SoftBlock - BlackBag Technologies Inc.
SoftBlock from BlackBag Technologies Inc.
(http://www.blackbagtech.com/) is a new software utility for
the Macintosh that greatly enhances the abilities of any
digital forensic laboratory. OS X has always had the ability
to control Disk Arbitration, and we have offered AppleScripts
to make it even easier to turn it ON/OFF. Now, with SoftBlock,
the Macintosh analyst can take full control of each piece of
digital media introduced to the Mac, individually. In this
review, we summarize its capabilities and how SoftBlock can
make your digital forensics work immensely easier and reduce
costs.
First, installation of SoftBlock is as simple as placing the
SoftBlock application into the Applications folder and
launching it. The operating system will authenticate and then
restart. Upon restart, a new icon will appear in the Finder
menu bar as seen below.
Finder Menu Bar with SoftBlock installed
With SoftBlock installed, a Disk icon with a green "check"
will appear representing all is well and the application is
functioning as expected. From the included documentation,
SoftBlock is "a kernel-level application which is designed to
safely identify and mount newly connected devices in a
forensically sound READ-ONLY manner, or traditional
READ-WRITE configuration." For us, this means we can now
safely connect digital media, and SoftBlock will intervene
every time with the following dialog:
SoftBlock Dialog when a USB Device is Connected
SoftBlock is indicating 3 choices can be made for the device
that has been introduced to the Macintosh:
Mount read-only: The media will appear on the Desktop as an
available drive but no changes can be made to the device.
Forensically sound.
Mount read-write: This choice is intended for mounting media
that you intentionally want to save data to.
Cancel Mount: Allows the device to be connected without any
mount occurring. Excellent choice when you are about to image
the physical device.
If you choose to mount read-only, the device immediately will
show up on the Desktop and becomes available for viewing.
However, if the read-write option is taken, a second dialog
box is presented, with the buttons reversed for safety:
SoftBlock Second Dialog when Read-Write is Selected in First Dialog
To mount a device read-write for the first time, the examiner
must move the mouse to a new location on the screen and
select "Mount Read-Write", which adds a level of safety
against accidental mounts in this manner.
Aside from the ability to intervene with all devices that are
being introduced to the Mac, SoftBlock is also an application
with a very useful interface.
SoftBlock Application User Interface
Within the SoftBlock application, the examiner can take full
control of the digital media and partitions. Here, devices
can be remounted and ejected, along with gathering valuable
information about the physical device itself. BlackBag Tech.
notes in their included ReadMe file that software RAID is not
supported at this time, and neither is mounting multiple
internal drives Read-Write. Notice in the above picture,
"disk0s3" is mounted with a 'Lock' next to it. Only the boot
partition is able to be mounted Read-Write. All other
internal partitions will mount read-only and must stay that
way. You can mount external devices read-write for saving
your data.
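
As an added example (not part of the original review and not BlackBag's code), the shell functions below audit text in the format printed by the macOS `mount` command and list any slice of a given disk that is mounted without the `read-only` flag, which is a quick cross-check of the mount states described above. The disk identifiers, volume names and sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report slices of one disk that are NOT mounted read-only.
# Input on stdin: text in the format printed by the macOS `mount` command.
# Live use (evidence disk id "disk2" is an assumption): mount | rw_slices disk2

rw_slices() {
    disk="$1"
    while IFS= read -r line; do
        dev="${line%% on *}"        # device node, e.g. /dev/disk2s1
        opts="${line##*(}"          # text after the last "(" = mount options
        opts="${opts%)*}"           # drop the closing ")"
        case "$dev" in
            "/dev/$disk"|"/dev/${disk}s"*) ;;   # the disk or one of its slices
            *) continue ;;                      # some other device
        esac
        case ", $opts," in
            *", read-only,"*) ;;                # mounted read-only
            *) printf '%s\n' "$dev" ;;          # mounted read-write: report
        esac
    done
}

# Succeeds when no slice of the disk is mounted read-write. A disk that is
# not mounted at all (the "Cancel Mount" case) also passes.
evidence_is_write_blocked() {
    [ -z "$(rw_slices "$1")" ]
}

# Constructed sample of `mount` output (not captured from a real system).
SAMPLE_MOUNTS='/dev/disk0s2 on / (hfs, local, journaled)
/dev/disk0s3 on /Volumes/Data (hfs, local, journaled, read-only)
/dev/disk2s1 on /Volumes/EVIDENCE (msdos, local, nodev, nosuid, read-only, noowners)
/dev/disk3s1 on /Volumes/Case Output (hfs, local, nodev, nosuid, journaled)'
```

This checks only the mount flag reported by the operating system, so it confirms how a volume was mounted rather than replacing the tool that enforces it.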
With SoftBlock installed, your Mac can write-block, with
ease, every type of digital media for which you have an
available port or adapter. Consider the amount of money this
can potentially save over physical write-blocking devices.
Excellent job with this new utility, BlackBag Technologies.
For more information, see the BBT website at
http://www.blackbagtech.com/store/software/softblock_1.0.1.html