Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Hardware write-blockers (not the whole anwser)

from [Greg Freemyer] Network Security [Permanent Link]
Subject: Hardware write-blockers (not the whole anwser)
Date: Mon, 27 Dec 2004 11:44:29 -0500 
In response to a previous post about using the hdparm command as a
software write-blocker, a couple people sent private e-mails
suggesting a hardware write-blocker should always be used.

One particular concern was that doing Linux read-only mount of a
filesystem does make small changes to the filesystem and causes the
md5 hash to change.

Below are my thoughts of why this is not really feasible and expresses
my hope that linux software write-blockers be implemented:

=====
I agree that mounting a drive read-only from Linux has the opportunity
to modify the original.

The fact that linux does so is a bug, and is recognized by at least
one filesystem support team as such. (XFS from SGI).

Still the bug has existed in various versions of the linux kernel for
various filesystems at various times, so I agree it is definately best
practice to not mount subject drives.

OTOH, I do not think I will ever have all the write-blockers necessary
to successfully image (and protect) ATA, SATA, SCSI, SAS, FC, USB,
Firewire, Flash, etc.

Further, I have no idea how to image a truly complex hardware RAID
like the Compaq Smart Array series one disk at time.  The RAID
segments are dynamic and moved around between the drives as drives are
added/deleted.  Only by using the existing RAID controller can one
hope to get a coherent image.

For these more complex setups, I prefer to boot to Linux and perform a
read-only dd/md5sum images if we can.

I'm currently depending on my skills (quite extensive) with Linux to
ensure I do not make a mistake and inadvertently modify the subject
drive (or logical volume in hardware RAID).

It is my hope is that Linux will eventually have low-level software
write-blockers that will prevent even buggy kernel code from modifying
the subject drive under analysis.


From my rather limited understanding of the Linux 2.6 Kernel, there

are only 3 fundamental storage types supported: Traditional IDE, Newer
ATA, and SCSI.  Most of the newer systems are being mapped into the
SCSI architecture.

If that is true, it may be possible for as few as 3 software
write-blocker modules to be developed.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Two hash, Christopher Brown
Next by Date:  RE: Two hash, Barry J. Grundy
Previous by Thread:  Re: mactimes, Aubrey Beesley
Next by Thread:  Re: Hardware write-blockers (not the whole anwser), subscribe
Indexes:  [Date] [Thread] [Top] [All Lists]