Testing Write Blockers James R Lyle CFTT Project NIST/ITL/SDCT November 06, 2006.

Slides:



Advertisements
Similar presentations
Chapter 13: I/O Systems I/O Hardware Application I/O Interface
Advertisements

OPERATING SYSTEMS Lecturer: Szabolcs Mikulas Office: B38B
Chapter 5 Input/Output 5.1 Principles of I/O hardware
The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.
COEN 252 Computer Forensics Hard Drive Geometry. Drive Geometry Basic Definitions: Track Sector Floppy.
A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.
Write Blocking CSC 485/585.
Operating System Structures
Jim Lyle National Institute of Standards and Technology.
Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.
Lecture 11: Operating System Services. What is an Operating System? An operating system is an event driven program which acts as an interface between.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.
Motherboard, BIOS and POST The external data bus connects devices on the motherboard together. Everything is also connected to the address bus. These busses.
14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Unit 6- Operating Systems.  Identify the purpose of an OS  Identify different operating systems  Describe computer user interaction with multiple operating.
1 DOS with Windows 3.1 and 3.11 Operating Environments n Designed to allow applications to have a graphical interface DOS runs in the background as the.
Operating System Organization
Operating Systems.
Word Processing, Web Browsing, File Access, etc. Windows Operating System (Kernel) Window (GUI) Platform Dependent Code Virtual Memory “Swap” Block Data.
Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015.
Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.
Computer Forensics Tool Catalog: Connecting Users With the Tools They Need AAFS –February 21, 2013 Ben Livelsberger NIST Information Technology Laboratory.
Quirks Uncovered While Testing Forensic Tool Jim Lyle Information Technology Laboratory Agora March 28, 2008.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md.
Internal components, Backing Storage, Operating Systems Software
 FILE S SYSTEM  DIFFERENT FILE SYSTEMS  FILE SYSTEM COMPONENTS  FILE OPERATIONS  LOG STRUCTERD FILE SYSTEM  FILE EXAMPLES.
hardware and operating systems basics.
Operating Systems Networking for Home and Small Businesses – Chapter 2 – Introduction To Networking.
By Donald Wood CSS 350. Overview Forensic tools are an important part of the computer forensic investigator’s ability to perform his/her job. Imaging.
Operating Systems  A collection of programs that  Coordinates computer usage among users  Manages computer resources  Handle Common Tasks.
Operating Systems Advanced OS - E. OS Advanced Evaluating an Operating System.
Ben Livelsberger NIST Information Technology Laboratory, CFTT Program
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
How Hardware and Software Work Together
Windows 7 Firewall.
Operating Systems JEOPARDY Computer Repair NetworkOS OS Tasks ConceptsComponentsMisc
Guide to Linux Installation and Administration, 2e1 Chapter 2 Planning Your System.
C HAPTER 2 Introduction to Windows XP Professional.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or.
File System Management File system management encompasses the provision of a way to store your data in a computer, as well as a way for you to find and.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
The Operating System ICS3M.  The operating system (OS) provides a consistent environment for other software programs to execute commands.  It gives.
Class ID: Renesas Electronics America Inc. © 2012 Renesas Electronics America Inc. All rights reserved. Implementing Bootloaders on Renesas MCUs.
COEN 252 Computer Forensics Hard Drive Geometry. Drive Geometry Basic Definitions: Track Sector Floppy.
IST 222 Day 3. Homework for Today Take up homework and go over Go to Microsoft website and check out their hardware compatibility list.
1.4 Hardware Review. CPU  Fetch-decode-execute cycle 1. Fetch 2. Bump PC 3. Decode 4. Determine operand addr (if necessary) 5. Fetch operand from memory.
Computer Software Types Three layers of software Operation.
A+ Guide to Managing and Maintaining Your PC Fifth Edition Chapter 2 How Hardware and Software Work Together.
Feb/18/2014 Mazen Alzyoud Early Term Exam Review.
Chapter 8: Installing Linux The Complete Guide To Linux System Administration.
It consists of two parts: collection of files – stores related data directory structure – organizes & provides information Some file systems may have.
2: Operating Systems Networking for Home & Small Business.
9NL Ayomi Hasenclever.  You cant touch a software  It is stored in a computer or laptop  Allows the hardware to do something useful, without the software.
Defining, Measuring and Mitigating Errors for Digital Forensic Tools Jim Lyle, Project Leader NIST Computer Forensics Tool Testing Feb 25, 2016AAFS - Las.
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
Introduction to Operating Systems Concepts
Operating System & Application Software
Chapter Objectives In this chapter, you will learn:
Maintaining Windows Server 2008 File Services
Computing Fundamentals
Digital Forensics Dr. Bhavani Thuraisingham
Chapter 2: Operating-System Structures
Introduction to Operating Systems
Modern PC operating systems
Operating Systems: A Modern Perspective, Chapter 3
Chapter 2: Operating-System Structures
Presentation transcript:

