Testing Write Blockers
James R Lyle
CFTT Project
NIST/ITL/SDCT
November 06, 2006
DISCLAIMER
Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose.
Nov 06, 2006
Techno Forensics at NIST
2
Project Sponsors
NIST/OLES (Program management)
National Institute of Justice (Major funding)
FBI (Additional funding)
Department of Defense, DCCI (Equipment and support)
Homeland Security (Technical input)
State & Local agencies (Technical input)
Internal Revenue, IRS (Technical input)
Talk Outline
Software Write Blocking
Hardware Write Blocking
Protection Goals
Prohibit any changes to a hard drive
Prohibit changes by a malicious program
Prohibit accidental change (blunder)
Prohibit change by operating system
Prohibit damage to a drive
Protection Strategies
Standardized & validated procedures
No Protection software or device
Trusted OS & trusted tools
Software write block program
Hardware write block device
Software Write Blocking
Blocking strategies
Interrupt 0x13 command set
Command usage observations
NIST test results for RCMP HDL & Pdblock
Software Blocking Tools
BIOS based interrupt 0x13 DOS TSR
Driver based (e.g., Windows filter stack)
Built in to OS: Windows XP service pack 2
Write Block Strategies
Block unsafe commands, allow everything else
  + Can always read, even if a new command is introduced
  - Allows newly introduced write commands
Allow safe commands, block everything else
  + Writes always blocked
  - Cannot use newly introduced read commands
Interrupt 0x13 Commands
256 possible command codes
Common BIOS has about 20 defined
Many obsolete or discontinued commands
Many commands defined for add-on products; see http://www.ctyme.com/rbrown.htm
Hard Drive BIOS Access
(Diagram) The application program issues an int 0x13 command to the BIOS interrupt 0x13 handler, which issues the command to the disk drive & controller and returns the result to the application.
SWB Tool Operation
(Diagram) The application program issues an int 0x13 command to the SWB tool. The tool either blocks the command and returns directly to the application, or allows it on to BIOS interrupt 0x13, which issues the command to the disk drive & controller and returns the result.
Test Harness Operation
(Diagram) The test harness issues int 0x13 commands to the SWB tool, which blocks or allows each one. An interrupt 13 monitor sits between the tool and BIOS interrupt 0x13: it tallies every command the tool lets through, and itself blocks or allows passing the command on to the BIOS and the disk drive & controller. The harness then queries the monitor for the result of each command.
Phoenix BIOS 4.0
Categorization of Interrupt 0x13 Phoenix BIOS 4.0 Commands
Category       Code  Command
Control        00h   Reset
Information    01h   Get last status
Read           02h   Read sectors
Write          03h   Write sectors
Information    04h   Verify sectors
Configuration  05h   Format Cylinder
Information    08h   Read Drive Parameters
Configuration  09h   Initialize Drive Parameters
Read           0Ah   Read Long Sector
Write          0Bh   Write Long Sector
Control        0Ch   Seek Drive
Control        0Dh   Alternate drive reset
Information    10h   Test drive ready
Configuration  11h   Recalibrate drive
Configuration  14h   Controller diagnostic
Information    15h   Read drive type
Information    41h   Check extensions present
Read           42h   Extended read
Write          43h   Extended write
Information    44h   Verify sectors
Control        47h   Extended seek
Information    48h   Get drive parameters
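As an added example (not from the slides), the two write-block strategies applied to the Phoenix BIOS 4.0 categorization, with a harness-style tally over a constructed int 0x13 trace; the LEGACY_TABLE is an assumption modelling a blocker written before the 4xh extended commands existed, and "Write" and "Configuration" are assumed to be the unsafe categories.

```python
# Added example, not from the NIST slides: deny-list vs allow-list software
# write blocking over the Phoenix BIOS 4.0 int 0x13 categorization, plus a
# test-harness style tally. Assumption: "Write" and "Configuration" are the
# unsafe categories, matching how the RCMP/Pdblock table treats them.

# Subset of the Phoenix BIOS 4.0 table: code -> (command, category)
PHOENIX_INT13 = {
    0x00: ("Reset", "Control"),
    0x02: ("Read sectors", "Read"),
    0x03: ("Write sectors", "Write"),
    0x05: ("Format cylinder", "Configuration"),
    0x08: ("Read drive parameters", "Information"),
    0x0A: ("Read long sector", "Read"),
    0x0B: ("Write long sector", "Write"),
    0x41: ("Check extensions present", "Information"),
    0x42: ("Extended read", "Read"),
    0x43: ("Extended write", "Write"),
    0x48: ("Get drive parameters", "Information"),
}
UNSAFE = {"Write", "Configuration"}
SAFE = {"Read", "Information", "Control"}

def deny_list_policy(code, table=PHOENIX_INT13):
    """Block known unsafe commands, allow everything else (unknown codes pass)."""
    category = table.get(code, ("?", "Unknown"))[1]
    return "block" if category in UNSAFE else "allow"

def allow_list_policy(code, table=PHOENIX_INT13):
    """Allow known safe commands, block everything else (unknown codes stop)."""
    category = table.get(code, ("?", "Unknown"))[1]
    return "allow" if category in SAFE else "block"

def tally(trace, policy):
    """Harness-style tally: {(code, decision): count} over a command trace."""
    counts = {}
    for code in trace:
        key = (code, policy(code))
        counts[key] = counts.get(key, 0) + 1
    return counts

# Assumed: a blocker built before the extended (0x41-0x48) commands existed,
# so its table stops at 0x15. "Unknown" is where the two strategies diverge.
LEGACY_TABLE = {code: entry for code, entry in PHOENIX_INT13.items() if code < 0x41}

def legacy_decisions(codes=(0x42, 0x43), table=LEGACY_TABLE):
    """{code: (deny-list decision, allow-list decision)} for codes the table never saw."""
    return {code: (deny_list_policy(code, table), allow_list_policy(code, table))
            for code in codes}
```

Running legacy_decisions() shows the trade-off on the slide directly: the deny-list blocker lets the new extended write (43h) through, while the allow-list blocker stops it but also stops the new extended read (42h).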
Observations of 0x13 Usage I
Cmd  CmdName             Program             Sum Of Count
02   ReadSectors         Norton Disk Editor  6
03   WriteSectors        Norton Disk Editor  6
08   ReadDriveParms      Norton Disk Editor  5
42   ExtRead             DOS COPY            36
42   ExtRead             Norton Disk Editor  2
43   ExtWrite            DOS COPY            223
00   Reset               SafeBack 3.0        21
02   ReadSectors         SafeBack 3.0        85368
03   WriteSectors        SafeBack 3.0        62416
04   VerifySectors       SafeBack 3.0        14
08   ReadDriveParms      SafeBack 3.0        34
0A   ReadLong            SafeBack 3.0        1
41   CheckForExtensions  SafeBack 3.0        16
42   ExtRead             SafeBack 3.0        939146
43   ExtWrite            SafeBack 3.0        812666
48   GetDriveParms       SafeBack 3.0        14
Observations of 0x13 Usage II
Cmd  CmdName             Program      Sum Of Count
00   Reset               Encase 3.22  6
02   ReadSectors         Encase 3.22  2148
08   ReadDriveParms      Encase 3.22  23
41   CheckForExtensions  Encase 3.22  14
42   ExtRead             Encase 3.22  657722
43   ExtWrite            Encase 3.22  1280151
48   GetDriveParms       Encase 3.22  14
00   Reset               Encase 4.14  6
02   ReadSectors         Encase 4.14  2020
08   ReadDriveParms      Encase 4.14  23
41   CheckForExtensions  Encase 4.14  14
42   ExtRead             Encase 4.14  654989
43   ExtWrite            Encase 4.14  1274995
48   GetDriveParms       Encase 4.14  14
Comments on 0x13
Only two unsafe commands were in use
Other unsafe commands unlikely to be used:
  Format: 05, 06, & 07
  Diagnostic: 0E, 0F, 12, 13, & 14
  Write long: 0B
RCMP HDL & Pdblock
(A = allow, B = block)
Command                        Code   Category       Spec  0.4  0.5  0.7  0.8  PDB  PDL
Format Track                   05h    Configuration  B     B    B    B    B    B    B
Format Track With Bad Sectors  06h    Configuration  B     B    B    B    B    B    B
Format Cylinder                07h    Configuration  B     B    B    B    B    B    B
Initialize Drive Parameters    09h    Configuration  B     A    A    A    B    A    A
ESDI Diagnostic (PS/2)         0Eh    Configuration  B     A    A    A    B    A    A
ESDI Diagnostic (PS/2)         0Fh    Configuration  B     B    B    B    B    B    B
Controller RAM Diagnostic      12h    Configuration  B     A    A    B    B    A    A
Drive Diagnostic               13h    Configuration  B     B    B    B    B    A    A
Controller Diagnostic          14h    Configuration  B     A    A    B    B    A    A
Reset                          00h    Control        A     A    A    A    A    A    A
Seek Drive                     0Ch    Control        A     A    A    A    A    A    A
Alternate Drive Reset          0Dh    Control        A     A    A    A    A    A    A
Recalibrate Drive              11h    Control        A     A    A    A    B    A    A
Extended Seek                  47h    Control        A     A    A    B    B    A    A
Get Last Status                01h    Information    A     A    A    A    A    A    A
Verify Sectors                 04h    Information    A     A    A    A    A    A    A
Read Drive Parameters          08h    Information    A     A    A    A    A    A    A
Test Drive Ready               10h    Information    A     A    A    A    A    A    A
Read Drive Type                15h    Information    A     A    A    B    A    A    A
Check Extensions Present       41h    Information    A     A    A    A    A    A    A
Verify Sectors                 44h    Information    A     A    A    A    A    A    A
Get Drive Parameters           48h    Information    A     A    A    A    A    A    A
Read Sectors                   02h    Read           A     A    A    A    A    A    A
Read Long Sector               0Ah    Read           A     A    A    A    A    A    A
Extended Read                  42h    Read           A     A    A    A    A    A    A
Write Sectors                  03h    Write          B     B    B    B    B    B    B
Write Long Sector              0Bh    Write          B     B    B    B    B    B    B
Extended Write                 43h    Write          B     A    B    B    B    B    B
Undefined                      other  Miscellaneous  B     A    A4   B    B    A3   A3
Write Blocking Hardware
Blocking device actions
ATA standards
Observed ATA commands
Device behaviors for two devices
HWB Testing
(Diagram) The CPU sends an I/O command over BUS 1 to the HWB; the HWB passes commands it allows over BUS 2 to the device and returns the result to the CPU. A protocol analyzer monitors the bus traffic.
Write Blocker Actions
The device forwards the command to the hard drive.
The blocking device substitutes a different command to the hard drive. This is the case if the blocking device uses different bus protocols for communication with the host and hard drive.
The device simulates the command without actually forwarding the command to the hard drive.
If a command is blocked, the device may return either success or failure for the blocked operation. However, returning failure may sometimes cause the host computer to lock up for some commands issued by some operating systems.
ATA Standards
Standard        Last Draft Standard Before Final Version  Approximate Publication Date
ATA-1           X3T10/791D Revision 4c                    1994
ATA-2           X3T10/0948D Revision 4c                   March 18, 1996
ATA-3           X3T13 2008D Revision 7b                   January 27, 1997
ATA/ATAPI-4     T13/1153D Revision 18                     August 19, 1998
ATA/ATAPI-5     T13/1321D Revision 3                      February 29, 2000
ATA/ATAPI-6     T13/1410D Revision 3                      October 30, 2001
ATA/ATAPI-7 V1  T13/1532D Revision 4b                     April 21, 2004
Using a Protocol Analyzer
Sent from Host                      Allowed by Blocker
20=READ W/ RETR     LBA=A003000     20=READ W/ RETR     LBA=A003000
30=WRITE W/ RETRY   LBA=000000      (blocked)
20=READ W/ RETR     LBA=F013000     20=READ W/ RETR     LBA=F013000
20=READ W/ RETRY    LBA=A00C400     20=READ W/ RETRY    LBA=A00C400
C4=READ MULTIPLE    LBA=000C400     C8=Read DMA         LBA=000C400
20=READ W/ RETRY    LBA=F01C400     20=READ W/ RETRY    LBA=F01C400
20=READ W/ RETRY    LBA=A00C700     20=READ W/ RETRY    LBA=A00C700
C7=READ DMA QUEUED  LBA=000C700     (blocked)
20=READ W/ RETRY    LBA=F01C700     20=READ W/ RETRY    LBA=F01C700
20=READ W/ RETRY    LBA=A00C800     20=READ W/ RETRY    LBA=A00C800
C8=Read DMA         LBA=000C800     C8=Read DMA         LBA=000C800
20=READ W/ RETRY    LBA=F01C800     20=READ W/ RETRY    LBA=F01C800
20=READ W/ RETRY    LBA=A00C900     20=READ W/ RETRY    LBA=A00C900
C9=RD DMA W/O RETR  LBA=000C900     (blocked)
20=READ W/ RETRY    LBA=F01C900     20=READ W/ RETRY    LBA=F01C900
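As an added example (not from the slides), a parser for the analyzer listing format shown above and an ordered comparison of the host-side listing against what reached the drive, which reports blocked and substituted commands; the two listings are constructed excerpts, and the comparison assumes the blocker preserves command order and LBA.

```python
# Added example, not from the slides: parse the protocol analyzer listing
# format above (an "NN=NAME" line followed by its "LBA=..." line) and align
# the host-side listing with the drive-side one to find blocked and
# substituted commands. Both listings below are constructed excerpts.

SENT_FROM_HOST = """\
20=READ W/ RETRY
LBA=A00C400
C4=READ MULTIPLE
LBA=000C400
20=READ W/ RETRY
LBA=F01C400
C7=READ DMA QUEUED
LBA=000C700
20=READ W/ RETRY
LBA=F01C700
"""
ALLOWED_BY_BLOCKER = """\
20=READ W/ RETRY
LBA=A00C400
C8=Read DMA
LBA=000C400
20=READ W/ RETRY
LBA=F01C400
20=READ W/ RETRY
LBA=F01C700
"""

def parse_trace(text):
    """Return [(opcode, name, lba)] from alternating 'NN=NAME' / 'LBA=hex' lines."""
    commands, pending = [], None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith("LBA="):
            commands.append((pending[0], pending[1], int(line[4:], 16)))
        else:
            opcode, _, name = line.partition("=")
            pending = (int(opcode, 16), name.strip())
    return commands

def compare_traces(host_text, drive_text):
    """Walk both listings in order. A host command whose LBA is not the next
    one on the drive side was blocked; one that appears under another opcode
    was substituted. Assumes the blocker preserves order and the LBA."""
    host, drive = parse_trace(host_text), parse_trace(drive_text)
    blocked, substituted, j = [], [], 0
    for opcode, name, lba in host:
        if j < len(drive) and drive[j][2] == lba:
            if drive[j][0] != opcode:
                substituted.append((opcode, drive[j][0]))   # e.g. C4 -> C8
            j += 1
        else:
            blocked.append((opcode, name))                   # never reached the drive
    return blocked, substituted
```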
ATA Write Commands
ATA 1-7
Cmd  Name                      1  2  3  4  5  6  7
3Ah  WRITE STREAM DMA EXT      N  N  N  N  N  N  S
CEh  WRITE MULTIPLE FUA EXT    N  N  N  N  N  N  S
3Eh  WRITE DMA QUEUED FUA EXT  N  N  N  N  N  N  S
3Dh  WRITE DMA FUA EXT         N  N  N  N  N  N  S
3Bh  WRITE STREAM EXT          N  N  N  N  N  N  S
34h  WRITE SECTOR(S) EXT       N  N  N  N  N  S  S
3Fh  WRITE LOG EXT             N  N  N  N  N  S  S
39h  WRITE MULTIPLE EXT        N  N  N  N  N  S  S
36h  WRITE DMA QUEUED EXT      N  N  N  N  N  S  S
35h  WRITE DMA EXT             N  N  N  N  N  S  S
CCh  WRITE DMA QUEUED          N  N  N  S  S  S  S
E9h  WRITE SAME                S  S  N  N  N  N  N
33h  WRITE LONG (w/o retry)    S  S  S  N  N  N  N
32h  WRITE LONG (w/ retry)     S  S  S  N  N  N  N
3Ch  WRITE VERIFY              S  S  S  N  N  N  N
31h  WRITE SECTOR(S)           S  S  S  S  N  N  N
CBh  WRITE DMA                 S  S  S  S  N  N  N
E8h  WRITE BUFFER              S  S  S  S  S  S  S
30h  WRITE SECTOR(S)           S  S  S  S  S  S  S
C5h  WRITE MULTIPLE            S  S  S  S  S  S  S
CAh  WRITE DMA                 S  S  S  S  S  S  S
Other Unsafe ATA Cmds
ATA 1-7
CMD      Command Name                 1  2  3  4  5  6  7
C0h      CFA ERASE SECTORS            N  N  N  S  S  S  S
CDh      CFA WRITE MULTIPLE WO ERASE  N  N  N  S  S  S  S
38h      CFA WRITE SECTORS WO ERASE   N  N  N  S  S  S  S
92h      DOWNLOAD MICROCODE           N  S  S  S  S  S  S
50h      FORMAT TRACK                 S  S  S  N  N  N  N
F3h      SECURITY ERASE PREPARE       N  N  S  S  S  S  S
F4h      SECURITY ERASE UNIT          N  N  S  S  S  S  S
EFh      SET FEATURES                 S  S  S  S  S  S  S
F9h      SET MAX ADDRESS              N  N  N  S  S  S  S
37h      SET MAX ADDRESS EXT          N  N  N  N  N  S  S
B0h      SMART WRITE LOG              N  N  N  N  N  N  S
B0h/D6h  SMART WRITE LOG SECTOR       N  N  S  S  S  S  N
Commands Issued by BIOS
Host and BIOS               Cmd
Dell Phoenix 4.0 Rel 6.0    10=RECALIBRATE
Dell Phoenix 4.0 Rel 6.0    90=EXEC DRIVE DIAG
Micron Phoenix 4.0 Rel 6.0  90=EXEC DRIVE DIAG
Nexar Award V4.51PG         90=EXEC DRIVE DIAG
Dell Phoenix 4.0 Rel 6.0    91=INIT DRV PARAMS
Micron Phoenix 4.0 Rel 6.0  91=INIT DRV PARAMS
Nexar Award V4.51PG         91=INIT DRV PARAMS
Dell Phoenix 4.0 Rel 6.0    C6=SET MULTPLE MOD
Micron Phoenix 4.0 Rel 6.0  C6=SET MULTPLE MOD
Nexar Award V4.51PG         C6=SET MULTPLE MOD
Dell Phoenix 4.0 Rel 6.0    E3=IDLE
Micron Phoenix 4.0 Rel 6.0  E3=IDLE
Nexar Award V4.51PG         E3=IDLE
Dell Phoenix 4.0 Rel 6.0    EC=IDENTIFY DRIVE
Micron Phoenix 4.0 Rel 6.0  EC=IDENTIFY DRIVE
Nexar Award V4.51PG         EC=IDENTIFY DRIVE
Dell Phoenix 4.0 Rel 6.0    EF=SET FEATURES 03=Set Transfer Mode
Micron Phoenix 4.0 Rel 6.0  EF=SET FEATURES 03=Set Transfer Mode
Nexar Award V4.51PG         EF=SET FEATURES 03=Set Transfer Mode
Write Commands Issued by OS (Unix)
Host/OS       Src       Count  Cmd
FreeBSD5.2.1  Boot      196    CA=Write DMA
FreeBSD5.2.1  Boot      1      30=WRITE W/ RETRY
FreeBSD5.2.1  Shutdown  104    CA=Write DMA
RH7.1         Boot      759    CA=Write DMA
RH7.1         Login     166    CA=Write DMA
RH7.1         Shutdown  297    CA=Write DMA
RH9PD.1       Boot      763    CA=Write DMA
RH9PD.1       Login     186    CA=Write DMA
RH9PD.1       Shutdown  402    CA=Write DMA
Write Commands Issued by OS (MS)
Host/OS   Src       Count  Cmd
W98DS3    Boot      55     CA=Write DMA
W98DS3    Boot      58     30=WRITE W/ RETRY
W98DS3    Login     22     30=WRITE W/ RETRY
W98DS3    Shutdown  76     30=WRITE W/ RETRY
W98dsbd   Boot      10     30=WRITE W/ RETRY
W98dsbd   Boot      48     CA=Write DMA
Win2KPro  Boot      424    CA=Write DMA
Win2KPro  Login     277    CA=Write DMA
Win2KPro  Shutdown  269    CA=Write DMA
Win98SE   Boot      65     30=WRITE W/ RETRY
Win98SE   Shutdown  90     30=WRITE W/ RETRY
WinNT4.0  Boot      452    C5=WRITE MULTIPLE
WinNT4.0  Login     520    C5=WRITE MULTIPLE
WinNT4.0  Shutdown  102    C5=WRITE MULTIPLE
WinXPPro  Boot      967    CA=Write DMA
WinXPPro  Shutdown  272    CA=Write DMA
Blocking Devices vs Writes
Action by device X and device Y on observed write commands
ATA 1-7
1  2  3  4  5  6  7  C  X  Y  S  Cmd  Name
S  S  S  S  S  S  S  W  B  B  S  30h  WRITE SECTOR(S) (w/ retry)
S  S  S  S  S  S  S  W  B  B  S  C5h  WRITE MULTIPLE
S  S  S  S  S  S  S  W  B  B  S  CAh  WRITE DMA (w/ retry)
N  N  N  S  S  S  S  W  B  B  S  E7h  FLUSH CACHE
Blocking Devices vs Reads
Actions against observed read commands for two devices: X & Y
Device Y replaces read multiple with read DMA
ATA 1-7
1  2  3  4  5  6  7  C  X  Y    S  Cmd  Name
S  S  S  S  S  S  S  R  A  B    S  40h  READ VERIFY SECTOR(S)
S  S  S  S  S  S  S  R  A  C8h  S  C4h  READ MULTIPLE
S  S  S  S  S  S  S  R  A  A    S  C8h  READ DMA
Results for an ATA Device
The tested device allowed only the following commands:
20=READ W/ RETRY
24=READ SECTOR EXT
25=READ DMA EXT
27=RD MAX ADR EXT
37=SET MAX ADR EXT (volatile)
70=SEEK
91=INIT DRV PARAMS
B1=Device Config
C8=Read DMA
F8=RD NATV MAX ADD
F9=SET MAX ADDRESS (volatile)
At power on the device issues the following commands to the protected drive:
EC=IDENTIFY DRIVE
EF=SET FEATURES
C6=SET MULTPLE
EF=SET FEATURES
C6=SET MULTPLE MOD
Note that the identify device command is blocked if issued by the host, but the device returns the values obtained at power on.
Another ATA Device
Although no commands were allowed by the write blocker that could change user or operating system data, some unsupported or atypical commands were allowed. Some examples are:
Download microcode (0x92): This command allows reprogramming of hard drive firmware. While this could change drive behavior, the information to do so is drive model specific and not generally available.
Format Track (0x50): This command is not defined in the current ATA hard drive specifications (ATA-4 through ATA-7). The command was defined in ATA-1, ATA-2 and ATA-3; however, all three specifications have been withdrawn. The command could be used to erase information on an older drive that supports the instruction, but could not be used to change the content of any user or operating system data stored on a drive.
SMART write (0xB0,D6): This command records information in a device maintenance log, not part of the data area where data files and operating system data are stored.
Vendor Specific commands: These are undocumented commands specific to a given model of hard drive.
CFA Erase Sectors (0xC0): This command applies to Compact Flash devices, not hard drives.
SATA Write FPDMA (0x61): This command is noted by the protocol analyzer, but the command is only valid for Serial ATA (SATA) devices.
Notable Blocker Behaviors
Allow the volatile SET MAX ADDRESS, block if non-volatile
Cached the results of IDENTIFY DEVICE
Substituted READ DMA for READ MULTIPLE
Allowed FORMAT TRACK
Depending on OS version, might not be able to preview an NTFS partition
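As an added example (not from the slides or any tested product), a small model that combines the blocker behaviours observed above and records the drive-side command stream an analyzer on BUS 2 would see; the volatile/non-volatile form of SET MAX ADDRESS is assumed to arrive as a flag, the allow-list is the one from "Results for an ATA Device", and a blocked command is assumed to be answered with success so the host does not lock up.

```python
# Added example, not from the slides: a model of the hardware blocker
# behaviours listed above (power-on IDENTIFY caching, READ MULTIPLE -> READ DMA
# substitution, volatile-only SET MAX ADDRESS, allow-list forwarding).
# Assumptions: the volatile form of SET MAX is given as a flag, and blocked
# commands are answered with "success" (see Write Blocker Actions).

IDENTIFY_DEVICE, READ_MULTIPLE, READ_DMA = 0xEC, 0xC4, 0xC8
SET_MAX = {0xF9, 0x37}                 # SET MAX ADDRESS / SET MAX ADDRESS EXT
FORWARDED = {0x20, 0x24, 0x25, 0x27, 0x70, 0x91, 0xB1, 0xC8, 0xF8}  # slide allow-list

class BlockerModel:
    # EC, EF, C6, EF, C6: the power-on sequence observed on the slide
    POWER_ON_SEQUENCE = (0xEC, 0xEF, 0xC6, 0xEF, 0xC6)

    def __init__(self, drive_identify, blocked_status="success"):
        self.drive_identify = drive_identify   # constructed IDENTIFY data
        self.blocked_status = blocked_status
        self.cached_identify = None
        self.drive_log = []                    # opcodes that reached the drive

    def power_on(self):
        """The blocker itself configures the drive and caches IDENTIFY DEVICE."""
        self.drive_log.extend(self.POWER_ON_SEQUENCE)
        self.cached_identify = dict(self.drive_identify)

    def host_command(self, opcode, volatile=False):
        """Return (action, opcode sent to the drive or None, result seen by host)."""
        if opcode == IDENTIFY_DEVICE:          # simulated from the cached copy
            return ("simulate", None, self.cached_identify)
        if opcode == READ_MULTIPLE:            # substituted, as device Y did
            self.drive_log.append(READ_DMA)
            return ("substitute", READ_DMA, "success")
        if opcode in SET_MAX and volatile:     # volatile form only
            self.drive_log.append(opcode)
            return ("forward", opcode, "success")
        if opcode in FORWARDED:
            self.drive_log.append(opcode)
            return ("forward", opcode, "success")
        # writes, non-volatile SET MAX and everything else never reach the drive
        return ("block", None, self.blocked_status)
```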
Contacts
Jim Lyle
www.cftt.nist.gov
[email protected]
Doug White
www.nsrl.nist.gov
[email protected]
Barbara Guttman
[email protected]
Sue Ballou, Office of Law Enforcement Standards
[email protected]