VOOM vs The Virus (CIH)

By Seth Fogie, Feb 24, 2004

It is not often that I come across a hardware device that makes me stop in awe of its potential. Sure, there are a lot of neat toys and gadgets out there, such as the PDA, HUD glasses, nanobots, and more, but these are things we have been seeing in sci-fi shows and movies for decades. But for all the cleverness of mankind, we sometimes miss things... and one of these items is the VOOM ShadowDrive.

I should start by saying that one of the editors here at InformIT.com was keeping an eye out for cool ideas at Comdex 2003 for us (and I am sure others as well). When she returned, it was with news of the VOOM ShadowDrive, which struck her as curiously unique. Since this is sold as a forensics tool, I contacted the company and asked for one to play with as part of the work I am doing for the forensics section of the Security Reference Guide. Once I unpacked the device and set it up, I realized that this device was much more than just a simple forensics tool.

If you aren't familiar with VMWare, you need to download a demo and try it out. For security research types, VMWare is a great PC- and Linux-based tool that allows you to run entire operating systems inside an emulator shell. In addition to giving you access to programs that run only on a certain OS, it also provides a nice sandbox environment for installing Trojans and viruses. Once the emulated system is infected or dies, you can delete the VMWare file or use the snapshot feature to quickly restore it... but there is one problem: VMWare is software based, doesn't work for every program, and can be rather slow. In addition, VMWare has no real value as a forensics tool because it uses proprietary data formats, which leave no room for evidence images. That said, let me introduce you to the ShadowDrive.

The ShadowDrive is "...a patented computer hardware device that is designed to aid the investigation of a computer's hard drive. It provides investigators with read write access from the host computer's perspective, while maintaining the original hard drive unchanged." From this description, you can see that the issues affecting software-based solutions do not apply to the ShadowDrive. This is a true hardware solution that protects only the main hard drive, without impacting the rest of the computer's resources (e.g. the graphics card).

Since I am the curious type, you can probably guess what I did. After setting it up, I installed programs, deleted files, etc. As advertised, the ShadowDrive worked like a charm. With three quick presses of a button (three presses are required to prevent an accidental reset), the device reset and my main drive was returned to its original state. In other words, my evidence would have been protected. This means I can use the actual evidence collected from a criminal's computer during the trial without worrying about corrupting the drive and destroying the evidence.

Before going any further, the ShadowDrive is a proprietary device with a hard drive of its own inside (I opened the box and took a peek). That drive acts as an invisible buffer to which all 'writes' are recorded. At no time is the main drive altered, which is necessary if the evidence is to be preserved. This is not a write blocker, per se, because all writes are redirected to the ShadowDrive, which ensures that the running programs continue to behave as normal. The only negative I can come up with about this device is that it is IDE (ATAPI 4, 5, 6) only.

While all my testing was great for VOOM, I was slightly bored by the prospect of having something that worked as planned inside this forensics-defined environment. So I started to think about more extreme testing procedures that might not have been considered. I figured (without reading this PDF: voom_pdf/ShadowDriveNoOptions.pdf) that the device only blocked drive writes at an upper level, which would leave out fdisk or other partitioning-type tools. So I fdisked and formatted my main disk and discovered that after the reset everything was returned to its original state. At this point, I had done about all you can possibly do to a drive and still expect it to work. I doubt the ShadowDrive could redirect a direct blow from a hammer!
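To make the two points above concrete (the invisible write buffer sitting in front of an unaltered main drive, and the fdisk test showing that partition-table writes are caught as well), here is an added example that is not part of the original article and not VOOM's code or design: a sector-level copy-on-write overlay in Python. The class names, the 512-byte sector size, the three-press reset counter and the sample disk image are all assumptions made for illustration. What it demonstrates is that interception at the raw-LBA level means an MBR overwrite from a partitioning tool is redirected like any other write, that the host reads back its own writes so software keeps running normally, and that the evidence image's SHA-256 is identical before, during and after the reset, which is the check an examiner would actually run.

```python
"""Sector-level copy-on-write overlay modelling the ShadowDrive behaviour the
article describes. Illustrative model only; not VOOM's firmware or design."""
import hashlib

SECTOR = 512  # assumed sector size for this model


class BaseDisk:
    """Stand-in for the evidence (main) drive. Holds a fixed byte string and
    exposes no write method, so nothing in this model can alter it."""

    def __init__(self, data: bytes):
        if len(data) % SECTOR:
            raise ValueError("image must be a whole number of sectors")
        self._data = bytes(data)

    @property
    def sectors(self) -> int:
        return len(self._data) // SECTOR

    def read(self, lba: int) -> bytes:
        off = lba * SECTOR
        return self._data[off:off + SECTOR]

    def sha256(self) -> str:
        """Hash of the whole image, the usual evidence-integrity check."""
        return hashlib.sha256(self._data).hexdigest()


class ShadowOverlay:
    """Sits between the host and the base disk. Writes land in a buffer keyed
    by LBA, reads prefer the buffer so the host sees its own changes, and a
    reset discards the buffer. Because it works on raw LBAs rather than files,
    a partition-table or format write to sector 0 is caught like any other."""

    RESET_PRESSES = 3  # three presses before a reset, as the article describes

    def __init__(self, base: BaseDisk):
        self.base = base
        self.buffer = {}  # lba -> 512-byte sector (the "invisible buffer")
        self._presses = 0

    def _check(self, lba: int) -> None:
        if not 0 <= lba < self.base.sectors:
            raise IndexError(f"LBA {lba} out of range")

    def read(self, lba: int) -> bytes:
        self._check(lba)
        if lba in self.buffer:
            return self.buffer[lba]
        return self.base.read(lba)

    def write(self, lba: int, data: bytes) -> None:
        self._check(lba)
        if len(data) != SECTOR:
            raise ValueError("writes are whole sectors")
        self.buffer[lba] = bytes(data)  # redirected; the base is never touched

    def press_reset(self) -> bool:
        """Returns True only on the press that actually clears the buffer."""
        self._presses += 1
        if self._presses < self.RESET_PRESSES:
            return False
        self.buffer.clear()
        self._presses = 0
        return True


def build_evidence_disk(sectors: int = 64) -> BaseDisk:
    """Constructed sample image: sector 0 carries an MBR-style 0x55AA signature,
    every other sector is filled with its own index byte."""
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xaa"
    body = b"".join(bytes([i % 256]) * SECTOR for i in range(1, sectors))
    return BaseDisk(bytes(mbr) + body)


def simulate_fdisk_and_reset() -> dict:
    """Overwrite the MBR and zero the first data sectors through the overlay
    (an fdisk-plus-format stand-in), then reset and compare evidence hashes."""
    base = build_evidence_disk()
    shadow = ShadowOverlay(base)
    hash_before = base.sha256()

    new_mbr = b"\x90" * 510 + b"\x00\x00"  # boot code replaced, signature gone
    shadow.write(0, new_mbr)
    for lba in range(1, 17):
        shadow.write(lba, bytes(SECTOR))

    host_view = shadow.read(0)          # host sees the partitioning "take"
    buffered = len(shadow.buffer)
    hash_during = base.sha256()

    presses = [shadow.press_reset() for _ in range(ShadowOverlay.RESET_PRESSES)]

    return {
        "host_saw_new_mbr": host_view == new_mbr,
        "buffered_sectors": buffered,
        "base_untouched_during": hash_before == hash_during,
        "reset_sequence": presses,
        "base_untouched_after": hash_before == base.sha256(),
        "mbr_restored": shadow.read(0)[510:] == b"\x55\xaa",
        "data_restored": shadow.read(5) == bytes([5]) * SECTOR,
        "buffer_empty": len(shadow.buffer) == 0,
    }


if __name__ == "__main__":
    for key, value in simulate_fdisk_and_reset().items():
        print(f"{key}: {value}")
```

Note that the model covers only the drive, which is exactly the scope the article gives the device: anything a program writes elsewhere, such as the motherboard's flash ROM that CIH targets, sits outside the overlay and is not something a drive-level buffer can roll back.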

After thinking about the damage I could cause to my 'protected' system, I recalled a nasty virus that went around a few years ago called 'The Chernobyl Virus', or CIH. I started searching the Internet with a very locked-down browser (not IE), and after a few minutes, and more than one false lead, I found a package with three main versions of the virus. I emailed VOOM and told them about my plans, because the CIH virus could overwrite the flash ROM on the motherboard. My test PC is old and can be tossed if it dies, but I didn't want to trash their device. They gave me the green light, so I downloaded CIH to the target PC and infected myself. Since CIH is a date-triggered virus, I changed the date on my PC and executed the CIH-infected program. My PC froze, and when I rebooted it, it was thoroughly hosed. However, and as promised, once I reset the ShadowDrive, everything returned back to normal.

So, to sum this up, VOOM offers what I believe is the first hardware-based write-redirecting device that is not only mobile (the size of a small PC), but is also very successful at protecting the main drive. This is the type of tool that could easily reduce the downtime and reset time of any security and/or virus researcher. Of course, VOOM also sells products that can help reduce the problems associated with patch and update testing. If something fails when you install a patch to your main system, simply reset the device and all the damage is instantly repaired. Finally, at $1295 the ShadowDrive is a pretty good deal. Even VMWare costs $299, and it has no real value as a forensics tool. In addition, software-based emulators are often limited in their functionality (e.g. games). Check out http://www.voomtech.com for more details!