Testing Write Blockers James R Lyle CFTT Project NIST/ITL/SDCT November 06, 2006

Nov 06, 2006Techno Forensics at NIST2 DISCLAIMER Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose.

Nov 06, 2006Techno Forensics at NIST3 Project Sponsors  NIST/OLES (Program management)  National Institute of Justice (Major funding)  FBI (Additional funding)  Department of Defense, DCCI (Equipment and support)  Homeland Security (Technical input)  State & Local agencies (Technical input)  Internal Revenue, IRS (Technical input)

Nov 06, 2006Techno Forensics at NIST4 Talk Outline  Software Write Blocking  Hardware Write Blocking

Nov 06, 2006Techno Forensics at NIST5 Protection Goals  Prohibit any changes to a hard drive  Prohibit changes by a malicious program  Prohibit accidental change (blunder)  Prohibit change by operating system  Prohibit damage to a drive

Nov 06, 2006Techno Forensics at NIST6 Protection Strategies  Standardized & validated procedures  No Protection software or device  Trusted OS & trusted tools  Software write block program  Hardware write block device

Nov 06, 2006Techno Forensics at NIST7 Software Write Blocking  Blocking strategies  Interrupt 0x13 command set  Command usage observations  NIST test results for RCMP HDL & Pdblock

Nov 06, 2006Techno Forensics at NIST8 Software Blocking Tools  BIOS based interrupt 0x13 DOS TSR  Driver based (e.g., Windows filter stack)  Built in to OS: Windows XP service pack 2

Nov 06, 2006Techno Forensics at NIST9 Write Block Strategies  Block unsafe commands, allow everything else +Always can read, even if new command introduced -Allows newly introduced write commands  Allow safe commands, block everything else +Writes always blocked - Cannot use newly introduced read commands

Nov 06, 2006Techno Forensics at NIST10 Interrupt 0x13 Commands  256 possible command codes  Common BIOS has about 20 defined  Many obsolete or discontinued commands  Many commands defined for add on products see

Nov 06, 2006Techno Forensics at NIST11 Hard Drive BIOS Access

Nov 06, 2006Techno Forensics at NIST12 SWB Tool Operation

Nov 06, 2006Techno Forensics at NIST13 Test Harness Operation

Nov 06, 2006Techno Forensics at NIST14 Phoenix BIOS 4.0

Nov 06, 2006Techno Forensics at NIST15 Observations of 0x13 Usage I

Nov 06, 2006Techno Forensics at NIST16 Observations of 0x13 Usage II

Nov 06, 2006Techno Forensics at NIST17 Comments on 0x13  Only two unsafe commands were in use  Other unsafe commands unlikely to be used  Format: 05, 06, & 07  Diagnostic: 0E, 0F, 12, 13, & 14  Write long: 0B

Nov 06, 2006Techno Forensics at NIST18 RCMP HDL & Pdblock

Nov 06, 2006Techno Forensics at NIST19 Write Blocking Hardware  Blocking device actions  ATA standards  Observed ATA commands  Device behaviors for two devices

