Testimonials
"For less then a third of the cost of the maintenance / annual warranty alone for one of my hardware device that only handled only SATA and IDE drives I was able purchase SafeBlock XP and handle literally every interface on my forensic server - USB drives, IDE, SATA SCSI and 51 different types of removable all substantially FASTER then the limited types handled by my hardware devices."
- Paul A. Henry MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP, CISM, CISA, ISSAP, CIFI Vice President, Strategic Accounts Secure Computing
FAQs
What is a software write blocker?
A software write blocker, such as ForensicSoft’s SAFE Block XP, is a software tool designed to monitor and control all access to storage devices on the computer on which the tool is installed, and to prevent writes to those devices. Software write blocking is utilized by forensic examiners, incident response and security professionals, attorneys, litigation support personnel and anyone else needing to preserve the integrity of digital evidence to be used in legal proceedings.
Software write blocking is accomplished in different ways depending on the complexity of the operating system. In the early days of the field of Computer Forensics, software write blocking was accomplished through DOS tools including RCMP HDL, PDBlock, and a few others. These DOS tools accomplished write blocking by controlling access to disks via interrupt 0x21 and 0x13 requests. Software write blockers used on DOS Control Boot Disks were the industry standard for data protection of computers to be seized/imaged/searched for over a decade, until DOS became too slow and lacked the application and driver support needed by forensic examiners.
As the forensic industry moved on to “complex OSs” such as Windows and Linux, software write blocking ceased to exist for almost 10 years due to the fact that write protecting the complex OS was much more complicated. In complex operating systems, software write blocking is accomplished through the use of specially designed disk controller drivers and/or filter drivers that monitor and control all system read/write commands, rather than through the blocking of Int 0x13 and 0x21 requests. This is explained by NIST in their Software Write Block Tool Specification and Test Plan here: http://www.cftt.nist.gov/documents/SWB-STP-V3_1a.pdf
ForensicSoft’s SAFE Block XP is the first and only commercially available software write blocker for a complex operating system that is application independent and protects all storage devices on all interfaces, including IDE (PATA), SATA, SCSI, SAS, Fibre Channel, USB, IEEE1394 and all others.
How does a software write-blocker compare to hardware write-blockers?
A software write blocker, such as SAFE Block, performs the same basic function as hardware write-blocker counterparts. The main difference is that software write blocking uses a software application installed on your forensic workstation to prevent the workstation from writing to attached disks, as opposed to hardware write blocking which uses software burned onto a controller chip inside a “forensic bridge” device that physically connects between your evidence disk and your forensic workstation.
Both options block write commands from being passed to a protected disk. However, there are significant differences between the two approaches. A few of the most notable include the following:
- SAFE Block is software and therefore takes up no physical space in your already full investigator kit.
- It requires no power, hence you cannot misplace or accidentally forget to bring a power adaptor into the field during an investigation.
- SAFE Block allows for data acquisition at speeds up to 10 times faster than that of hardware write-blockers (the software write-blocker does not require device interface bridging from one interface technology to another, which is often a significant data I/O bottleneck).
- You only need one piece of software to block EVERY interface (IDE (PATA), SATA, eSATA, SCSI, USB, IEEE1394 and more).
- This single piece of software also blocks rarer interfaces such as SAS and Fibre Channel (all connection types).
- SAFE Block allows you to multi-task blocking and processing as many concurrent disks as you wish without the need to purchase 10 SATA hardware write blockers to block 10 SATA drives at once.
- SAFE Block provides detection of and access to HPA and DCO areas of IDE disks without the need for additional utilities.
- SAFE Block costs a fraction of the cost of hardware write blockers.
What drive interfaces are blocked by SAFE Block and SAFE boot disks?
Our software write blocker (SAFE Block) and Windows forensic boot disk environment (SAFE) each block the following directly attached interfaces:
- EIDE
- IDE (PATA)
- SATA
- eSATA
- SCSI
- SAS
- Fibre Channel
- USB
- Firewire (IEEE 1394)
- Compact Flash I/II/MD
- Smart Media/xD
- MS/PRO/Duo/PRO Duo
- SD/Mini/MMC/RS/Plus/Mobile
- Hardware RAID (using any of the above mentioned interfaces)
Does your company provide any test data verifying the forensic soundness of your write-blocker?
Yes. ForensicSoft and the University of Rhode Island have both tested the performance of our write-blocker against the write-blocker test suite published by the National Institute of Standards and Technology (NIST). ForensicSoft’s SAFE Block passed 100% of NIST’s test as seen in the report here:
http://dfc.cs.uri.edu/research/SAFEBlock_Correctness.pdf
Many of our customers have also conducted extensive validation testing of SAFE Block using the published NIST test plan or their own internal plan. SAFE Block and the SAFE Windows boot disk have been submitted to both NIST CFTT and DC3 for independent and public validation testing.
What versions of Windows are supported for SAFE Block?
SAFE Block is currently available for Microsoft Windows XP 32-bit and Windows XP 64-bit. Other versions of SAFE Block will be launched in the coming months that support Windows Vista 32-bit and 64-bit, and Windows 7 32-bit and 64-bit.
Can I run SAFE Block XP on Windows Vista or Windows 7?
No. SAFE Block XP is designed specifically for the Microsoft XP Operating Systems and will not allow installation on Windows Vista or Windows 7. SAFE Block XP is available for both 32-bit and 64-bit versions of Windows XP. While SAFE Block XP will not install on Windows Vista (or later OS), it will install and run on all Windows 2000 Operating System versions.
Can I run SAFE Block XP on Windows Server 2003?
Yes, Windows XP (32-bit or 64-bit) and Windows Server 2003 (32-bit or 64-bit) have the same foundation and are both considered Windows version 5.x and therefore, SAFE Block XP will install and run properly on Windows Server 2003.
Can I run SAFE Block XP on Windows Server 2008?
No, Windows XP and Windows Server 2008 do not have the same foundation. Windows XP is Windows version 5.x and Server 2008 is based on the Vista 6.x OS. Therefore, SAFE Block XP will not install on Windows Server 2008. However, once SAFE Block Vista (32-bit and 64-bit) versions are finalized and released, they will install and run properly on Windows Server 2008 in addition to Windows Vista.
Does SAFE Block XP block built-in “internal” card/media readers in laptops?
It depends. Our testing has shown that some manufacturers utilize custom software to read/write from/to some internal built-in card/media readers in place of the standard mechanism by which Windows XP writes to a disk. These internal devices do not appear to the host computer as a disk drive or disk subsystem. Externally connected USB flash card readers are all blocked by SAFE Block (and SAFE boot disk).
It is strongly recommended that you perform your own validation testing on your laptop, if using SAFE Block XP to block a built-in internal card/media reader, prior to attempting to protect digital evidence. If using an unknown laptop that you have not had a chance to perform such validation testing, you should use an external USB card reader with SAFE Block XP (and SAFE boot disk) to ensure protection.
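One way to carry out the validation testing recommended above is to hash the test media before and after an activity and report which sectors changed. This is an added example, not ForensicSoft's or NIST's test procedure; the function names, the 512-byte sector size and the constructed image standing in for a test disk are assumptions.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # bytes per sector (assumption; some media use 4096)


def build_manifest(path, chunk_sectors=2048):
    """Hash the media once; return (whole_sha256_hex, [(chunk_digest, n_bytes), ...])."""
    whole, chunks = hashlib.sha256(), []
    with open(path, "rb") as dev:
        while True:
            data = dev.read(chunk_sectors * SECTOR)
            if not data:
                break
            whole.update(data)
            chunks.append((hashlib.sha256(data).digest(), len(data)))
    return whole.hexdigest(), chunks


def changed_ranges(before, after, chunk_sectors=2048):
    """Return [(first_sector, last_sector), ...] for chunks whose digest or size differs."""
    ranges = []
    for i in range(max(len(before), len(after))):
        a = before[i] if i < len(before) else None
        b = after[i] if i < len(after) else None
        if a != b:
            n_bytes = max(x[1] for x in (a, b) if x is not None)
            first = i * chunk_sectors
            ranges.append((first, first + -(-n_bytes // SECTOR) - 1))
    return ranges


def validate(path, activity, chunk_sectors=2048):
    """Hash, run the activity under test, hash again, and report what changed."""
    h0, m0 = build_manifest(path, chunk_sectors)
    try:
        activity(path)
        error = None
    except OSError as exc:  # a blocked write normally surfaces as an I/O error
        error = repr(exc)
    h1, m1 = build_manifest(path, chunk_sectors)
    return {"before": h0, "after": h1, "unchanged": h0 == h1,
            "changed": changed_ranges(m0, m1, chunk_sectors),
            "activity_error": error}


def make_constructed_image(path, sectors=8192):
    """Constructed 4 MiB test image: every sector is filled with its own number."""
    with open(path, "wb") as f:
        for n in range(sectors):
            f.write(n.to_bytes(4, "little") * (SECTOR // 4))


def read_only_activity(path):
    """Stands in for previewing the media: reads only."""
    with open(path, "rb") as f:
        f.read(SECTOR)


def unblocked_write(path):
    """Stands in for a write that reached the media because nothing blocked it."""
    with open(path, "r+b") as f:
        f.seek(5000 * SECTOR)
        f.write(b"\xff" * 16)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "constructed.img")
        make_constructed_image(image)
        for activity in (read_only_activity, unblocked_write):
            report = validate(image, activity, chunk_sectors=8)
            print(activity.__name__, report["unchanged"], report["changed"])
```

Run it against a test disk of known content rather than evidence, and replace the sample activities with the real steps being validated (attaching the reader, browsing the card, running the acquisition tool).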
Can I run SAFE Block from within a Virtual Machine?
Technically, yes. However, we do not recommend relying on SAFE Block running within a guest OS (virtual machine) to protect digital evidence that is physically attached to a host OS (physical machine) that is not also running SAFE Block. This warning is due to the fact that the host OS first detects the attached device and then “hands off” control of the physical device to the guest OS when you attach it to the virtual machine. This means that before the guest OS and SAFE Block within that guest OS have a chance to write protect any attached media, the device is first handled by a non-write protected host OS that may or may not have already written to the disk.
Do you offer volume license agreements or site licenses for SAFE Block?
Yes. Please email sales@forensicsoft.com your requirements including the total number of computers on which you intend to install SAFE Block.
How do I renew my annual support agreement?
Simply visit us at www.forensicsoft.com and log into your account. From here, you can add a support agreement renewal to your cart, then check out with a credit card as you would for any other purchase.
After I have completed my purchase, how do I download, install and register my SAFE Block license?
- Using your Internet browser, go to www.forensicsoft.com and log on to your Account. Your Account username is your email address. If you have forgotten or lost your password simply click the “Forgot Password” link in the Login section of the home page.
Once you are logged in to your Account, click the "MyAccount" link at the top of the page. Then, click on "Get My Products and View My Orders". Next, click "Download Software". This will allow you to download and save the SAFE Block software to your computer. If you logged onto your Account from the computer on which you intend to install and use SAFE Block, then simply save this file to the Desktop or other location. If you intend to use SAFE Block on a different computer than the one you are currently using, save the downloaded file onto a thumb drive so it can be copied to the intended computer.
- To install SAFE Block software, copy the downloaded file onto the computer where SAFE Block will be used. This downloaded file is the installer program. Run the installer program by double-clicking the downloaded file, named SAFEBlockXTV1_3.exe.
Follow the onscreen instructions in the installation Wizard. During the installation process, you will be prompted for your "License File". Select the option "I need to get a license file" and click Next. On the next screen you will be given a “Machine Code”. This code uniquely identifies the computer licensed to use SAFE Block. On a piece of paper write down this Machine Code (or copy it to your clipboard) and continue following the onscreen instructions to complete the Registration process. At this stage you will temporarily leave the software installation process and switch to a browser for the next steps.
- To register your license, log back onto your account at www.forensicsoft.com. Navigate to “MyAccount”, “Get My Products and View My Orders,” and then click on the "Register License" button. Enter the "Machine Code" from Step 2 into the fields labeled "Registration ID" and "Confirm Registration ID", then click Continue. On the next screen click the button "Get License", which will download your valid license key. You should save your license key to an obvious location like your Desktop (or on a thumb drive) as you will need to find it for the final step.
For the final step, go back to the computer on which you are installing the SAFE Block software, and resume the installation process by following the Wizard. When prompted for your valid “License Key”, browse to where you saved the downloaded license key and complete your installation. Your ForensicSoft product will now be installed and registered.
Will SAFE Block work with drives encrypted by TrueCrypt?
There are 3 primary ways we have observed the use of TrueCrypt with SAFE Block. SAFE Block will work in certain configurations as explained here.
- SAFE Block does not block the "system" disk due to the fact that your system must be able to write to the pagefile, Windows registry and other system files. Therefore you could encrypt the system disk but never block it with SAFE Block, with or without TrueCrypt.
- SAFE Block will block physical disks other than the “system” disk. Hence if you use TrueCrypt to create a .tc encrypted container file, and the physical disk on which the container file resides is blocked, then TrueCrypt will automatically mount the .tc file as “read only”. If you unblock the physical disk from within SAFE Block, the .tc file will remain “read only”.
- When you encrypt a partition with TrueCrypt, it is recommended that you only utilize the drive letter assigned by TrueCrypt and NOT the drive letter assigned by Windows. If you have Windows assigned drive letters and TrueCrypt assigned drive letters, you may run into conflicts between the two software programs in certain circumstances. This will likely cause a conflict with SAFE Block as well.
In general, the mounting of encrypted partitions follows the same policy as described above for encrypted .tc volumes when it comes to TrueCrypt detecting the write protection status of the physical disk on which the encrypted partition resides. This means that if you have a physical disk blocked with SAFE Block and you attempt to mount it with TrueCrypt, TrueCrypt will detect the write blocked status of the disk and will automatically mount the encrypted partition as "read-only".
As a note of caution, if you were to mount either a .tc container file or a TrueCrypt encrypted partition while the disk(s) on which they reside is unblocked by SAFE Block, be cautious about blocking the physical disk AFTER mounting a TrueCrypt volume as "read-write". A TrueCrypt volume mounted on an unblocked disk can be (and is by default) mounted as "read-write", and if you were to then use SAFE Block to block a disk that is mounted and "in-use" by TrueCrypt, SAFE Block would tell you the disk was in use but allow you to "force" the blocking of the disk. If you then blocked the disk while a TrueCrypt volume on it was mounted, Windows would no longer be able to write to the volume and would start generating Windows Delayed-Write Failure errors, resulting in possible data corruption. Therefore, it is not recommended that you force the blocking of any physical disk that is currently in use by TrueCrypt.
What is a forensic boot disk?
A boot disk is a fully functional operating system contained on removable media including floppy disk, CD/DVD or more recently USB disks. Boot disks are designed to allow a user to boot a computer using the OS on the boot disk, in place of booting from any OS installed on any internal hard disks. A standard boot disk, which is typically used by users such as system administrators for a variety of purposes, is designed to attempt to identify and read from any attached storage devices, and in the process it makes unintentional writes to the storage devices.
A forensic boot disk is a modified boot disk that is specially designed to not automatically write or attempt to write to any attached storage devices without the user intentionally doing so. Taking a basic forensic boot disk further, a software write blocking tool can be integrated into the forensic boot disk to protect data from accidental modification, in addition to any automatic OS attempts to write to a disk. Most “forensic boot disks” also include a collection of tools and utilities for performing forensic tasks such as hashing, data acquisition, searching, documenting system information, data recovery, and many more.
While many Linux Live CDs have been highly modified and are considered by many to be “forensic boot disks”, the Linux boot disks do not include software write blocking. These Linux boot disks are modified to prevent auto-mounting of detected file systems and mount such file systems in a logical read-only mode. However, they do not prevent the boot disk or the tools contained within from writing to the physical disks, regardless of being mounted read-only, and are therefore not as forensically sound as forensic boot disks that incorporate actual software write blocking. Software write blocking in complex operating systems is accomplished only through the use of specially designed disk controller drivers and/or filter drivers that monitor and control all system read/write commands, as explained by NIST here:
http://www.cftt.nist.gov/documents/SWB-STP-V3_1a.pdf
What is your SAFE forensic boot disk?
Our SAFE forensic boot disk (available in CD or USB form) is the only Windows forensic boot disk in the world. The SAFE boot disk is a specially designed version of the Windows PE operating system that incorporates our proven SAFE Block software write blocking technology, making the SAFE boot disk the only “complex OS” forensic boot disk in the world that provides software write blocking.
The SAFE boot disk comes in two versions, Consultant and Enterprise, both of which require a licensed USB dongle for full functionality. The Consultant version requires the USB dongle be present at all times for operation and therefore can only be used to boot a single computer at a time. The Enterprise dongle can be removed after fully booting a computer and therefore allows a user to boot as many computers as desired concurrently, allowing multi-tasking.
All versions of the SAFE boot disk run the same software write blocked version of Windows PE operating system. Within the SAFE boot environment the user has the ability to run most Windows tools and utilities, including EnCase, FTK Imager, X-Ways Forensics, and many other common tools used for Forensics, Security, Data Recovery, Incident Response, and Diagnostics. Supported Windows tools are loaded onto a USB Tools Disk, which SAFE recognizes and makes available within the SAFE Graphical User Interface. SAFE also includes many built-in tools allowing the user to perform basic functions including file management, searching, documentation, and system logging to preserve a record of your session and all attached hardware.
The SAFE boot disk has many benefits over previous boot disk technology relying on Linux or DOS. Because SAFE is Windows-based, it allows for the use of Windows device drivers. Because Windows device drivers exist for all hardware a user may run into, the user is not limited to only detecting and interacting with storage devices and disk controllers that a Linux or DOS boot disk has built into it. In many cases DOS and Linux drivers do not exist, and in the case of Linux, many users of Linux boot disks are not familiar with loading device drivers into a Linux boot disk. With SAFE, you simply click the “Add driver” button and provide the desired driver files. Another benefit of running within a Windows OS is that users familiar with Windows can run their favorite Windows tools and not have to learn to use unfamiliar open source or command line tools. SAFE, being Windows based, is also the only forensic boot disk that includes full native read/write support for NTFS and NTFS compressed file systems.
Does your SAFE boot disk allow me to use Windows indefinitely on the target computer?
No. SAFE includes a version of Microsoft Windows PE which is loaded into the target computer's memory to create the SAFE forensic and diagnostic environment. The Microsoft® Windows® Preinstallation Environment software included with SAFE may be used for booting, forensic procedures (such as hashing, imaging, previewing, searching, scanning, etc.), diagnostics, setup, restoration, installation, configuration, test or disaster recovery purposes only. NOTE: THIS SOFTWARE CONTAINS A SECURITY FEATURE THAT WILL CAUSE END USER’S SYSTEM TO REBOOT WITHOUT NOTIFICATION TO THE END USER AFTER 72 HOURS OF CONTINUOUS USE.
Can I boot SAFE using CD or USB?
Yes, both. The purchased and fully-licensed version of our SAFE product comes in CD form, and will allow you to create additional bootable CDs and/or bootable USB disks. As with any bootable disk, you will need to change the BIOS settings of the target computer to boot first from either CD or USB in order for SAFE to boot.
The trial version of the SAFE boot disk is only available in CD form and does not allow creation of the bootable USB disk.
Can I boot SAFE on netbooks that only use flash-based hard drives and have no optical (CD/DVD) drive?
Yes. When you purchase a fully-licensed copy of SAFE, you will be able to create a SAFE bootable USB disk that will allow you to boot any Netbook or similar computer that does not have an optical drive. As with any boot disk, you must remember to set the BIOS settings on the target computer to first boot from USB in order for SAFE to boot.
Since SAFE is based on Windows Vista, Vista controller drivers for any new hardware not already supported by the SAFE boot disk can be downloaded from the Netbook manufacturer websites and loaded “on-the-fly” if your SAFE boot disk does not detect any internal drives.
Can I use SAFE to acquire data from solid state drives?
Yes. As Solid State Drives increase in popularity, there is a growing problem relating to the effective acquisition of data from these drives in a forensically sound manner. The two main issues the typical forensic examiner faces with acquiring data from Solid State Drives are either: 1) pulling the SSD from the subject computer and finding the appropriate drive ribbon cable adapter(s) to attach to their forensic workstation, or 2) booting the subject computer with a boot disk and having the appropriate hard drive controller drivers so their boot disk recognizes the SSD.
ForensicSoft offers an elegant and affordable solution via our SAFE boot disk - which comes in both CD and USB bootable versions for those newer laptops without optical drives. Since the SAFE boot disk is a forensically-sound Windows boot disk, it allows the use of Windows drivers which are available for every Intel-based platform hardware device you will encounter. If the driver is not already built into the SAFE boot disk then you simply click an “Add driver” button at any time and add the driver of your choice on-the-fly. Then simply run the Windows forensic acquisition tool of your choice, whether you are an EnCase, FTK, X-Ways, or other user. So just boot your subject computer with a SAFE boot disk and you will never have to dismantle a laptop and remove an SSD again.
Using SAFE is a great alternative to conventional approaches such as dismantling the laptop, removing the SSD, searching for the correct adapter for your hardware write blocker, or using popular “forensic” Linux CD/USB boot disks and hoping that they have the necessary drivers to access the SSD.
Can I boot a Mac computer with the SAFE boot disk?
It depends. Our SAFE boot disk is designed specifically for the x86-based computer platform and will therefore boot all of the newer “Intel-based” Apple Macs. The SAFE boot disk will not boot the older “Power-PC” based Apple Macs.
Why does my iPod/iPhone/iTouch not connect to iTunes and Windows asks if I wish to “Scan and Repair” the device when I connect it to my computer running SAFE Block?
iTunes needs to be able to write to these Apple devices in order to communicate with the device. If your SAFE Block policy settings are set to automatically block all removable disks, then every time you connect these USB devices, they will be blocked upon detection. If you wish to connect the device with iTunes you will need to unblock the device, but understand that iTunes will write to the device.
Can I image and rebuild a RAID Array or NAS device using SAFE or SAFE Block?
Yes. In fact, one of the advantages of using ForensicSoft’s Windows-based boot disks (SAFE) and write-blockers (SAFE Block) is the simple and easy way you can acquire or preview a RAID. In some cases, such as with a NAS device, SAFE Block may be the only possible way an examiner can acquire or preview data from a large multi-disk array or volume.
Using the software write blocking technology available with SAFE and SAFE Block, you can access hardware RAID arrays as a single logical disk. When using typical forensic imaging tools such as Encase or FTK, you will be able to image all your disks in the array just as you would a single disk drive. There is no need to connect each disk of the array to its own write-blocker, image it individually, and then hope you can correctly rebuild the array.
For those examiners with RAID rebuilding skills, by using SAFE or SAFE Block XP, the examiner can remove numerous hard drives from a NAS or other RAID device and attach them to their forensic workstation and write block them all at once without the need of 3, 10, 14 or more hardware write blocking devices. Then in conjunction with Windows RAID rebuilding tools such as X-Ways Forensics, the examiner can select the correct RAID parameters and virtually build the array on these write protected RAID disks. Once the RAID from the NAS is “virtually” rebuilt, the examiner can acquire the entire rebuilt array or perform a selective acquisition of any logical files and/or folders, including any deleted files and folders or unallocated space, since you are viewing the disk through a forensic tool such as X-Ways Forensics.
The method described above is the ONLY possible way for most examiners to forensically acquire a NAS without modifying data on the disks. If a NAS device is powered on with the drives in the NAS device, the firmware on the NAS device will write to the disks and modify them. So unless the examiner has multiple hardware write blockers (enough for one for each disk in the NAS device), then using SAFE Block or other software write blocking tool is the only forensically sound way to accomplish this.
Not to mention the price: less than $300 to block all disks with SAFE Block, compared with up to $1000 per hardware write blocker times 10+ disks, which comes to over $10,000 to accomplish this with hardware write blockers.
How do I transfer my SAFE Block license to a different computer?
There are instances where a SAFE Block license may need to be moved to a different computer than the one to which it was originally registered. You may find yourself needing to transfer a license in the case of decommissioning older workstations, or in the cases of destruction or theft of the workstation.
To transfer a license, you will need to follow the steps below.
- Send an email to support@forensicsoft.com with the subject of "License Transfer Request";
- In the email, please provide a statement regarding the reason for the license move request (e.g. destruction of the workstation containing the originally licensed ForensicSoft product);
- In the email, please provide a statement that you/your company confirms that the originally licensed ForensicSoft product has been removed, deactivated, destroyed or otherwise rendered inoperable on the original computer, and hence only the newly licensed product will be used (i.e. you and/or your company comply with the ForensicSoft license agreement).
- Upon receiving a confirmation from the support team that your license has been reset, you will then be instructed to reinstall the software and re-register it following the same procedures as when originally purchased.
Will EnCase 64-bit run in SAFE from the tools disk?
No. EnCase 64-bit version cannot be supported on SAFE as it is only a 32-bit environment. If you wish to use EnCase on a tools disk, please create the disk on a 32-bit machine.
Why won't FTK Imager run in SAFE from the tools disk?
At this time SAFE is only able to support up to FTK Imager version 2.6.X. Please ensure you are using a tools disk created with this version or lower.
