Review of Guardonix: Write blocker and read stabilizer

Hi, Minions:

Again, and after a time of inactivity in the Blog, I come back with a new article. This time, the article is about reviewing a new product.

This article should have been published earlier, but it has been impossible for me. First, for study reasons. Studies that have had a strong and positive impact on my profession and my life. Secondly, for the celebration of the "I National League of Challenges in Cyberspace", organized by the Guardia Civil. The NCL is an event that has been created to value our university talent from a multidisciplinary vision. And this humble servant has had the immense honor, (and responsibility), of mentoring with a fantastic cast of professionals from diverse disciplines and wonderful people. I must say that I have been touched by what has been called 'The Spirit of Aranjuez'. Because NCL is not just an event. The NCL is an initiative that aims to detect and enhance the talent that exists in our country. You can see what has happened in this first edition of the "I National League of Challenges in Cyberspace", following the hashtags 'NationalCyberLeagueGC' and 'FinalNationalCyberLeagueGC'.

For a summary of what the "I National League of Challenges in Cyberspace" was, I recommend reading these two articles:



Family photo of the 1st NCL held at the Guardia Civil University Center

As I said before, this article should have been published before, but it has been impossible for me. So, I think the first thing I have to do is apologize for not having written it before.

Returning to today's topic,

I'm incapable of trying something new and not writing about it.

I believe that when someone tries something new, they should tell their experience, they should expose their evidence, so that others can learn about it.

A very interesting piece of hardware has come into my hands. This is Guardonix, a hardware write blocker and read stabilizer made by DeepSpar Data Recovery Systems.

What is a write blocker?

It is a physical device that prevents writes to a storage device that is the object of analysis as digital evidence. A write blocker is the best method of creating forensic images. Its purpose is to obtain a forensic image without altering, in any way, any data on the original storage device being processed.

Write blocking can be performed either by software or by hardware. But a software write block should not be confused with a hardware write blocker. As with software, there are many hardware brands on the market that sell these products. But Guardonix, in my opinion, makes a difference, with a series of very interesting and useful functions, which we will see later.

You should keep in mind that when you connect a storage drive, the operating system will constantly try to write to the disk to update various file system metadata. Without a write blocker, simply viewing the contents of the drive would cause the evidence to be permanently altered.

What is Guardonix?


Guardonix is a USB 3.0 write blocker. The device is very small. In fact, it fits in the palm of your hand, making it very comfortable to work with. Guardonix allows any Windows-based software tool to work with partially failed storage devices. Each kit includes the Guardonix device, its USB cable and a power supply. The power supply is optional and only needs to be connected if the storage device has an unusually large power draw.


How does Guardonix work?

After turning on the workstation, simply connect Guardonix directly to a USB port. Once Guardonix has been connected to the workstation, the storage device to be treated is connected to it. With everything connected, all that's left to do is choose the forensic imaging software tool of your choice and enjoy the process.

What is the main advantage of Guardonix?

The main advantage of Guardonix is that this write-blocker will not allow the data acquisition process to be interrupted by reading instabilities that may occur in the device being acquired. This is of vital importance because, if the power supply or reading of the unit is interrupted, Guardonix will resume the activity in the state in which the unit was left.

What sets Guardonix apart from other write blockers is that, in addition to write blocking, it also stabilizes the USB connection.

Guardonix runs on Windows systems and allows full interaction with the source drive, as if you were working directly with it. It stabilizes the connection with the USB device, thus ensuring that the drive does not disconnect and that the system does not hang, which is quite common with badly degraded drives. The read speed is plotted on a graph and the sectors are displayed on a sector map. All in real time.

Guardonix hardware is located between the computer equipment and the storage device, thus securing its connection. In other words, what happens on the workstation will not affect the storage device and what happens on the storage device will not affect the workstation.

From the first instant, when connected to the storage device, Guardonix displays read speed, drive status, current read sector, current sector status, and write attempts. All in real time.

It is nice to be able to visualize, in real time and in detail, the whole process of creating a forensic image, (without constantly asking ourselves whether the selected tool is working properly).

It improves the speed of forensic imaging because it cuts short the processing of bad sectors, that is, the read retries on a given sector.

Optionally, Guardonix can prevent Windows from mounting the file system of the USB storage device under examination, thus eliminating the possibility of mounting errors with a damaged file system.

Guardonix is not imaging software. You will be able to choose the one that interests you most, for each case, but Guardonix will offer you some options to complement some possible gaps in your software, (such as, for example, the reading wait time between one sector and the next).

Finally, Guardonix generates a very detailed log with the actions that have been carried out with the storage device under analysis. This log is generated with each connection that Guardonix makes to the computer and can be saved in a '.txt' format.

Some videos on how Guardonix works are available on the official Guardonix site (https://guardonix.com/blog.html). Needless to say, watching them is highly recommended to understand how it works.

Likewise, Brett Shavers has already written about Guardonix in the DFIR Training Blog (https://www.dfir.training/dfir-training-blog/if-you-don-t-already-have-a-deepspar-guardonix-you-might-want-to-get-one), so I'm going to focus on showing you a couple of tests I've been doing with this essential hardware element, which is already part of my DFIR arsenal.

I have a 128GB USB 3.0 memory drive from EMTEC.


This was, (in the past), one of my workhorse devices. I thought it worked perfectly, but, at a certain point...


The unit becomes inaccessible. Clearly this is a symptom that something is not working well. So, I have a perfect candidate for the first test.

First, I plug the USB device into the USB 3.0 port on my workstation directly.


Once the drive is connected to the computer, the system mounts the file system and assigns a drive letter so that examination of the device can begin. As shown in the image below, the device contains information. I run the FTK Imager Lite tool to create the corresponding forensic image of the device.


The forensic imaging process begins at a speed of 11.570 MB/sec, with an estimated completion time of 02:49:19 hours.


After a wait of 07:36:57 hours, I recheck the status of the process. Theoretically, it should be over by now, successfully, but...


What I find on the screen is that, despite all the time that has already elapsed, not only has the forensic imaging process not finished, but the time scheduled for its completion is still 06:55:42 hours, (and that estimated remaining time keeps increasing). Similarly, the read speed of the device has dropped from 11.570 MB/sec to 2.254 MB/sec, (and that read speed keeps decreasing). In the same way, the content that was previously visible in the device's folder has disappeared, leaving that window in a permanent 'Working on it' state.

I decide to wait longer... I'm not in a hurry, for now.

After 19:38:39 hours, the forensic imaging process has stagnated at 53%, with a reading speed of 0.885 MB/sec and with an estimated completion time of 17:23:39 hours.


I therefore decide to cancel this process.

If we take a look at the log of the forensic image creation for the device, we can see that there are many bad sectors with read errors. Sectors whose content has been replaced by zeros in the forensic image.
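A check I find useful at this point, added here as an example that is not part of the original post nor DeepSpar's software: reconcile the zero-filled sectors in the image with the read errors the imaging log reports, so that every zero padded by the imager is accounted for by a logged error. The image, the sector size and the 'READ ERROR sector N length L' log line format are constructed for the example; Guardonix's real log format is not reproduced here.

```python
import re

SECTOR_SIZE = 512  # sector size assumed for the constructed image

# Constructed log format for this example; not the real Guardonix format.
LOG_LINE = re.compile(r"READ ERROR sector (\d+) length (\d+)")


def zero_sector_runs(image, sector_size=SECTOR_SIZE):
    """Return [(start_sector, length), ...] for runs of all-zero sectors."""
    zero = bytes(sector_size)
    runs, start = [], None
    count = (len(image) + sector_size - 1) // sector_size
    for i in range(count):
        chunk = image[i * sector_size:(i + 1) * sector_size]
        is_zero = chunk == zero  # a short trailing chunk never counts as zero
        if is_zero and start is None:
            start = i
        elif not is_zero and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, count - start))
    return runs


def parse_read_errors(log_text):
    """Expand 'sector N length L' log entries into the set of sector numbers."""
    bad = set()
    for m in LOG_LINE.finditer(log_text):
        first, length = int(m.group(1)), int(m.group(2))
        bad.update(range(first, first + length))
    return bad


def reconcile(image, log_text, sector_size=SECTOR_SIZE):
    """Compare zero-filled sectors in the image with the logged read errors.

    logged_zeroed    : logged errors the imager padded with zeros (expected)
    logged_with_data : logged errors whose sector holds data (e.g. read on retry)
    zero_unlogged    : zero sectors with no logged error (normally free space)
    """
    zeroed = set()
    for start, length in zero_sector_runs(image, sector_size):
        zeroed.update(range(start, start + length))
    bad = parse_read_errors(log_text)
    return {
        "logged_zeroed": sorted(zeroed & bad),
        "logged_with_data": sorted(bad - zeroed),
        "zero_unlogged": sorted(zeroed - bad),
    }


def build_sample_image(total_sectors, zero_sectors, sector_size=SECTOR_SIZE):
    """Constructed image: pattern bytes everywhere except the zeroed sectors."""
    out = bytearray()
    for i in range(total_sectors):
        out += bytes(sector_size) if i in zero_sectors else b"\xab" * sector_size
    return bytes(out)


# Constructed sample: sectors 5, 6 and 10 failed and were zeroed, sector 12 was
# logged as failed but still holds data, sector 14 is plain free space.
SAMPLE_IMAGE = build_sample_image(16, {5, 6, 10, 14})
SAMPLE_LOG = """\
READ ERROR sector 5 length 2
READ ERROR sector 10 length 1
READ ERROR sector 12 length 1
"""

if __name__ == "__main__":
    print(reconcile(SAMPLE_IMAGE, SAMPLE_LOG))
```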


Needless to say, this failed forensic imaging process has further damaged the device.

I'm going to start a new process, with the same tool, using Guardonix.



The first thing we have to do when we connect the Guardonix device is to open the drive it presents, which contains a text file with the URL www.guardonix.com/download inside. At this web address we can download the software for the Guardonix device by providing the serial number of our unit. The software is downloaded in '.zip' format.


Once the file has been downloaded and decompressed in our working folder, with Guardonix connected, we run the file 'Guardonix.exe'.


In the new window that appears, which is the window of the Guardonix utility, if we go to the 'Log' tab we can see that it is necessary to install the device driver on the workstation. In the same way, when an update for the device is available, we will be warned. Simply press the 'Install' or 'Update' button to perform these tasks. After finishing, the system will have to be restarted.


Once the system has been restarted, either by installing the driver or by updating it, we run again the utility 'Guardonix.exe'.

The first thing to know is that the Guardonix hardware does not allow the workstation to have direct access to the connected unit. This way we can have the peace of mind of being able to work with the storage device in a secure way.


The first thing you see when you open the Guardonix utility is a set of options, among which is the usual control interface.

In this tab you will find the options of the Event Log, which you can mark or unmark with the corresponding checkboxes. Guardonix can record in its log events of reading errors (with indication of the sector address and the length of the block), events of satisfactory readings, events of attempted writing and events of 'Errors/Warnings', which record various information about errors and warnings.

Below, we find options for configuring the professional edition, which is what I'm going to show in this review.

The first of these options concerns mounting the file system. If this option is unchecked, Windows is prevented from mounting the file system of the connected drive. In other words, no drive letter is assigned and we cannot browse the drive. This is a very interesting option to bear in mind when working with drives that are badly degraded and could present problems while mounting, which in some cases can even hang the workstation.

The second option in the professional edition configuration is the ability to have the connected drive treated as read-only. Windows does not behave in the same way with read-only drives.

The third checkbox option available in the professional version is the possibility of powering off the connected drive when it is inactive. By default, this happens after 300 seconds of inactivity, but the value can be modified through a Windows Registry key. A storage device that scans itself is fine for performing its own maintenance, but if the drive has bad sectors this will have the opposite effect, aggravating the damage.

Below, we find five drop-down options.

The first of these concerns the type of device. It is critical that we choose the device type correctly, between hard disk and SSD/flash device.

The next option corresponds to the read timeout. Guardonix lets us tell it how long to wait before launching a read request to the storage device. The available options are: short, medium, long and off. This aspect must be taken into account when assessing the state of the storage drive. If the drive is not damaged it is recommended to set it to 'Off'. But if the drive has a large number of bad sectors it is recommended to set it to 'Short'. The right choice will depend on the condition of the drive.

The third drop-down option concerns read retries on faulty sectors and blocks. As a general rule, any data recovery software, or even Windows itself, carries out read retries on faulty sectors. The options at our disposal are to allow retries, not to retry sectors, or not to retry blocks. If we select the option not to retry blocks, Guardonix will automatically respond with an error when that failed read is attempted again, and the forensic software will not be able to access the source drive there. This speeds up the forensic image generation process, at the cost of losing some sectors or blocks. If we select the option not to retry sectors, it will allow reading of the other sectors of the same block, but it will prevent re-reading of the damaged sectors in that block.

The next drop-down option we find is about the answer to writing attempts. We have the option to specify how Guardonix hardware will respond to write attempts. We can set this response to 'Fake write' to simulate satisfactory writing on the unit, without writing anything on it, or we can set it to 'Error', to block that writing attempt.

The last of the options we see in this tab is the one related to USB speed. We can choose between a USB 2.0 speed, USB 3.0 speed, or an automatic selection. Depending on the damage to the unit, it may be advantageous to set a lower read speed to the unit.

Now we are going to move to the 'Log' tab. In this tab we can see all the information related to the storage unit.


This section records all the information about the storage device, the information about the Guardonix hardware and the events we selected in the configuration (reads with errors, write attempts, successful reads and/or other errors/warnings). The advice Guardonix gives us is also recorded. Guardonix has proved to be smart, offering tips as it encounters different states in the connected drives.

Now we move to the 'Sector Map' tab. In this section we can observe the read speed of the device in real time. Below the graph is the sector map, which can show the colours green, (sectors that have been read correctly), red, (sectors whose read returned an error), yellow, (sectors that have not been read because the wait time was exceeded), black, (the last sector processed, indicating the current position), and blue, (which corresponds to a write attempt on that sector).


I have now connected the damaged USB storage device to the Guardonix hardware.


With the following configuration.


The system mounts the file system of the storage drive and I can browse it normally. In fact, "by mistake", I'm going to delete a series of files.


Guardonix processes the operation as if it had actually deleted the selected files from the storage device. Meanwhile, in the sector map tab, we can observe the reading of the sectors in real time and the sector map of the content read, with its corresponding colour code.


But it is enough to reconnect the device, using the 'Power Off' and 'Power On' buttons, to observe that no change has been made to the target device.


After power-cycling the drive again, its content becomes available again.


In other words, I can carry out any action with the device with peace of mind because Guardonix allows me to work in complete safety.

I scan the file system of the device I have connected to Guardonix and, during scanning, I encounter cyclic redundancy check (CRC) errors.


These errors can be seen on the sector map, which marks the damaged sectors in red. Besides finding these damaged sectors in the log that Guardonix generates, we can hover the mouse cursor over one of them to see its location.


Read errors while scanning the drive could be addressed with a change in the Guardonix configuration, but Guardonix is clever and advises well, with messages like the one below.


"WARNING: Unchecking File System Mounting in Settings is strongly recommended to improve performance and prevent Windows from hanging when working with unstable drives."

Guardonix will show us advice depending on the situation.

So, I'm going to make a change to the Guardonix configuration so that it doesn't mount the file system, among other factors. Because what interests me is to process a forensic image in a satisfactory way.

Having said that, I now configure Guardonix as follows.


I run, with the device connected through Guardonix, a new forensic image generation process.


The estimated time for completion of this new process is 06:07:37 hours. What will happen now?


The read speed is 7.577 MB/sec during this part of the process, with an estimated remaining time of 04:19:25 hours.

Until, at 53% of the process, the read errors on the drive begin to appear.


Information that we can see in the sector map.


And information that we can see in Guardonix's log.

Even with that many read errors, Guardonix's configuration optimizes the time better, with a read speed of 4.501 MB/sec and an estimated completion time of 02:51:44 hours.

Please note that in the first test performed, without the use of Guardonix, the process stagnated at 53% of the forensic image generation, with an elapsed time of 19:38:39 hours and an estimated time of 17:23:39 hours.

In this new process, with the use of Guardonix, the forensic image generation process is at 60%, with an elapsed time of 04:25:22 hours and an estimated time of 02:51:44 hours.

I continue to generate the forensic image and the process ends satisfactorily after 08:17:19 hours. That's less than half the time of the previous process, which was stalled.


I don't know much about numbers... but the difference is huge. That's a lot of hours. Many, many hours, which can be devoted to the analysis, properly speaking, of the forensic image of the unit.

For the next test, I decide to use an 80 GB mechanical hard disk from HITACHI, connected to the workstation by means of a SATA to USB adapter. This hard disk is used exclusively for testing purposes. All kinds of crazy tests, like the ones I'm going to do here, now. It rattles like a ratchet, but there is no way to break it without resorting to physical violence ;)

This test will consist in the extraction of the hard disk during the forensic image generation process, (simulating the worst of situations).


I'm running a new process for forensic image generation.


Within seconds of starting the forensic image generation process, I remove the hard drive from the adapter. I'm reckless.


As soon as we remove the hard disk from the adapter, we get a 'nice' message on the screen...


A message that reads: "Failure: The specified network resource or device is no longer available. (55)"

If I now connect the hard disk, again, to the adapter, I won't get anything because I would have to start with a new forensic imaging process. Here I have provoked it a few seconds from the beginning, but imagine that it happens a few seconds from the end. The time you lose is a lot, as is the damage you cause.

Again, I'm going to make use of Guardonix hardware. Before connecting the hard disk to the Guardonix hardware, I configure the utility as follows.


I could connect my SATA to USB adapter directly to Guardonix. But I also have the SATA to USB adapter provided with Guardonix. So, I am going to use this last method of connection to the workstation, using the power adapters as well.


Once the hard disk is connected to the Guardonix hardware, it is detected and registered in the Log tab of the Guardonix utility.


I start a new process to generate the corresponding forensic image.


As in the previous case, I decide to remove the hard disk from the adapter a few seconds after it has started.


But, unlike the previous case, the process does not end unexpectedly.


Automatically, after the disconnection of the hard disk, the utility is placed in the Log tab and informs us that there has been an error in the reading of a certain sector.


But the process is not interrupted. It remains paused. Remember that the workstation does not communicate directly with the storage device connected to the Guardonix hardware and that what happens in one does not affect the other.

I decide to leave the disk disconnected for a while and what appears are reminders that tell us that the disk has been disconnected, but is still mounted.


After a few minutes, I decide to power it back on. This activity is also included in Guardonix's log, which shows that sector being read successfully.


I carry out this process of disconnection and reconnection on two occasions, which are shown in the sector map.


And the same activity is recorded in the log, with satisfactory readings for each reconnection.


Despite all power interruptions or hard drive disconnections, the forensic software has remained waiting for the device to reconnect, without unexpected termination.

In addition to stabilizing the USB connection, Guardonix also optimizes the reading speed.

To do this, I have decided to create, under the same circumstances, two forensic images of this hard drive.

The first of these, without using Guardonix hardware, ended in 53:37 minutes.


The second one, connecting the hard disk to the Guardonix hardware, finished in 40:21 minutes.



Conclusions


Personally, I really liked the way Guardonix works. I tested it on a badly damaged USB 3.0 device and a SATA hard drive.

This is a small write blocker. It literally fits in a shirt pocket.

In addition to performing the functions of a write-blocker, it also stabilizes the USB connection by maintaining and resuming the process in its current state when a reconnection is made.

Guardonix does not allow the forensic image acquisition process to be interrupted by reading instabilities occurring on the target device.

Both the reading speed and the sector map, in any of their states, are represented in real time in a graph.

It logs all activity that takes place on the target drive and offers the ability to select which records to save.

It offers a multitude of options: event logging, file system mounting, powering off the drive when it is inactive for a period of time, the choice of device type, the wait time between sector reads, read retries on defective sectors and blocks, the USB speed, ...

It provides warnings and tips during operations, as it encounters different states in the drive.

What happens on the workstation does not affect the storage device, and what happens on the storage device does not affect the workstation.

Guardonix hardware does not allow the workstation to have direct access to the connected unit.

In the tests I've carried out, it saves a lot of time.

In short, and in my tests, it has shown me that it allows me to work in complete safety, in any case.

I have to congratulate the DeepSpar team because, in my opinion, they have developed a very interesting product.





That's all.