Nov 06, 2006Techno Forensics at NIST20 CPU Device Send I/O CMD to Device Return result to CPU BUS1 BUS 2 PROTOCOL ANALYZER Monitor Bus Traffic BUS HWB Testing HWB

Nov 06, 2006Techno Forensics at NIST21 Write Blocker Actions  The device forwards the command to the hard drive.  The blocking device substitutes a different command to the hard drive. The is the case if the blocking device uses different bus protocols for communication with the host and hard drive.  The device simulates the command without actually forwarding the command to the hard drive.  If a command is blocked, the device may return either success or failure for the blocked operation. However, returning failure may sometimes cause the host computer to lock up for some commands issued by some operating systems.

Nov 06, 2006Techno Forensics at NIST22 ATA Standards

Nov 06, 2006Techno Forensics at NIST23 Using a Protocol Analyzer

Nov 06, 2006Techno Forensics at NIST24 ATA Write Commands

Nov 06, 2006Techno Forensics at NIST25 Other Unsafe ATA Cmds

Nov 06, 2006Techno Forensics at NIST26 Commands Issued by BIOS

Nov 06, 2006Techno Forensics at NIST27 Write Commands Issued by OS (Unix)

Nov 06, 2006Techno Forensics at NIST28 Write Commands Issued by OS (MS)

Nov 06, 2006Techno Forensics at NIST29 Blocking Devices vs Writes  Action by device X and device Y on observed write commands

Nov 06, 2006Techno Forensics at NIST30 Blocking Devices vs Reads  Actions against observed read commands for two devices: X & Y  Device Y replaces read multiple with read DMA

Nov 06, 2006Techno Forensics at NIST31 Results for an ATA Device The tested device allowed only the following commands: 20=READ W/ RETRY 24=READ SECTOR EXT 25=READ DMA EXT 27=RD MAX ADR EXT 37=SET MAX ADR EXT (volatile) 70=SEEK 91=INIT DRV PARAMS B1=Device Config C8=Read DMA F8=RD NATV MAX ADD F9=SET MAX ADDRESS (volatile) On power on the device issues the following commands to the protected drive: EC=IDENTIFY DRIVE EF=SET FEATURES C6=SET MULTPLE EF=SET FEATURES C6=SET MULTPLE MOD Note that the identify device command is blocked if issued by the host, but the device returns the values obtained at power on.

Nov 06, 2006Techno Forensics at NIST32 Another ATA Device  Although no commands were allowed by the write blocker that could change user or operating system data, some unsupported or atypical commands were allowed. Some examples are: CommandComment Down load microcode (0x92)This command allows reprogramming of hard drive firmware. While this could change drive behavior, the information to do so is drive model specific and not generally available. Format Track (0x50)This command is not defined in the current ATA hard drive specifications (ATA-4, through ATA-7). The command was defined in ATA-1, ATA-2 and ATA-3, however all three specifications have been withdrawn. The command could be used to erase information on an older drive that supports the instruction, but could not be used to change the content of any user or operating system data stored on a drive. SMART write (0xB0,D6)This command records information in a device maintenance log, not part of the data area where data files and operating system data is stored. Vendor Specific commandsThese are undocumented commands specific to a given model of hard drive. CFA Erase Erase (0xC0)This command applies to Compact Flash devices, not hard drives. SATA Write FPDMA (0x61)This command is noted by the protocol analyzer, but the command is only valid for Serial ATA (SATA) devices.

Nov 06, 2006Techno Forensics at NIST33 Notable Blocker Behaviors  allow the volatile SET MAX ADDRESS, block if non-volatile  cached the results IDENTIFY DEVICE  substituted READ DMA for READ MULTIPLE  allowed FORMAT TRACK  Depending on OS version, might no be able to preview NTFS partition

Nov 06, 2006Techno Forensics at NIST34 Contacts Jim LyleDoug White Barbara Guttman Sue Ballou, Office of Law Enforcement Standards

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.