
Preserving the Chain of Custody for Mac OS X

One of the most important aspects of performing forensics work in Mac OS X is to write-block the volumes that you are inspecting in order to maintain the chain of custody for the evidence (or potential evidence). One way to do this is to use a physical write blocker: when you plug a USB, SATA, eSATA or other type of drive into the write blocker, the computer is only ever presented with a read-only volume. For example, some good write blockers can be found at Digital Intelligence. WiebeTech also makes a nice USB device for write blocking on the Mac.

But this can get fairly pricey, because you often need to carry around a ton of moderately expensive devices in order to have one of each type that is required. So many choose to use software instead. On the Mac you can disable disk arbitration (the daemon that automatically mounts drives when they are attached) by moving the /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist file to another location, or simply by stopping the LaunchDaemon. You can then mount volumes manually, read-only. But chances are this will become cumbersome. So BlackBag Technologies has announced SoftBlock, write-blocking software for the Mac that provides GUI control over the mounting and management of devices at the kernel level of Mac OS X.
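The manual route described above, as an added example that is not part of the original post: unload the disk arbitration LaunchDaemon so nothing auto-mounts, build a read-only mount command for the evidence partition, and check the resulting `mount` output for the read-only flag before touching the volume. The device name `/dev/disk2s1`, the mount point `/Volumes/evidence` and the HFS filesystem type are assumptions; the `launchctl` and `mount` invocations are standard Mac OS X usage.

```shell
#!/bin/sh
# Added example (not from the original post): manual read-only mounting on
# Mac OS X with disk arbitration disabled. Device names, mount point and
# filesystem type are placeholders/assumptions.

DISKARB_PLIST=/System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist

# Unload diskarbitrationd so newly attached disks are no longer auto-mounted.
# Reverse with `sudo launchctl load "$DISKARB_PLIST"` when the exam is done.
disable_diskarb() {
    sudo launchctl unload "$DISKARB_PLIST"
}

# Build the mount command for a device and mount point (default type: hfs).
#   rdonly   -> never write to the evidence volume
#   noowners -> ignore on-disk ownership so the examiner can read everything
#   noexec   -> nothing from the evidence volume executes on the exam machine
#   nosuid   -> no set-uid binaries from the evidence volume are honoured
ro_mount_cmd() {
    dev=$1
    mnt=$2
    fstype=${3:-hfs}
    printf 'mount -t %s -o rdonly,noowners,noexec,nosuid %s %s\n' \
        "$fstype" "$dev" "$mnt"
}

# Return 0 if one line of `mount` output carries the read-only flag
# (Mac OS X prints it as "read-only" in the parenthesised option list).
is_mounted_readonly() {
    case "$1" in
        *"read-only"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Verify that the given mount point is listed by `mount` as read-only.
# Returns 1 (and says so) if the volume is absent or writable.
verify_readonly_mount() {
    mnt=$1
    line=$(mount | grep " on $mnt ")
    if [ -z "$line" ]; then
        echo "not mounted: $mnt" >&2
        return 1
    fi
    if is_mounted_readonly "$line"; then
        echo "read-only: $line"
        return 0
    fi
    echo "WRITABLE, do not proceed: $line" >&2
    return 1
}

# usage: sh ro_mount.sh /dev/disk2s1 /Volumes/evidence [hfs]
main() {
    disable_diskarb
    sudo mkdir -p "$2"
    # shellcheck disable=SC2046  # word splitting of the built command is intended
    sudo $(ro_mount_cmd "$1" "$2" "${3:-hfs}")
    verify_readonly_mount "$2"
}

if [ -n "${1-}" ]; then
    main "$@"
fi
```

Run it as root-capable user on the examination Mac with the device and mount point as arguments; it refuses to report success unless `mount` itself shows the volume as read-only, which is the check you want recorded before the evidence is examined.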

When you plug a device into your computer, SoftBlock identifies it and then lets you choose whether to mount it read-only or read-write. This is pretty similar in nature to how the Faronics DeviceFilter works, except that instead of centralized management controlling whether a device can be mounted at all, this tool lets the user control how each device will mount. Both are great tools, and they are apples and oranges except for the fact that both appear to be built on the same concept.

Overall, I’m excited to see BlackBag release SoftBlock and happy to be testing it in my lab right now!