Welcome back to the Computer Forensics Path. In this course, we're talking about creating a forensic image. In Module 3 of this course, we're going to talk about write blockers. Now, hardware write blockers, which are the ones you really want to try to use, have firmware to prevent writes. So there's built-in firmware inside the hardware write blockers. This firmware does not depend on our operating system or a BIOS to block writes. It is independent of our operating system. It is effective in modern Windows and other operating systems. Software write blockers, by contrast, do work in a DOS environment by intercepting the BIOS interrupt 13 command for the writes, but they will not work in a modern Windows environment. They can be effective in stopping writes to USB ports. You always want to test these write blockers, because I've downloaded quite a few of them and tested them, and some of them simply just don't work, or they don't work on a particular drive that you're trying to use them on. They're not reliable for the most part, and we'll talk more about that. Now, there are some paid software write blockers that will work in modern Windows, and they're listed up here. There is Safe Block, which will work in a modern Windows system, and there is FastBloc SE, which is an add-on module to EnCase. EnCase is an examination software. Now there are some software write blockers that will work on USB ports; I have two of them listed up here. There are more out there, and I would recommend again testing and validating whatever you download to make sure it is going to work before you use it on any type of evidence. But we have Thumbscrews and USB Write Blocker for All Windows, and as the name says, it works in a Windows environment. Always test a software write blocker before you use it on evidence; I cannot say that enough. We're going to do a demo of a write blocker validation.
If you would like to follow along, the items you're going to need are the program called Thumbscrews and a USB device. The URL for Thumbscrews is in the slide. Remember, go ahead and download it, and then you'll have to extract it; it's a zip file. Start Thumbscrews before connecting the USB device, because of how this particular piece of software works: it will not block the USB devices you already have plugged into your computer. Once you turn it on, it only blocks new USB connections. So make sure that you activate it before you connect the USB device. If you have a small-capacity USB device, that's what we want to use; the smaller the better, because it goes faster. Let's get started with our software USB write blocker validation. The first thing we're going to need to do is download USB Write Blocker for All Windows; the URL should be in your class handout, or it is in the video. Once you've navigated to the site, go ahead and click "Download". Make sure you're downloading USB Write Blocker All Windows. The download will start in a couple of seconds. Once the download's complete, it's going to be a zip file, so go ahead and save it wherever you'd like to. Once you've saved it, go ahead and extract it. I'm going to use 7-Zip; I would recommend using 7-Zip to extract it. I'm just going to extract it here. Once it extracts, you'll see a file, USB_Write_Blocker_All_Windows.bat. It's a batch file, and that's what we're going to use. Go ahead and double-click on that and it will open. Once it opens, it's very simple to use. If we want to turn it on, what you do is type a one, then "Enter", and then it'll prompt you to type "Enter" one more time. To turn it off, you simply type a two, "Enter", and then it will also prompt you to type "Enter" one more time. To exit, simply type the number 3 and "Enter". We're going to go ahead and turn it on.
I'm going to type a one, "Enter", and it's going to tell you it's going to make a change to your registry. That's how it prevents the writes. Then you have to type "Enter" again to continue. Now, it will tell you the USB write blocker is on. At this point we're going to plug in our test thumb drive, our test USB device. Do not plug the USB device in before you turn this on. If you do, it will not work. Now that it's on, we're going to plug in our USB device. We can see when we plug in the USB device, these are the files that are on my USB device. Now I want to bring up FTK Imager, because we are going to hash this device. But before we do that, notice the drive letter is M. Bring up Disk Management, because we want the actual disk number, not just the logical volume. My logical volume is going to be M. My physical disk is Disk 13. When I create this hash value, I want to hash the physical disk, not the logical volume. Whatever yours is, it'll probably be different than it is on my computer, but make a note of the drive letter for the volume and the number of the physical disk you're going to be looking for when we use FTK Imager. Now go ahead and launch FTK Imager. I'm going to go to "File", "Add Evidence Item". We're going to use a physical drive; click "Next". From the drop-down box, select your USB device. Mine was Physical Drive 13, yours could be different, and then we're going to click "Finish". Now, we can take a look at what we have here. When I look at the root of the volume, I can see the same files I saw in Windows Explorer. I want to hash this physical disk. I'm going to highlight the physical disk. Do not highlight the logical volume; you'll get a different hash value. Make sure you're highlighting the physical drive. Click "File", "Verify Drive/Image", and then it will start working. Now it is hashing our physical disk, and because my test drive is small, which is what you want for your test devices, it goes very quickly.
It gives you the physical drive number, how many sectors, an MD5 hash value, a SHA1 hash value, and it also notes that it did not find any bad sectors. This is called the pre-hash, and we're going to do this before we attempt to write to the drive. Now you need to document your pre-hash, because Imager will not save this information for you. I like to use the Snipping Tool. You can do a screenshot, however you want to do it, but make sure you document it. I'm just going to save this as usb_testdrive_pre-hash. I'll just leave it on my desktop for now. Now I'm going to go ahead and minimize that. I'm going to close this. I'm going to remove my evidence item, and I'm going to close FTK Imager. The reason I'm doing that is I don't want Imager to read from a cache file; I want it to re-hash my drive when I'm done. So go ahead and close FTK Imager. Now we're going to bring up Windows Explorer and try to write to our test drive. I have Windows Explorer. This is my test drive, USB Test Drive M. My volume label is USB Test Drive. I'd recommend using a volume label that you're going to recognize. Let's try to make some changes here. I'm going to write, "This is a USB software write block validation." It doesn't really matter what you write. What we're trying to do here is show that we cannot write to the drive. I'm going to try to save it to the drive. I immediately get a message that says I can't save to this particular drive. Now you'd also want to document this. I'm just going to use a screenshot to do that. It won't let me do that, so I'm going to cancel. Close that file. Don't save. Now let me try to delete something. Well, it doesn't even give you the option to delete. I'm going to try a Control-X to delete. I want to cut it. It won't let me do that. Bring up a post-hash here. I'll try to edit it, close it, and it is not saving it. We can try it again. I'll draw again. Save a copy. I'm going to try to save it to M, and again it's telling me I can't save to drive M.
I could save that somewhere else, but I cannot write to the write-protected drive. It is write-protecting my USB test drive, which is what it's supposed to do. I'll just close that, and if I reopen it, you can see it did not save the changes. Let me try to add something to it. I'll just bring up anything, and I'll just try to add this PDF. Copy to test drive, and it's telling me my disk is write-protected, that I cannot add any data to this. Let me go ahead and take another screenshot. When you're doing this, you do want to document what you did. You tried to write to it, you tried to erase something, you tried to alter something, and you were unable to do so. Now that I've tried to alter data on the drive or tried to write to that drive, I'm going to go ahead and bring up FTK Imager again, and I'm going to add the drive again. So File, Add Evidence Item. We're looking for a physical drive. I'm going to select my USB drive; mine is Physical Drive 13. Yours will probably be different. Click "Finish", and I can take a look just to make sure I'm looking at the same drive, and I see the files that we saw in Windows Explorer. Now make sure you highlight Physical Drive. I'm going to go to File, Verify Drive/Image. It has completed. Once it's completed, I'm going to compare my results. This would be considered your post-hash. We do a pre-hash and a post-hash. Let me bring up my pre-hash, and I'm going to look at the hash values, and they do in fact match. Now what you would do here is go and click "New", and I would take a snapshot of this, and I would save it: File, Save As, and I'm going to call this my "USB test drive post-hash". I'm just going to leave it as Desktop and save it. Now what you would want to do is take all the documentation and put it into a single report, a PDF.
However you want to save that documentation, you'd want to make sure you wrote the date and time that you did this, and you'd want to keep a record of all your validations, so that if you're ever going into court, civil, criminal, or just an internal hearing, whatever type of investigation you're doing, you could show documentation that you did in fact validate your software before you used it on the original evidence. With a software write blocker, I would validate it before each use. With the hardware write blocker, you do not have to do that. Now I've done that and I'm done. I want to go ahead and eject my USB drive. Remember to eject your USB drive. Hang on just a second. You're going to have to remove the evidence item and close FTK Imager before you're able to eject that drive. Now I want to eject my drive before I turn off USB Write Blocker. I've ejected my drive. Now I want to go ahead and turn off USB Write Blocker. To do that, we're going to type the number 2 to disable, and we're going to type "Enter", and it's going to again prompt you that it is going to make a change to your registry. I'm going to click "Yes", and now we must press "Enter" again, or any key, to continue, and now USB Write Blocker is turned off. In our next module, we're going to talk about creating and validating forensic images. End of demonstration.
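The validation routine the demonstration walks through by hand (pre-hash the physical disk, try to create, alter and delete on the mounted volume, post-hash, compare, and record the date and time) can be scripted so the evidence of each validation is produced the same way every time. The following Python is an added example, not part of the course and not code from FTK Imager or USB Write Blocker. It assumes that on Windows you would point it at the raw physical disk by number, e.g. `r"\\.\PhysicalDrive13"` (the Disk Management number from the demo; a path this script does not verify and which needs an elevated prompt), while the volume path is the drive letter. For an offline run it builds a constructed image file and a temporary directory to stand in for the disk and the mounted volume; since no blocker is active there, the writes succeed and the check reports the blocker as not validated, which is exactly the failure case the course warns about.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR_BYTES = 512
CHUNK_BYTES = 4 * 1024 * 1024  # 4 MiB reads, sector-aligned for raw devices


def hash_device(path):
    """One sequential read of the raw disk or image, computing MD5 and SHA-1
    together plus the sector count: the same figures the course copies out
    of FTK Imager's Verify Drive/Image dialog. Hash the physical disk, not
    the logical volume, or the values will not match between runs."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb", buffering=0) as fh:
        for block in iter(lambda: fh.read(CHUNK_BYTES), b""):
            md5.update(block)
            sha1.update(block)
            total += len(block)
    return {
        "source": path,
        "bytes": total,
        "sectors": total // SECTOR_BYTES,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "taken_at": datetime.now(timezone.utc).isoformat(),  # for the report
    }


def attempt_writes(mount_dir, existing_name, new_name="writeblock_test.txt"):
    """Try the three things the demo tries in Explorer: create a new file,
    alter an existing one, delete an existing one. Per operation returns
    "allowed" or the OS error; behind a working blocker all three are refused
    (on Windows the error text is the 'media is write protected' message)."""
    new_path = os.path.join(mount_dir, new_name)
    old_path = os.path.join(mount_dir, existing_name)

    def create():
        with open(new_path, "x") as fh:  # "x": fail rather than clobber
            fh.write("this is a USB software write block validation\n")

    def alter():
        with open(old_path, "a") as fh:
            fh.write("altered during validation\n")

    def delete():
        os.remove(old_path)

    outcome = {}
    for name, op in (("create", create), ("alter", alter), ("delete", delete)):
        try:
            op()
            outcome[name] = "allowed"
        except OSError as exc:
            outcome[name] = f"refused ({exc.strerror or exc})"
    return outcome


def blocker_validated(pre, post, writes):
    """Pass only if every write was refused AND hash values and sector
    count are identical before and after the write attempts."""
    unchanged = all(pre[k] == post[k] for k in ("md5", "sha1", "sectors"))
    refused = all(v.startswith("refused") for v in writes.values())
    return unchanged and refused


def run_validation(device_path, mount_dir, existing_name):
    """The whole procedure: pre-hash, write attempts, post-hash, verdict.
    The returned dict is what you would drop into the validation report."""
    pre = hash_device(device_path)
    writes = attempt_writes(mount_dir, existing_name)
    post = hash_device(device_path)
    return {"pre": pre, "writes": writes, "post": post,
            "validated": blocker_validated(pre, post, writes)}


def demo(content=b"abc"):
    """Offline stand-in (constructed data): an image file plays the physical
    disk and a temp directory plays the mounted volume. No blocker is active
    here, so the writes are allowed and 'validated' comes back False."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "usb_testdrive.img")
        with open(image, "wb") as fh:
            fh.write(content)
        volume = os.path.join(tmp, "volume")
        os.mkdir(volume)
        with open(os.path.join(volume, "existing.txt"), "w") as fh:
            fh.write("already on the drive\n")
        return run_validation(image, volume, "existing.txt")


if __name__ == "__main__":
    print(json.dumps(demo(b"\0" * 4096), indent=2))
```

For a real run, replace the two `demo()` paths with the physical disk and the volume letter, and keep both the JSON output and the screenshots together in the same dated report; the `taken_at` stamps on the pre- and post-hash give the date and time the course says to record.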