FAQ's

GENERAL FAQ's

A software write blocker, such as ForensicSoft SAFE Block, is a software tool designed to monitor and control all access and prevent writes to storage devices attached to a computer. Software write blocking is utilized by forensic examiners, incident response and security professionals, attorneys, litigation support personnel and anyone else needing to preserve the integrity of digital evidence to be used in legal proceedings.

Software write blocking is accomplished in different ways depending on the complexity of the operating system. In the early days of the field of Computer Forensics, software write blocking was accomplished through DOS tools including RCMP HDL, PDBlock, and a few others. These DOS tools accomplished write blocking by controlling access to disks via interrupt 0x21 and 0x13 requests. Software write blockers used on DOS Control Boot Disks were the industry standard for data protection of computers to be seized/imaged/searched for over a decade, until DOS became too slow and lacked the application and driver support needed by forensic examiners.

As the forensic industry moved on to complex OSs such as Windows and Linux, software write blocking ceased to exist for almost 10 years because write protecting a complex OS was much more complicated. In complex operating systems, software write blocking is accomplished through the use of specially designed disk controller drivers and/or filter drivers that monitor and control all system read/write commands, rather than through the blocking of Int 0x13 and 0x21 requests. This is explained by NIST in their Software Write Block Tool Specification and Test Plan.

ForensicSoft SAFE Block is the first and only commercially available Windows software write blocker for a complex operating system that is application independent and protects all storage devices on all interfaces, including IDE (PATA), SATA, SCSI, SAS, Fibre Channel, USB, IEEE1394 and all others.

A software write blocker, such as SAFE Block, performs the same basic function as hardware write-blocker counterparts. The main difference is that software write blocking uses a software application installed on your forensic workstation to prevent the workstation from writing to attached disks, as opposed to hardware write blocking which uses software burned onto a controller chip inside a forensic bridge device that physically connects between your evidence disk and your forensic workstation.

Both options block write commands from being passed to a protected disk. However, there are significant differences between the two approaches. A few of the most notable include the following:

  1. SAFE Block is software and therefore takes up no physical space in your already full investigator kit.
  2. It requires no power, hence you cannot misplace or accidentally forget to bring a power adaptor into the field during an investigation.
  3. SAFE Block allows for data acquisition at speeds up to 10 times faster than that of hardware write-blockers (the software write-blocker does not require device interface bridging from one interface technology to another, which is often a significant data I/O bottleneck).
  4. You only need one piece of software to block EVERY interface (IDE (PATA), SATA, eSATA, SCSI, USB, IEEE1394 and more).
  5. This single piece of software also blocks rarer interfaces such as SAS and Fibre Channel (all connection types).
  6. SAFE Block allows you to multi-task blocking and processing as many concurrent disks as you wish without the need to purchase 10 SATA hardware write blockers to block 10 SATA drives at once.
  7. SAFE Block costs a fraction of the cost of hardware write blockers.

Our software write blocker (SAFE Block) and Windows To Go environment (SAFE Block To Go) block EVERY storage interface, including the following interfaces and technologies:

  • EIDE
  • IDE (PATA)
  • SATA
  • eSATA
  • SCSI
  • SAS
  • Fibre Channel
  • mSATA, M.2, NVMe
  • USB
  • Firewire (IEEE 1394)
  • Compact Flash I/II/MD
  • Smart Media/xD
  • MS/PRO/Duo/PRO Duo
  • SD/Mini/MMC/RS/Plus/Mobile
  • Hardware RAID (using any of the above mentioned interfaces)

In the US, neither Federal nor State courts accredit anything, including computer forensic software. There is a vast misconception, due mostly to the marketing strategies of certain computer forensic software companies, that by having the name of a tool mentioned by a testifying witness, and therefore memorialized in the court transcript, the court somehow approves/accredits/validates the computer forensic software. The courts do not approve, accredit, validate or otherwise endorse any tools. All the courts do is accept testimony from a witness, or not. It is then up to the jury or judge, depending on the legal proceeding, to decide if they believe the witness and, if so, how much weight to apply to their testimony. Never does a US court put its stamp of approval on any computer forensic tools.

Within the US, the National Institute of Standards and Technology (NIST) has a component within the Federal agency called the Computer Forensic Tool Testing (CFTT) section. The CFTT publishes specifications and test plans that forensic tools, such as Forensic Imaging tools and Write Blockers, must follow. They then perform testing on various tools and publish their findings to inform the industry of the results of their testing of certain tools. NIST is not the only testing/validation body within the US, but it is the most widely known. Other testing is also done by the DOD Computer Forensics Lab (DCFL). These organizations only validate tools; they do not accredit them. Accreditation is a validation of a teaching program/curriculum and is not applicable to a software program.

NIST CFTT publishes their test plan and testing software for software write blockers so that, in addition to any testing performed by NIST CFTT, others can also perform their own testing if desired. Information about the CFTT test plans, specifications, etc. is published by NIST CFTT.

Under the more recent NIST Federated Tool Testing program, forensic examiners can now conduct their own tool validation using approved processes and test tools. Practitioners may validate any hardware or software write block tool themselves using the CRU's WriteBlocking Validation Utility as part of the NIST Federated Tool Testing program.

As to track record, our SAFE Block product has been successfully in use by Federal, State, and Local law enforcement, military, law firms, private computer forensic examiners, and many others throughout the world for the past 15 years. SAFE Block is taught and issued as part of SANS Institute's FOR498 Battlefield Forensics course. A small sampling of our customer list is here. As you will see, there are two entities on this page from the UK and you may be able to get some independent feedback from others in your area using our tools.

Lastly, keep in mind that no matter what we tell you or anyone else tells you about our products or any company's products, you should not rely on the word of anyone (especially a software vendor) when validating a computer forensic tool. You must do your own validation testing with a known data set with a known hash value and put the tool to the test, comparing your results with your expected result. Only trust yourself and be able to testify that you know your tool(s) work properly because you personally validated them with a defined test plan and known data.
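The validation described above, sketched as an added example (not ForensicSoft or NIST code): hash a test target holding a known data set, attempt sector writes, re-hash, and compare against the known value. The temp-file target and `refusing_writer` are constructed stand-ins; on a real bench, `path` would be the test disk (never evidence) with the blocker enabled and the default writer used.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # raw-device writes are issued in whole sectors


def sha256_of(path, chunk=1024 * 1024):
    """Hash the target in chunks so a whole disk never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def attempt_write(path, offset, payload):
    """Try to overwrite one sector; return (accepted, error text)."""
    try:
        with open(path, "r+b") as handle:
            handle.seek(offset)
            handle.write(payload)
            handle.flush()
            os.fsync(handle.fileno())
        return True, ""
    except OSError as exc:
        return False, type(exc).__name__


def validate(path, known_sha256, write_fn=attempt_write,
             offsets=(0, SECTOR, 8 * SECTOR)):
    """Run the test plan: baseline hash, write attempts, re-hash, verdict."""
    report = {"before": sha256_of(path), "writes": []}
    if report["before"] != known_sha256:
        # The data set is not the one the plan expects; nothing can be concluded.
        report["verdict"] = "BAD_BASELINE"
        return report
    for offset in offsets:
        accepted, error = write_fn(path, offset, b"\xAA" * SECTOR)
        report["writes"].append(
            {"offset": offset, "accepted": accepted, "error": error})
    report["after"] = sha256_of(path)
    # The hash comparison decides the verdict; per-write outcomes go in the notes.
    report["verdict"] = "PASS" if report["after"] == known_sha256 else "FAIL"
    return report


def make_test_target(size=64 * SECTOR):
    """Constructed stand-in for a test disk: a temp file of known content."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as handle:
        handle.write(bytes(range(256)) * (size // 256))
    return path


def refusing_writer(path, offset, payload):
    """Constructed stand-in for a working write blocker: every write is refused."""
    return False, "PermissionError"


if __name__ == "__main__":
    target = make_test_target()
    known = sha256_of(target)  # in practice, recorded when the data set was built
    print("blocked  :", validate(target, known, write_fn=refusing_writer)["verdict"])
    print("unblocked:", validate(target, known)["verdict"])
    os.remove(target)
```

Keep the returned report with your test notes: it records the baseline hash, each write attempt and its outcome, and the final hash that the verdict rests on.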

Yes. In fact, one of the advantages of using ForensicSoft Windows-based boot disks (SAFE) and write-blockers (SAFE Block) is the simple and easy way you can acquire or preview a RAID. In some cases, such as with a NAS device, SAFE Block may be the only possible way an examiner can acquire or preview data from a large multi-disk array or volume.

Using the software write blocking technology available with SAFE Block To Go and SAFE Block, you can access hardware RAID arrays as a single logical disk. When using typical forensic imaging tools such as Encase or FTK, you will be able to image all your disks in the array just as you would a single disk drive. There is no need to connect each disk of the array to its own write-blocker, image it individually, and then hope you can correctly rebuild the array.

For those examiners with RAID rebuilding skills, by using SAFE Block, the examiner can remove numerous hard drives from a NAS or other RAID device, attach them to their forensic workstation and write block them all at once without the need for 3, 10, 14 or more hardware write blocking devices. Then, in conjunction with Windows RAID rebuilding tools such as X-Ways Forensics, the examiner can select the correct RAID parameters and virtually build the array on these write protected RAID disks. Once the RAID from the NAS is virtually rebuilt, the examiner can acquire the entire rebuilt array or perform a selective acquisition of any logical files and/or folders, including any deleted files and folders or unallocated space, since you are viewing the disk through a forensic tool such as X-Ways Forensics.

The above-described method is the ONLY possible way for most examiners to forensically acquire a NAS without modifying data on the disks. If a NAS device is powered on with the drives in the NAS device, the firmware on the NAS device will write to the disks and modify them. So unless the examiner has multiple hardware write blockers (enough for one for each disk in the NAS device), using SAFE Block or another software write blocking tool is the only forensically sound way to accomplish this.

Not to mention a price of less than a few hundred dollars to block all disks with SAFE Block, compared with a price of up to $1,000 per hardware write blocker times 10+ disks, which equals over $10,000 to accomplish this with hardware write blockers.

For those examiners with Windows To Go and SAFE Block To Go, the examiner can simply boot the server or desktop containing a RAID with their Windows To Go boot disk and acquire the entire RAID array, no matter what type of RAID or how many disks, or perform a selective acquisition of any logical files and/or folders, including any deleted files and folders or unallocated space, since you are viewing the disk through a forensic tool such as X-Ways Forensics.

SAFE BLOCK FAQ's

SAFE Block is currently available for Microsoft Windows XP, Windows Vista, Windows 7, Windows 8.x and Windows 10.x, all in either 32-bit or 64-bit versions. SAFE Block Win8/10 supports both Windows 8 and Windows 10 computers.

Yes, Windows XP (32-bit or 64-bit) and Windows Server 2003 (32-bit or 64-bit) have the same foundation and are both considered Windows version 5.x and therefore, SAFE Block XP will install and run properly on Windows Server 2003.

Yes, Windows Vista (32-bit or 64-bit) and Windows Server 2008 (32-bit or 64-bit) have the same foundation and are both considered Windows version 6.0 and therefore, SAFE Block Vista will install and run properly on Windows Server 2008.

Yes, Windows 7 (64-bit) and Windows Server 2008 R2 (64-bit) have the same foundation and are both considered Windows version 6.1 and therefore, SAFE Block Win7 x64 will install and run properly on Windows Server 2008 R2.

Yes, Windows 8 and 8.1 (64-bit) and Windows Server 2012 and 2012R2 (64-bit) have the same foundation and are both considered Windows version 6.2 and 6.3 respectively and therefore, SAFE Block Win8/10 x64 will install and run properly on Windows Server 2012 and 2012R2.

Yes, Windows 10 (64-bit) and Windows Server 2016 (64-bit) have the same foundation and are both considered Windows version 10.x and therefore, SAFE Block Win8/10 x64 will install and run properly on Windows Server 2016. However, due to different kernel-mode driver signing requirements, you MUST install SAFE Block using our provided instructions and drivers provided on our Support webpage.

Yes, Windows 10 (64-bit) and Windows Server 2019 (64-bit) have the same foundation and are both considered Windows version 10.x and therefore, SAFE Block Win8/10 x64 will install and run properly on Windows Server 2019. However, due to different kernel-mode driver signing requirements, you MUST install SAFE Block using our provided instructions and drivers provided on our Support webpage.

Technically, yes. However, we do not recommend relying on SAFE Block running within a guest OS (virtual machine) to protect digital evidence that is physically attached to a host OS (physical machine) that is not also running SAFE Block. This warning is due to the fact that the host OS first detects the attached device and then hands off control of the physical device to the guest OS when you attach it to the virtual machine. This means that before the guest OS and SAFE Block within that guest OS have a chance to write protect any attached media, the device is first handled by a non-write protected host OS that may or may not have already written to the disk.

There are 3 primary ways we have observed the use of TrueCrypt with SAFE Block. SAFE Block will work in certain configurations as explained here.

  1. SAFE Block does not block the "system" disk due to the fact that your system must be able to write to the pagefile, Windows registry and other system files. Therefore you could encrypt the system disk but never block it with SAFE Block, with or without TrueCrypt.
  2. SAFE Block will block physical disks other than the system disk. Hence if you use TrueCrypt to create a .tc encrypted container file, and the physical disk on which the container file resides is blocked, then TrueCrypt will automatically mount the .tc file as "read-only". If you unblock the physical disk from within SAFE Block, the .tc file will remain "read-only".
  3. When you encrypt a partition with TrueCrypt, it is recommended that you only utilize the drive letter assigned by TrueCrypt and NOT the drive letter assigned by Windows. If you have Windows assigned drive letters and TrueCrypt assigned drive letters, you may run into conflicts between the two software programs in certain circumstances. This will likely cause a conflict with SAFE Block as well.

    In general, the mounting of encrypted partitions follows the same policy as described above for encrypted .tc volumes when it comes to TrueCrypt detecting the write protection status of the physical disk on which the encrypted partition resides. This means that if you have a physical disk blocked with SAFE Block and you attempt to mount it with TrueCrypt, TrueCrypt will detect the write blocked status of the disk and will automatically mount the encrypted partition as "read-only".

As a note of caution, if you were to mount either a .tc container file or a TrueCrypt encrypted partition while the disk(s) on which they reside is unblocked by SAFE Block, be cautious about blocking the physical disk AFTER mounting a TrueCrypt volume as "read-write". A TrueCrypt volume mounted on an unblocked disk can be (and is by default) mounted as "read-write", and if you were to then use SAFE Block to block a disk that is mounted and "in-use" by TrueCrypt, SAFE Block would tell you the disk was in use but allow you to "force" the blocking of the disk. If you then blocked the disk while a TrueCrypt volume on it was mounted, Windows would no longer be able to write to the volume and would start generating Windows Delayed-Write Failure errors, resulting in possible data corruption. Therefore, it is not recommended that you force the blocking of any physical disk that is currently in use by TrueCrypt.

iTunes needs to be able to write to these Apple devices in order to communicate with the device. If your SAFE Block policy settings are set to automatically block all removable disks, then every time you connect these USB devices, they will be blocked upon detection. If you wish to connect the device with iTunes you will need to unblock the device, but understand that iTunes will write to the device.

Yes. Please email sales@forensicsoft.com your requirements including the total number of computers on which you intend to install SAFE Block.

  1. Using your Internet browser, go to www.forensicsoft.com and logon to your Account. Your Account username is your email address. If you have forgotten or lost your password simply click the "Forgot Password" link in the Login section of the home page.

    Once you are logged on to your Account, click the "MyAccount" link at the top of the page. Next, click "Download Your Software". This will allow you to download and save the SAFE Block software to your computer. If you logged onto your Account from the computer on which you intend to install and use SAFE Block, then simply save this file to the Desktop or other location. If you intend to use SAFE Block on a different computer than the one you are currently using, save the downloaded file onto a thumb drive so it can be copied to the intended computer.
  2. To install SAFE Block software, copy the downloaded file onto the computer where SAFE Block will be used. This downloaded file is the installer program. Run the installer program by double-clicking the downloaded file.

    Follow the onscreen instructions in the installation Wizard. During the installation process, you will be prompted for your "License File". Select the option "I need to get a license file" and click Next. On the next screen you will be given a Machine Code. This code uniquely identifies the computer licensed to use SAFE Block. On a piece of paper write down this Machine Code (or copy it to your clipboard) and continue following the onscreen instructions to complete the Registration process. At this stage you will temporarily leave the software installation process and switch to a browser for the next steps.
  3. To register your license, log back onto your account at www.forensicsoft.com. Navigate to "MyAccount", then click on the "Register License" button. Enter the "Machine Code" from Step 2 into the fields labeled "Registration ID" and "Confirm Registration ID", then click Continue. On the next screen click the button "Get License", which will download your valid license key. You should save your license key to an obvious location like your Desktop (or on a thumb drive), as you will need to find it for the final step.

    For the final step, go back to the computer on which you are installing the SAFE Block software, and resume the installation process by following the Wizard. When prompted for your valid License Key, browse to where you saved the downloaded license key and complete your installation. Your ForensicSoft product will now be installed and registered.

There are instances where a SAFE Block license may need to be moved to a different computer than the one to which it was originally registered. You may find yourself needing to transfer a license in the case of decommissioning older workstations, or in the cases of destruction or theft of the workstation.

To transfer a license, you will need to follow the steps below.

  1. Send an email to support@forensicsoft.com with the subject of "License Transfer Request";
  2. In the email, please provide a statement regarding the reason for the license move request (e.g. destruction of the workstation containing the originally licensed ForensicSoft product);
  3. In the email, please provide a statement that you/your company confirms that the originally licensed ForensicSoft product has been removed, deactivated, destroyed or otherwise rendered inoperable on the original computer, and hence only the newly licensed product will be used (i.e. you and/or your company comply with the ForensicSoft license agreement).
  4. Upon receiving a confirmation from the support team that your license has been reset, you will then be instructed to reinstall the software and re-register it following the same procedures as when originally purchased.

Yes, SAFE Block always maintains a perpetual log in c:\Program Files\SAFE Block\ called transaction.txt, which lists all detected devices and their block/unblock status, as well as any manual unblocking/blocking where you choose to change the status of a disk.

SAFE BLOCK TO GO FAQ's

First, you need a high-speed certified Windows To Go USB drive. We recommend a minimum capacity of 64GB. We recommend either Spyrus or SuperTalent WTG certified USB drives. Next, you need the installation DVD or ISO of the Windows OS you will use to build Windows To Go, and you need to extract the install.wim file from the \Sources\ folder of the DVD or ISO. Using the PowerShell scripts and readme.txt instructions on our Support Page, you will use scripts to create either a dual-boot or single OS WTG USB boot disk. Once you deploy WTG using the provided scripts, you will boot your WTG and set up Windows To Go as you desire with all your favorite forensic and triage tools. Finally, you will install SAFE Block Win10 To Go (x64 or x86) and turn your WTG OS into a forensically sound boot disk.

Yes. The Windows To Go USB drive that you will create and on which you will install SAFE Block To Go, is a full version of Windows 10 and will run every Windows forensic software product you own. Your only limitation as to what Windows forensic software you install and run on your Windows To Go USB drive is the size of the USB drive you choose to use. While we have seen some use a 32GB USB Windows To Go drive, the OS fills it up quickly and you will likely have to pick and choose what you install on it so you have some free disk space to allow the portable OS to operate efficiently. Hence, we recommend a 64GB Windows To Go USB drive or larger to ensure you have room for the OS and all of your standard forensic tools.

No. The field use possibilities with SAFE Block To Go are far beyond any previous portable Triage OS or imaging tool and you should consider not limiting yourself. You may wish to consider the use of a variety of searching, imaging, triage, data recovery, and other software where you will be able to perform pretty much any process you want on any machine (servers, laptops, desktops, Intel-based tablets, etc.) all while having every internal and external attached disk completely write-blocked by SAFE Block Win10 To Go.

Additionally, you can use your Windows To Go USB to boot your own forensic workstations and attach any and all evidence drives you wish, with every one being completely protected by SAFE Block Win10 To Go at all times. Use your WTG boot disk as your forensic workstation on any machine at any time. You will never need any other write blocker again!

Yes, SAFE Block To Go supports all drives and controllers supported by Windows 10. Drivers for most major SCSI, SAS, SATA and Fibre Channel controllers, such as DELL PERC RAID controllers, will already be built into your Windows To Go OS, allowing you to boot servers and see all attached RAID drives as their native single RAID volumes as presented by the hardware RAID controller. This will allow you to image or triage RAID volumes as a single storage volume without the need to image an individual disk and deal with RAID rebuilding. In the event you run into a server or drive controller for which Windows 10 does not already have a built-in driver, you can download the Windows 10 x64 driver directly from the controller manufacturer and install it into your Windows To Go OS on-the-fly during runtime. The more machines of all kinds that you boot with your Windows To Go disk, the more capable you make the disk as it dynamically builds its driver library. You can/should install BootCamp drivers into your disk so that you have full driver support for all Mac computers.

Yes. To ensure you have full driver support for all Mac computers on your Windows To Go disk, you can obtain the BootCamp Windows Support Software from Apple and then install or update individual drivers from that package in Windows Device Manager. We do NOT recommend installing the entire BootCamp package in Windows To Go, as we have seen some of the legacy components cause issues due to not meeting Microsoft's kernel-mode driver signing requirements. In the event you run into a server or drive controller for which Windows 10 does not already have a built-in driver, you can download the Windows 10 x64 driver directly from the controller manufacturer and install it into your Windows To Go OS on-the-fly during runtime. The more machines of all kinds that you boot with your Windows To Go disk, the more capable you make the disk as it dynamically builds its driver library.