SAFE Block by ForensicSoft
SAFE Block User's Guide
Setup
The Setup button on the main interface brings up this window:
The left pane of the dialog box allows selection of whether you want to change password, change the default blocking policy, control advanced settings, or see information about SAFE Block.
Default Policies.
The figure above shows the default policy setup interface.
- Block removable disk by default (USB, IEEE1394) - checking this box means that removable drives, such as USB thumb drives, USB card readers, flash media devices, and FireWire (IEEE 1394) devices, will be write blocked by default both at boot time and when they are connected to a running system. This includes any IDE and/or SCSI disks attached via USB or IEEE 1394.
- Block fixed disk by default (IDE, SCSI) - checking this box means SAFE Block will block all fixed disks (except the system disk, which cannot be blocked, and CD/DVD drives which cannot be blocked) that are present when the system boots, as well as immediately upon detection of hot-swappable drives that are attached to a running system, such as SATA drives.
- Remember status of fixed disks - if this box is checked (the default), then SAFE Block will "remember" the last blocked status of all fixed disks that it has seen on the machine since SAFE Block was installed. For instance, if you have an application disk installed that you never want blocked, you can check this box, unblock the drive, and it will stay unblocked, even through system restarts, unless and until you choose to block it through SAFE Block's interface. This policy overrides the default policies of the two check boxes above it. That is, if a fixed device that has been seen in the system before is connected to the system and this box is checked, then the device's last blocked/unblocked status will be used, regardless of the default policy in the previous two checkboxes. If the box is not checked, then the former status of all returning devices is ignored and the above two checkboxes set default policy.
If only the third check box is checked, SAFE Block will not block any new drives by default. This is not recommended for forensic purposes, where you want to prevent Windows from writing to new disks before you can block them through the SAFE Block XP interface. For forensic purposes it is recommended to check the first two policy boxes so that Windows cannot write to the device during startup and/or upon insertion of the device.
Removable disks (e.g. USB and IEEE 1394) cannot have their status remembered.
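The precedence among the three check boxes can be modelled in a few lines. This is an added example, not ForensicSoft's code: the class, field and function names are hypothetical, and the logic is only what the descriptions above state.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    block_removable: bool  # "Block removable disk by default (USB, IEEE1394)"
    block_fixed: bool      # "Block fixed disk by default (IDE, SCSI)"
    remember_fixed: bool   # "Remember status of fixed disks"


@dataclass(frozen=True)
class Disk:
    # "removable" also covers IDE/SCSI disks attached via USB or IEEE 1394.
    kind: str                           # "removable", "fixed", "system", "optical"
    last_blocked: Optional[bool] = None  # None = never seen on this machine


def is_write_blocked(policy: Policy, disk: Disk) -> bool:
    """Return the blocked state the guide describes for a disk at attach/boot."""
    if disk.kind in ("system", "optical"):
        return False  # the system disk and CD/DVD drives cannot be blocked
    if disk.kind == "removable":
        # Removable disks cannot have their status remembered.
        return policy.block_removable
    if disk.kind == "fixed":
        # A remembered status overrides the default for returning fixed disks.
        if policy.remember_fixed and disk.last_blocked is not None:
            return disk.last_blocked
        return policy.block_fixed
    raise ValueError(f"unknown disk kind: {disk.kind}")


def unprotected_new_disks(policy: Policy) -> List[str]:
    """Kinds of never-seen disk that Windows could write to under this policy."""
    return [k for k in ("removable", "fixed")
            if not is_write_blocked(policy, Disk(k))]


if __name__ == "__main__":
    recommended = Policy(True, True, True)    # first two boxes checked
    third_only = Policy(False, False, True)   # the combination warned against
    print("recommended:", unprotected_new_disks(recommended))
    print("third box only:", unprotected_new_disks(third_only))
```

Running it for a planned configuration before an acquisition shows which classes of new evidence disk would attach unblocked.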
Advanced Settings.
The Advanced Settings option brings up this dialog box:
The single box controls blocking of some esoteric low-level write commands:
- Unchecked (default) - in this mode SAFE Block will block all write commands to the disk, including some write commands that are highly unlikely to write to the disk and may cause some applications problems. For forensic purposes this conservative blocking is recommended.
- Checked - in this mode the esoteric write commands will be allowed. This is highly unlikely to allow writes to the disk and may allow some applications to run that fail when conservative blocking is used. This too is unlikely, so it is recommended not to check this box.
Note that SAFE Block blocks the SCSI command Write Attributes. This command is highly unlikely to write to the disk, but may write to the disk in some circumstances.