likes
5,336 Views
(@chioma)
Posts: 15
Active Member
Topic starter
 

Please, where can I download a free software write blocker?

Regards

 
Posted : 13/07/2010 3:31 pm
(@jonathan)
Posts: 878
Prominent Member
 

There's a link to a free USB software write blocker and other free tools on this page which I put together. As with anything, use at your own risk.

http//www.forensiccontrol.com/fcresources.php

 
Posted : 13/07/2010 3:50 pm
(@chioma)
Posts: 15
Active Member
Topic starter
 

Thanks a million!

 
Posted : 13/07/2010 4:56 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

And by "use at your own risk" he means "validate all your tools", whether free or commercial.

 
Posted : 13/07/2010 6:40 pm
(@jonathan)
Posts: 878
Prominent Member
 

And by "use at your own risk" he means "validate all your tools", whether free or commercial.

Precisely.

 
Posted : 13/07/2010 9:46 pm
(@chioma)
Posts: 15
Active Member
Topic starter
 

Thanks all. I will.

 
Posted : 13/07/2010 9:53 pm
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

I'm always cautious with software write blockers for several reasons, mostly because you don't really know if it is 'on' or 'off' until afterward. Since these applications rely upon registry settings, you have to make sure the version of the software write blocker you use will work on the Windows OS version AND service pack. Also, most of these apps tend to block all USB devices on the system, so if you are imaging from USB Drive 1, you will only be able to image to your C\ drive (the FBI ACES software write blocker allows you to choose which USB ports to block, but this is not for non-LE use).

If you don't have a hardware write blocker, I'd recommend using a forensic boot disk (Linux or Windows) so you can make sure you don't have inadvertent writes to your USB drive. Plus, you can choose which drives you want RO and those you want RW. And for the most part, you can still use your forensic tools with the boot disk (whether you use Linux apps or Windows apps, most work on both boot disks).

 
Posted : 14/07/2010 8:57 am
(@douglasbrush)
Posts: 812
Prominent Member
 

Following the train of thought on the thread…are you looking to do SW WB on a Windows system that is up and running or via bootdisk?

How are you set-up? Booting the suspect system and using the hardware bus on that? Or are you removing the suspect drive and imaging in a separate system?

Also F-Response is a great software write blocker for multiple environments over a network connection. It can be used over existing hardware and connections or via a cross over cable.

Also you could use EnCase in a LinEn boot environment on the suspect machine with a cross over cable to your examination machine. You can image in EnCase without a dongle in acquisition mode.

There are many ways to skin a cat but probably even more ways to image a hard drive.

 
Posted : 14/07/2010 9:11 am
4Rensics
(@4rensics)
Posts: 255
Reputable Member
 

Just a little note on this subject as I had some trouble getting one for my 64bit Windows 7 Manchine. The only one I could find was DSi USB Write Blocker, however its does more of a blanket block and blocked everything, even mem card readers, so unlike some you can't point to specific ports. Dunno if this is a good or bad thing \

Don't know if there are any others out there for x64 machines, but took us ages to find this one and this was the only one that really worked for out needs.

Just thought I'd says for future forum readers, if your looking for 64bit machine blockers.

 
Posted : 14/07/2010 12:32 pm
(@jonathan)
Posts: 878
Prominent Member
 

….my 64bit Windows 7 Manchine.

Very macho set-up you've got there!

The only one I could find was DSi USB Write Blocker, however its does more of a blanket block and blocked everything, even mem card readers, so unlike some you can't point to specific ports. Dunno if this is a good or bad thing \

It's a good thing, working as advertised. I've used it on my laptop to image from a USB attached suspect disk to an attached e-SATA target disk, worked fine.

Having said this, I would always choose a hardware write blocker over a software write blocker; less chance of human error if anything.

 
Posted : 14/07/2010 12:51 pm
Page 1 / 3
Share: