Why are write blockers needed when mount has a read-only option?

Let’s say we're using some flavor of Linux and we mount a partition using the following command:

sudo mount -o ro /dev/sdc1 /mnt

The partition is supposed to be read-only so that the OS and user cannot write to the disk without changing the mount permissions.

From the ForensicsWiki:

Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands, hence their name.

This seems to me that it is just to prevent accidental flags. The page also says that there are additional features to some write-blockers, such as slowing the disk down to prevent damage. But for this let’s assume it is just a simple one that can only block writing.

If you can just mount a disk in read-only mode, what is the point of buying something such as a write blocker? Is this just to help prevent things such as an accidental mount command with write permissions (user error, which cannot be permitted in some instances, i.e. criminal cases), or am I missing some more of the in-depth features of how filesystems work?

Note: I am aware that some SSDs shuffle data continuously, I am not sure whether to include them in the question or not. It seems like that would make it much more complicated.


Solution 1:

The Journal of Digital Forensics, Security and Law has an excellent article, A STUDY OF FORENSIC IMAGING IN THE ABSENCE OF WRITE-BLOCKERS, that analyses forensic capture both with and without write blockers. From the journal:

Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker are immediately suspect.

Merely mounting a file system can cause reads and writes. Many modern filesystems, from ext3/4 and XFS to NTFS, have a journal that maintains metadata about the filesystem itself. If power is lost, the system shuts down incompletely, or for a number of other reasons, this journal is automatically read and written back to file structures across the drive to maintain consistency of the filesystem itself. This may happen during the mount process, whether or not the filesystem is mounted read-write.

For example, from the ext4 documentation the ro mount option will...

Mount filesystem read only. Note that ext4 will replay the journal (and thus write to the partition) even when mounted "read only". The mount options "ro,noload" can be used to prevent writes to the filesystem.

Although these driver-level changes do not affect the content of files, it is a forensics standard to take cryptographic hashes of evidence upon collection in order to maintain a chain of custody. If one can show that the hash, i.e. SHA-256, of currently held evidence matches what was collected, then you can prove beyond reasonable doubt that the drive's data has not been modified during the analysis process.

Digital evidence can be cited as evidence in nearly every crime category. Forensic investigators need to be absolutely certain that the data they obtain as evidence has not been altered in any way during the capture, analysis, and control. Attorneys, judges and jurors need to feel confident that the information presented in a computer crime case is legitimate. How can an investigator ensure for certain that his or her evidence is accepted in court?

According to the National Institute of Standards and Technology (NIST), the investigator follows a set of procedures designed to prevent the execution of any program that might modify the disk contents. http://www.cru-inc.com/data-protection-topics/writeblockers/

A write blocker is necessary, because if any bit changes for any reason—OS, driver-level, file-system level or below—then the hashes of the collected vs analysed system will no longer match, and the drive's admissibility as evidence may be questioned.

The write-blocker is thus both a technical control against the possibility of low-level changes, and a procedural control to provide assurance that no changes were made, regardless of user or software. By removing the possibility of changes, it supports hashes to be used to show that analysed evidence matches collected evidence, and prevents many potential evidence handling problems and questions.

The JDFSL article's analysis shows that without a write-blocker, changes were made to the drives they tested. However, on the other hand, the individual data file hashes would still be intact, so arguments for the soundness of evidence collected without a write blocker exist, but this is not considered best industry practice.

Solution 2:

You can't be sure. @jakegould covers a ton of the legal and technical reasons, so I'm focusing on the operational reasons.

Firstly, you never mount a drive like that; you image the entire device. Your core premise, that you can use filesystem permissions, is wrong. You're going to use some flavour of dd or a specialised acquisition tool that should work read-only by default.

Forensics is all about being absolutely sure you've not tampered with the evidence at any stage, and that you can provide a verified copy of the drive with no changes made to it. (In fact, unless you need to do live forensics, you only touch a suspect hard drive once, to image it.) So in addition to your acquisition tool being read-only, it acts as a second line of defence against messing up.

The write blocker does certain things:

  1. It shifts the burden of proving that the drive was in fact read-only.
  2. In a more idiot-proof way, it becomes part of your 'acquisition' rig/process.
  3. The manufacturer guarantees that the device does so, which is something you want in your evidence/incident log.

In a sense it slots into the process of evidence collection, and there's one less thing for your frail human self to mess up. In addition to verifying that the source drive isn't written to, it might save you if you mix up source and destination.

In short it takes out one possible major weak point. You don't have to think about 'did I mount the drive readonly' or 'did I swap my source and destination in dd?'

You hook it in, and you don't need to worry if you overwrote your evidence.
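Solution 1 rests on whole-drive hashes catching any change the OS or driver makes to the device, and Solution 2 on imaging the whole device with dd rather than mounting it. The script below is an added example (not from either answer) that puts the two together: it images a "drive" with dd, hashes source and image with SHA-256, and then shows that a single changed byte, the kind of change a journal replay leaves behind, breaks the match. It assumes a Linux host with coreutils (dd, sha256sum, head, cut, mktemp). The device path /dev/sdc, the 8 MiB pattern-filled stand-in file, and the byte offset 1024 are constructed for the demo so it runs without root, a real drive or a write blocker.

```sh
#!/bin/sh
# Added example, not part of the original answers: image a drive with dd
# and verify the image against the source with SHA-256, then show that a
# single changed byte (the kind of change a journal replay leaves behind)
# breaks the match. Assumes a Linux box with coreutils (dd, sha256sum,
# head, cut, mktemp). In the demo a regular file stands in for /dev/sdc,
# so it runs without root, a real drive or a write blocker.

# Hex SHA-256 digest of a file or block device, without the filename.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Sector-by-sector copy of SRC to DST. conv=noerror,sync keeps reading past
# unreadable sectors and zero-fills them instead of aborting; bs=512 keeps
# that padding to the failed sector only (a larger bs with conv=sync would
# pad a trailing short block and change the image).
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash source and image, print both digests for the evidence log and
# return 0 if they match, 1 if they do not.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    printf 'source  %s\nimage   %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Acquire and verify in one step. The source must not change between the
# copy and the hash, which is exactly what a write blocker (or at minimum
# mounting nothing and using ro,noload when you must mount) guarantees.
acquire_and_verify() {
    acquire_image "$1" "$2" && verify_image "$1" "$2"
}

# Demo on constructed data: an 8 MiB "device" filled with a known pattern.
# Returns 0 if the clean image verifies and the tampered copy is rejected.
demo() {
    work=$(mktemp -d)
    dev="$work/fake_sdc"                       # constructed stand-in for /dev/sdc
    yes 'evidence' | head -c 8388608 > "$dev"  # exactly 16384 sectors of 512 bytes

    if acquire_and_verify "$dev" "$work/evidence.dd"; then good=0; else good=1; fi

    # One byte overwritten at offset 1024 ('e' becomes 'X'). A superblock or
    # journal update on the source would have the same effect on the hashes.
    cp "$work/evidence.dd" "$work/touched.dd"
    printf 'X' | dd of="$work/touched.dd" bs=1 seek=1024 conv=notrunc 2>/dev/null
    if verify_image "$dev" "$work/touched.dd"; then bad=0; else bad=1; fi

    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "clean image verified; tampered copy detected"
```

On a real acquisition the call is `acquire_and_verify /dev/sdc evidence.dd` with the drive behind the blocker; note that verify_image reads the whole source a second time to hash it, and that a drive with unreadable sectors will legitimately produce a mismatch (the zero-filled sectors), which is why the dd error output and both digests belong in the log rather than being discarded as this demo does.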

Solution 3:

You state this:

If you can just mount a disk in read-only mode, what is the point of buying something such as a write blocker?

Let’s—at a high, non-technical level—logically look at how data for evidence would be collected. And the key to all of this is neutrality.

You have a suspect of… Something in a legal or potentially legal case. Their evidence must be presented as neutral as possible. In the case of physical documents you can just take the printed materials and physically store them in a safe place. For data? The nature of computer systems inherently has an issue of data manipulation in play.

While you state you could just logically mount the volume as “read only”, who are you? And how can someone who is not you, like a court or investigator, trust your skills, systems and expertise? Meaning, what makes your system so special that some background process cannot suddenly pop up on the system and start indexing it the second you plug it in? And how will you monitor that? And heck, what about file metadata? MD5s of files are useful… But if one character of metadata changes in a file, guess what? The MD5 changes.

What it comes down to is in the great scheme of things your personal technical skills have no bearing on the ability for you to present data as neutrally as possible to investigators, courts or others.

Enter a write blocker. This is not a magical device. It clearly blocks data writes at a base level, and what else? Well, that’s all it does and that is all it should ever do (or not do).

A write blocker is a neutral piece of hardware made by another company to an industry-accepted standard that performs one task and performs it well: preventing data writes.

To an investigator, court or others the use of a write blocker basically states, “I am a computer professional who understands data forensics and understands the need for data integrity when providing others information I am charged with gathering. I am using a physical device we all agree prevents writes to access this data to show everyone that yes, this is the evidence you need to do what you need to do.”

So the point of “buying something such as a write blocker” is to buy a tool that is universally recognized by people all over the world as a valid tool for neutral data access and collection. And that if someone else—who is not you—were to access the data with a similar write blocker, they too would get the same data in return.

Another real world example is video camera evidence. Now yes, there is a risk of video evidence being tampered with. But let’s say you witnessed a crime and saw the suspect and know that they did it. In a court, your integrity as a witness will be eviscerated by the defense as they seek to defend their client. But let’s say in addition to your eyewitness report the police get video footage of the crime happening. That impartial, unblinking eye of a neutral image capturing device lays to rest most doubts of your claims. Meaning, a “robot” thing that is not a human but can record data will back up the prosecution's case against the defense and not just your word/trust.

The reality is the world of law and legality really comes down to solid, tangible and, pretty much, irrefutable physical evidence. And a write blocker is a tool that ensures physical data evidence is as clean as possible.