PDBLOCK: Write Blocking Your Source Drives




Even though you have created a controlled boot floppy, it is always a good idea to take the extra precaution of ensuring that nothing can inadvertently write to the evidence hard drive. This is usually accomplished with a write-block utility. EnCase has one built into its DOS acquire utility, but that protection is active only while the acquire program itself is running; anything else you run from the boot disk is not covered by it.

Tip 

The EnCase vendor also sells a hardware write blocker, FastBloc, through its web site. A hardware blocker sits between the controller and the drive, so it protects the evidence regardless of which software is running.

If you are using a forensic duplication tool that requires a boot disk, you will need to write protect the source drive yourself. A software write blocker does this by hooking the BIOS disk services (INT 13h) and refusing any call that would alter the original evidence. One such utility, PDBLOCK (Physical Drive Blocker) from Digital Intelligence, is available at http://www.digitalintel.com. Unlike many similar utilities, PDBLOCK also handles the INT 13h extensions (the extended disk services used to address large drives), so writes issued through the extended calls are blocked as well, and it lets you select which physical drives to protect. Simply executing PDBLOCK with no arguments write blocks all hard drives by default. Digital Intelligence also offers a version free of charge to law enforcement personnel and agencies, called PDB_LITE.

Implementation

You should copy PDBLOCK to your trusted boot disk before you perform a forensic duplication so that you can lock the source drives. Boot using your trusted disk; running PDBLOCK without arguments once it is loaded prints its usage and current configuration:

A:\>pdblock.exe

Usage: "PDBLOCK {drives} {/nomsg} {/nobell} {/fail}" to (re)configure

Where:
    drives:     NONE, ALL, or list of hard drives to protect (0-3)
                i.e. "PDBLOCK 0", "PDBLOCK 013", "PDBLOCK 123", etc
                (Default is ALL if not specified)
    /nomsg:     Do not display message when write is blocked
    /nobell:    Do not ring bell when write is blocked
    /fail:      Return write failure code to calling program
                (Default is to fake successful write to calling program)

"PDBLOCK" with no options (once loaded) will display help and current configuration

The tool also gives audible and visual feedback each time a write attempt is detected and blocked, and both notifications can be suppressed with /nobell and /nomsg if desired. Note the default behaviour: a blocked write is reported back to the calling program as a success, so a duplication tool that tries to touch the source drive will carry on silently. If you want the calling program to see the refusal (for instance while testing your boot disk against a scratch drive), load PDBLOCK with /fail instead. Bear in mind, too, that a software blocker of this kind catches only writes that go through the BIOS; a program that talks to the disk controller directly bypasses it, which is why a hardware blocker remains the stronger control. You should execute this utility before you run any of the forensic duplication tools discussed in the following sections.
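To make the decisions a PDBLOCK-style blocker takes concrete, here is a small Python model of an INT 13h write-block hook. It is an added example written for this page, not PDBLOCK's code or anything from Digital Intelligence. It parses the {drives} argument exactly as the usage text above describes (NONE, ALL, or a string of digits such as "013"), refuses the BIOS write functions (03h write sectors, 05h format track, 0Bh write long, and the 43h extended write from the INT 13h extensions) for protected drives, and shows the difference between the default "fake success" response and the /fail response. The mapping of PDBLOCK's drive numbers 0-3 onto BIOS hard-disk numbers 80h-83h, and the choice of 03h ("write protected") as the failure status returned under /fail, are assumptions made for the example; PDBLOCK's own documentation only says "write failure code". The in-memory disks stand in for the real BIOS handler.

```python
"""Model of a DOS-era INT 13h software write blocker (PDBLOCK-style).

Illustrative model written for this page, not PDBLOCK's own code.  It shows
what a TSR hooked on INT 13h must decide: which BIOS functions are writes,
which physical drive they target, and what to hand back to the caller when a
write is refused (fake success by default, or an error status with /fail).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# INT 13h function numbers (register AH) that modify the disk.  03h/05h/0Bh
# are the classic CHS services; 43h is the INT 13h Extensions (LBA) write
# that a blocker which only watches the classic calls would miss.
WRITE_FUNCS = {0x03: "write sectors", 0x05: "format track",
               0x0B: "write long", 0x43: "extended write"}

# BIOS numbers hard disks from 80h upward.  Assumption: PDBLOCK's "0-3" map
# to 80h-83h.  Floppies (00h-7Fh) are never hard drives and are not blocked.
FIRST_HARD_DISK = 0x80
# Assumption: status returned under /fail; 03h is the BIOS "write protected"
# status.  The PDBLOCK usage text only says "write failure code".
ERR_WRITE_PROTECTED = 0x03


def parse_drive_spec(spec: str) -> set:
    """Parse the {drives} argument: NONE, ALL (also the default when empty),
    or a string of drive digits such as "013".  Returns protected indexes."""
    spec = spec.strip().upper()
    if spec in ("", "ALL"):
        return {0, 1, 2, 3}
    if spec == "NONE":
        return set()
    drives = set()
    for ch in spec:
        if ch not in "0123":
            raise ValueError(f"bad drive spec {spec!r}: use NONE, ALL or digits 0-3")
        drives.add(int(ch))
    return drives


@dataclass
class Int13Request:
    ah: int         # function number
    dl: int         # BIOS drive number (00h.. floppies, 80h.. hard disks)
    lba: int        # sector addressed (CHS collapsed to a linear index here)
    count: int      # sectors to transfer (AL, or the DAP count for 4xh calls)
    data: bytes = b""


@dataclass
class Int13Result:
    carry: bool     # CF set means the BIOS call failed
    ah: int         # status code (00h = success)
    al: int         # sectors transferred


class FakeDisk:
    """Stand-in for the original BIOS handler: constructed in-memory sectors."""
    def __init__(self, drives: Dict[int, int], sector_size: int = 512):
        self.sector_size = sector_size
        self.store = {d: bytearray(n * sector_size) for d, n in drives.items()}

    def handle(self, req: Int13Request) -> Int13Result:
        if req.dl not in self.store:
            return Int13Result(True, 0x01, 0)        # 01h: bad command/drive
        off = req.lba * self.sector_size
        if req.ah in WRITE_FUNCS:
            self.store[req.dl][off:off + len(req.data)] = req.data
        return Int13Result(False, 0x00, req.count)

    def read(self, dl: int, lba: int, nbytes: int) -> bytes:
        off = lba * self.sector_size
        return bytes(self.store[dl][off:off + nbytes])


class WriteBlocker:
    """The hook installed in front of the original INT 13h vector."""
    def __init__(self, chain: Callable[[Int13Request], Int13Result],
                 drives: str = "ALL", fail: bool = False,
                 nomsg: bool = False, nobell: bool = False):
        self.chain = chain
        self.protected = parse_drive_spec(drives)
        self.fail, self.nomsg, self.nobell = fail, nomsg, nobell
        self.messages: List[str] = []        # what /nomsg would silence
        self.bells = 0                       # what /nobell would silence

    def is_protected(self, dl: int) -> bool:
        return dl >= FIRST_HARD_DISK and (dl - FIRST_HARD_DISK) in self.protected

    def handle(self, req: Int13Request) -> Int13Result:
        if req.ah in WRITE_FUNCS and self.is_protected(req.dl):
            if not self.nomsg:
                self.messages.append(
                    f"blocked {WRITE_FUNCS[req.ah]} to drive {req.dl - FIRST_HARD_DISK}")
            if not self.nobell:
                self.bells += 1
            if self.fail:
                return Int13Result(True, ERR_WRITE_PROTECTED, 0)
            # Default: report success to the caller while touching nothing.
            return Int13Result(False, 0x00, req.count)
        return self.chain(req)               # reads, and unprotected drives


def demo(fail: bool = False) -> dict:
    """Write to a protected suspect drive (0) and an unprotected destination
    drive (1); report what the caller saw and what actually hit the disks."""
    disk = FakeDisk({0x80: 64, 0x81: 64})
    blocker = WriteBlocker(disk.handle, drives="0", fail=fail)
    payload = b"EVIDENCE TAMPERED"             # constructed sample data
    blocked = blocker.handle(Int13Request(0x43, 0x80, 5, 1, payload))
    allowed = blocker.handle(Int13Request(0x43, 0x81, 5, 1, payload))
    return {"blocked_carry": blocked.carry, "blocked_ah": blocked.ah,
            "allowed_carry": allowed.carry,
            "suspect_untouched": disk.read(0x80, 5, len(payload)) == bytes(len(payload)),
            "dest_written": disk.read(0x81, 5, len(payload)) == payload,
            "messages": blocker.messages, "bells": blocker.bells}


if __name__ == "__main__":
    for fail in (False, True):
        print(f"/fail {'on ' if fail else 'off'}:", demo(fail))
```

Run it and compare the two lines of output: in both cases the suspect drive's sectors stay zeroed and the destination drive receives the data, but only with /fail does the caller see CF set and a non-zero status. That is the point made above about testing a boot disk: without /fail a misbehaving duplication tool gives you no error to notice.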






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189