FIREBrick: Open Source Hardware Forensic Disk Imager & Write Blocker

Cybercrime has been a growing concern for the past two decades. What used to be the task of specialist national police squads has become the routine work of regional and district police departments. Unfortunately, the funding for cybercrime units does not seem to grow as fast as the amounts of digital evidence.

FIREBrick is an open source alternative to commercial hardware write blockers and disk imagers. It can be assembled from off-the-shelf, mass-produced components for around $199.

FIREBrick features

  • Autonomous disk imaging at speeds of up to 5Gb per minute
  • Images hashed on-the-fly with verification checks
  • Storage disk can be encrypted (via LUKS)
  • FireWire write blocker functionality: the target drive is visible as a FireWire hard disk
  • Portable – fits in a small HTPC case (including display) – MiniITX form factor
  • Free, open source firmware
  • Can be fully customised to the needs of specific departments
  • Adheres to NIST Computer Forensic Tool Testing protocols
  • Automatically configured internal storage (none, single disk or RAID)
  • RAID mirroring and striping support
  • Unlimited configurations – possible development ideas: Android imaging, Kindle imaging, USB imaging, disk image searching… Get involved!!

List of parts

To build a FIREBrick you need:

  1. ASRock E350M1 Motherboard
  2. 1Gb DDR3 Desktop RAM (1333 or 1066)
  3. Dynamode PCIX3FW 3-Port Firewire PCIe card
  4. An LCD2USB 20×4 display (You can buy it from Lcdmodkit or you can make one yourself according to these instructions)
  5. 120W+ PSU

You will need a case of your choice that fits a mini-ITX board (pretty much any case – or even make one yourself!).

If you want internal storage, you will need a SATA HDD. You will need two equal-sized HDDs for internal RAID storage. If you have no storage drives, you can still use the FIREBrick as a write blocker. If you have a single storage disk, you can image to that. If you have two storage drives, the system will configure them for RAID (RAID 0 or RAID 1).

FIREBrick Assembly steps:

  • Attach the motherboard to the case.
  • Connect the Power SW wire to the motherboard.
  • Connect the Reset SW wires to the motherboard.
  • Connect the HDD wires to the motherboard.
  • Connect the Power LED header to the motherboard.
  • Connect the HD Audio wires to the motherboard.
  • Connect the front LCD screen (LCD2USB) wires to the motherboard.
  • Insert the RAM into the motherboard.
  • Connect SATA cables to the motherboard.
  • Put the FireWire card into the motherboard PCI-E slot.
  • Connect the power supply header to the FireWire card. Then connect the power header to the motherboard.
  • The finished FIREBrick.

Flashing the FIREBrick BIOS:

Visit https://github.com/leetobin/firebrick for source code, ROM and more instructions.

NEWS!

We’ve just created a new github repo for a new build of the FIREBrick. It uses WiFi.

https://github.com/leetobin/firebrickRemote

  21 Responses to “FIREBrick: Open Source Hardware Forensic Disk Imager & Write Blocker”

  1. Congratulations! When I used to be with INTERPOL I wanted to build a tool which is cheap, forensically sound, and easy to use for developing countries. You built it. Well done Guys!

    • Thank you, Bernhard. Our talks about the needs of the developing world back in 2010 served as a motivation for this project.

  2. Hi
    many thanks for your project:)
    Could you please tell us an LCD2USB seller inside the European Union?

    Regards
    Alesssandro

  3. Looks like a great project!
    Is there a certain reason why only a 1394a / FW400 card is used, instead of the more suitable FW800 version?

    Marek

    • Thank you, Marek,

      The only reason for using FW400 was to keep the cost of FIREBrick down. It should work with an FW800 PCIe card also, but we have not tested it yet.

      Best,
      Pavel

      • thanks Pavel!
        So…. how’s the driver situation then? I assume I won’t be able to just put any pcie fw800 card in the box, as most cards need different drivers.

  4. Is the ASRock E350M1 motherboard the only MB that works? Thanks.

    • Well really any board will work. If you want to burn the OS to the BIOS you need a motherboard that supports Coreboot. If you want to boot from a USB flash drive then you can use any motherboard.

  5. Very very nice. Heard about this project on the forensics lunch. Are we just write blocking firewire here or can we utilize other technologies such as USB3, eSATA, and Thunderbolt(eventually)?

    Jason

    • Absolutely, I don’t see why you couldn’t use any technology. We just chose write-blocking over Firewire because we… well just chose it. If you did want to develop a new version of FIREBrick to include USB3 writeblocking, please do. And if we can help, let us know!

    • Just a small clarification. FIREBrick in its basic version writeblocks SATA/IDE and performs disk duplication. The write-blocked content is exported over FireWire for triage/preview. We chose FireWire because it allows FIREBrick to act as a peripheral device (like an external HDD or an Apple Mac in Target mode). You probably noticed that ASROCK motherboard has other connectors on the board: eSATA, and USB3 (in the newer version), but unlike FireWire, USB3 and eSATA are strictly master/slave and the controllers on the ASROCK motherboard are hardwired to be masters.

      You could configure FIREBrick to export data over USB3 if you install an appropriate USB3 card, like USB3380EVB, but we have not tested it yet.

  6. Couple things:

    1. Ever thought about adding this to kickstarter and selling completed version of it? Like a “supported version”. I can’t get a lot of the parts where I live. Or even selling pre-configured ones with a bit of a markup with the proceeds going back into the program?

    2. Does this support USB wiping as well, similar to how it would function with an HDD?

    • Hi Nick,

      Sorry for the delay in reply! That’s a very good idea, and I’m going to suggest it to the other devs.

      It doesn’t support USB wiping but that functionality could very easily be added to the system. I’ll make a note of it for sure.

      Cheers,
      Lee

  7. Hi there,
    very nice and interesting work.
    For a security project on mobile forensics (for some reasons, I have been cited in the 2014 NIST guide) I need to build a forensic station from scratch to add some innovative functions. Please can you send a direct email address so I can explain what I/we could do?
    Thanks
    Salvatore
