FIREBrick
Cybercrime has been a growing concern for the past two decades. What used to be the task of specialist national police squads has become the routine work of regional and district police departments. Unfortunately, the funding for cybercrime units does not seem to grow as fast as the amounts of digital evidence.
FIREBrick is an open source alternative to commercial hardware write blockers and disk imagers. It can be assembled from off-the-shelf, mass-produced components for around $199.
FIREBrick features
- Autonomous disk imaging at speeds of up to 5Gb per minute
- Images hashed on-the-fly with verification checks
- Storage disk can be encrypted (via LUKS)
- FireWire write blocker functionality: the target drive is visible as a FireWire hard disk
- Portable – fits in a small HTPC case (including display) – MiniITX form factor
- Free, open source firmware
- Can be fully customised to the needs of specific departments
- Adheres to NIST Computer Forensic Tool Testing protocols
- Automatically configured internal storage (none, single disk or RAID)
- RAID mirroring and striping support
- Unlimited configurations – possible development ideas: Android imaging, Kindle imaging, USB imaging, disk image searching… Get involved!!
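The "hashed on-the-fly with verification checks" feature can be illustrated with the sketch below. It is an added example, not code from the FIREBrick firmware: the target drive is hashed in the same pass that copies it, then the stored image is re-read and compared. SHA-256, the chunk size, the function names and the temporary file standing in for a drive are all assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size; an assumption, not a FIREBrick setting

def image_with_hash(src_path, dst_path, algo="sha256"):
    """Copy src to dst in one pass, hashing each chunk as it is read."""
    h = hashlib.new(algo)
    copied = 0
    # The source is opened read-only: no writable handle to the evidence exists.
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # push data to the storage disk before verifying
    return h.hexdigest(), copied

def verify_image(dst_path, expected_hex, expected_len, algo="sha256"):
    """Re-read the stored image and compare its length and digest."""
    h = hashlib.new(algo)
    seen = 0
    with open(dst_path, "rb") as img:
        for chunk in iter(lambda: img.read(CHUNK), b""):
            h.update(chunk)
            seen += len(chunk)
    return seen == expected_len and h.hexdigest() == expected_hex

def demo():
    """Constructed sample: a 3 MiB + 17 byte file stands in for the target drive."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "target.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        digest, size = image_with_hash(src, dst)
        clean = verify_image(dst, digest, size)
        with open(dst, "r+b") as f:  # simulate one corrupted byte on storage
            f.seek(CHUNK)
            b = f.read(1)
            f.seek(CHUNK)
            f.write(bytes([b[0] ^ 0xFF]))
        return size, clean, verify_image(dst, digest, size)

if __name__ == "__main__":
    print(demo())
```

The acquisition digest is the value recorded in the case notes; the verification pass only shows that what reached the storage disk still matches it.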
List of parts
To build a FIREBrick you need:
- ASRock E350M1 Motherboard
- 1Gb DDR3 Desktop RAM (1333 or 1066)
- Dynamode PCIX3FW 3-Port Firewire PCIe card
- An LCD2USB 20×4 display (You can buy it from Lcdmodkit or you can make one yourself according to these instructions)
- 120W+ PSU
You will need a case of your choice that fits a mini-ITX (pretty much any case – or even make one yourself!).
If you want internal storage, you will need a SATA HDD. You will need two equal-sized HDDs for internal RAID storage. If you have no storage drives, you can still use the FIREBrick as a write blocker. If you have a single storage disk, you can image to that. If you have two storage drives, the system will configure them for RAID (RAID 0 or RAID 1).
FIREBrick Assembly steps:
- Attach the motherboard to the case
- Connect the Power SW wire to the motherboard
- Connect the Reset SW wires to the motherboard
- Connect the HDD wires to the motherboard
- Connect the Power LED header to the motherboard
- Connect the HD Audio wires to the motherboard
- Connect the front LCD Screen wires to the motherboard
- Insert the RAM into the motherboard
- Connect SATA cables to the motherboard
- Put the FireWire card into the motherboard PCI-E slot.
- Connect the power supply header to the FireWire card. Then connect the power header to the motherboard.
- The finished FIREBrick.
Flashing the FIREBrick BIOS:
Visit https://github.com/leetobin/firebrick for source code, ROM and more instructions.
NEWS!
We’ve just created a new GitHub repo for a new build of the FIREBrick. It uses WiFi.
https://github.com/leetobin/firebrickRemote
Congratulations! When I used to be with INTERPOL I wanted to build a tool which is cheap, forensically sound, and easy to use for developing countries. You built it. Well done Guys!
Thank you, Bernhard. Our talks about the needs of the developing world back in 2010 served as a motivation for this project.
Hi
many thanks for your project:)
Could you please tell us an lcd2usb seller inside the European Union?
Regards
Alesssandro
Hey Alesssandro,
I don’t know of a European distributor, however http://lcdmodkit.com/ are quite good and their delivery times are reasonable.
Cheers,
Lee
thanks for your answer.
the problem with lcdmodkit are tax and custom…could you please check some european big reseller to help us (on ebay, amazon, etc)?
regards
Alessandro
Sure, I’ll take a look.
Cheers,
L
We are working on another configuration of the FIREBrick, it won’t require an LCD screen. We’re using a WiFi dongle to allow the system to be controlled via a phone or computer. Should be available soon if you are interested…
very interested, if it’s possible. But I like very much the LCD version 😉 Did you find any reseller in EU?
Best regards
A
Looks like a great project!
Is there a certain reason why only a 1394a / FW400 card is used, instead of the more suitable FW800 version?
Marek
Thank you, Marek,
The only reason for using FW400 was to keep the cost of FIREBrick down. It should work with an FW800 PCIe card also, but we have not tested it yet.
Best,
Pavel
thanks Pavel!
So…. how’s the driver situation then? I assume I won’t be able to just put any pcie fw800 card in the box, as most cards need different drivers.
I reckon the kernel will pick the card up, if it’s a reasonably common card that is. You can just grep dmesg to check…
The ASRock E350M1 Motherboard is the only MB that works? Thanks.
Well really any board will work. If you want to burn the OS to the BIOS you need a motherboard that supports Coreboot. If you want to boot from a USB flash drive then you can use any motherboard.
Very very nice. Heard about this project on the forensics lunch. Are we just write blocking firewire here or can we utilize other technologies such as USB3, eSATA, and Thunderbolt(eventually)?
Jason
Absolutely, I don’t see why you couldn’t use any technology. We just chose write-blocking over Firewire because we… well just chose it. If you did want to develop a new version of FIREBrick to include USB3 writeblocking, please do. And if we can help, let us know!
Just a small clarification. FIREBrick in its basic version writeblocks SATA/IDE and performs disk duplication. The write-blocked content is exported over FireWire for triage/preview. We chose FireWire because it allows FIREBrick to act as a peripheral device (like an external HDD or an Apple Mac in Target mode). You probably noticed that ASROCK motherboard has other connectors on the board: eSATA, and USB3 (in the newer version), but unlike FireWire, USB3 and eSATA are strictly master/slave and the controllers on the ASROCK motherboard are hardwired to be masters.
You could configure FIREBrick to export data over USB3 if you install an appropriate USB3 card, like USB3380EVB, but we have not tested it yet.
Couple things:
1. Ever thought about adding this to kickstarter and selling completed version of it? Like a “supported version”. I can’t get a lot of the parts where I live. Or even selling pre-configured ones with a bit of a markup with the proceeds going back into the program?
2. Does this suppose USB wiping as well similar to how it would function with a hdd?
Hi Nick,
Sorry for the delay in reply! That’s a very good idea, and I’m going to suggest it to the other devs.
It doesn’t support USB wiping but that functionality could very easily be added to the system. I’ll make a note of it for sure.
Cheers,
Lee
Hi there,
very nice and interesting work.
For a security project on mobile forensic (for some reasons, I have been cited in the 2014 NIST guide) I am in the need to build a forensic station from scratch to add some innovative function. Please can you send a direct email address so I can explain what I/we could do?
Thanks
Salvatore
Hi Salvatore,
I’ve emailed you directly.
Cheers,
Lee
I found your publication, and I would like to know if this device is sold by you already armed and with the software loaded, what does it cost in dollars and if you make international shipments to Paraguay?
Please see my previous response
Hi, and thank you for such a great work you do here, but I’m wondering, is this project abandoned ? As I see no updates in comments since years and I cannot imagine a so exciting project staying still so long.
Then I’m wondering… being an IT consultant, I need more and more to proceed data collection for private cases, but could your Firebrick be certified for legal forensic ?
I heard about a company called Cyanline that proposes a commercial alternative that looks like a lot your firebrick but I’m actually looking for a cheaper solution.
No it is still kicking.
Hi Lee,
Could you tell me if this project is still continued ?
If yes, I’d like to have more information about hardware, as the mainboard is not available anymore.
Thanks a lot,
Cheers,
Yannick
Hello Yannick,
Lee is currently finishing up his PhD, so it was put on hold, but yes we are pretty much continuing with it. What is your query?
Pavel
good morning I have read your answers, I congratulate you for having finished your Doctorate. The consultation is, therefore I work in Cybercrime (from an emerging country in the development of the Spanish-speaking world: Argentina), in which the investigative police agencies do not have a “budget” to access brand devices in the market for these areas As for the acquisitions of forensic images, that is the daily reality of my work (as it was stated in his thesis), his thesis solves practically the problem that I face every day: how to obtain a forensic image of a magnetic support without cross contamination at a low cost? The real problem that I face and for this question I consult is that currently (the motherboard recommended for the assembly of the device) ‘is not manufactured anymore and it is practically impossible to get it’ for this question, I consult it:
if you could update the requirement of the motherboard with another similar one that can be obtained in the market (that is currently manufactured). I’m waiting for a private email, so I could inform you of the difficulties with that motherboard to get it. Thank you.