Using a Write Blocker to View a Hard Drive without Modification

By January 20, 2011Articles

Hard drives are used throughout the e-Discovery process both as a potential source of electronically stored information (ESI) and as a medium to transport data. Even a simple e-Discovery project may involve one or more hard drives changing custody a few times.

Let’s assume that you received an external hard drive from a forensic examiner in connection with ongoing litigation. Naturally, the first thing you would want to do would be to plug it in, take a look at its contents and gather information such as the amount and type of data contained on the hard drive before you plan your next steps. You are well aware that you must not modify the contents of the hard drive as this would cause spoliation of electronic evidence. Did you know that the mere act of plugging a hard drive into your computer to view its contents without a write blocker is usually enough to modify its contents?

Consider the following scenarios:

  • Browsing a folder that contains images using Windows Explorer in thumbnail view could cause Ms Windows to create a thumbnail cache file (Thumbs.db) in that folder, unless the “Do not cache thumbnails” option was chosen.
  • Similarly, last access times of files that were previewed using Windows Explorer would be updated.
  • Opening a file to view its contents (e.g. opening an Excel spreadsheet in Ms Excel) would change the file system last access time metadata.
  • Opening certain file types could cause additional temporary files to be created in a folder. For example, opening an Ms Word document called “Sample.doc” would cause an additional hidden temporary file called “~$Sample.doc” to be created in the same folder. This additional file would normally be deleted when Ms Word is closed, however it could be left behind if Ms Word terminates abnormally.[1]
  • Opening certain file types (e.g. mounting a Personal Storage Table (PST) file in Ms Outlook), would change the binary contents, and consequently hash values of the files.
  • If the host computer was infected with computer viruses or malware, the attached hard drive could also get infected.
  • Some anti-spyware/anti-malware software could cause the last access times of files that they scan to be updated.

There are numerous other ways that drive contents and/or file metadata can be altered inadvertently. The simplest and yet most powerful strategy against modifying the contents of a hard drive is to use a write blocker so that it can be read from, but cannot be written to. There are two main methods of write blocking a hard drive:

Hardware Write Blockers:

A hardware write blocker (also referred to as a forensic bridge) is a device that sits between the host computer and hard drive to be connected to the system. Most hardware write blockers support multiple interfaces and allow the end user to connect IDE and SATA internal hard drives or USB and FireWire external hard drives to a host system.

The write blocker allows the host computer to read from the target drive but blocks all write requests. Two popular hardware write blocker manufacturers are Tableau and WiebeTech. These hardware write blockers are fairly inexpensive and can be used very easily. Well worth the investment.

The NIST has developed a test plan for evaluating hardware write blockers. The test plan and various test reports can be found at http://www.cftt.nist.gov/hardware_write_block.htm

Software Write Blockers:

There are also various software applications that provide write blocking functionality. While using a software write blocker sounds more practical and affordable, it comes with associated risks. Most software write blockers are not 100% forensically sound and have limitations. For example, Ms Windows Service Pack 2 and higher allows USB ports to be write blocked using a registry hack. While this simple method may work in most cases, it is effective only on USB devices that are connected after the change was made. In other words, a USB device that was connected before the registry hack will remain writeable until it is removed and reinserted.

More advanced software write blockers that come with their own kernel mode device drivers are also available. The NIST provides evaluation criteria and results for such software on their website http://www.cftt.nist.gov/software_write_block.htm.

[1] Description of how Word creates temporary files – http://support.microsoft.com/kb/211632

Arman Gungor

About Arman Gungor

Arman Gungor is a certified computer forensic examiner (CCE) and an adept e-Discovery expert with over 21 years of computer and technology experience. Arman has been appointed by courts as a neutral computer forensics expert as well as a neutral e-Discovery consultant. His electrical engineering background gives him a deep understanding of how computer systems are designed and how they work.