One of the foundations of forensic examination of digital media is preserving the integrity of the media throughout the investigation. A single unintended change to a device, even a timestamp updated by the operating system, can call the entire case into question. Before any evidence device is connected to a collection system, the examiner must have a hardware write blocker in the path or a software write blocker enabled on that system.
What are Write Blockers?
A write blocker is a hardware or software tool that allows a forensic examiner to access data on a storage device without permitting any changes to be written back to it. In simple terms, it makes the evidence "read-only." Hard drives are typically connected through a hardware write blocker, which intercepts the write commands that an operating system sends automatically when a disk is attached: mounting the volume and replaying its journal, updating last-access timestamps, or creating housekeeping folders such as Windows' System Volume Information or macOS's .Spotlight-V100. Without a write blocker in place, even an experienced professional can alter digital evidence without doing anything deliberate.
Why write blockers are essential:
- Maintaining forensic integrity
- Supporting chain of custody
- Ensuring legal defensibility in court proceedings
- Reducing the risk of human error
Hardware vs. Software Write Blockers
There are two primary types of write blockers used in forensic environments.
Hardware Write Blocker
A hardware write blocker is a physical device placed between the evidence drive and the forensic workstation. It runs its own internal firmware that passes read commands through and drops write commands, regardless of how the operating system behaves. Hardware write blockers are widely adopted by law enforcement, government agencies, and professional forensic labs because they are validated against a published test procedure (NIST's Computer Forensics Tool Testing program publishes write-blocker results) and have a long record of acceptance in court.
- Highly reliable and court-tested
- Ideal for high-stakes investigations
Examples:
- Tableau Forensic Write Blocker SATA/IDE
- UltraBlock SAS Write Blocker
A few things to note:
- Always test the write blocker with a spare device before attaching the suspect device: hash the spare device, attempt a write through the blocker, confirm the write is refused, and re-hash to confirm nothing changed. Record the result as part of the case notes.
- A write blocker only prevents the workstation from writing to the disk. It cannot stop the device's own controller from acting on its own: flash drives and SSDs perform wear levelling and garbage collection internally, so two acquisitions of the same flash device may not hash identically even behind a working blocker. Hash at acquisition time and document it.
Software Write Blocker
A software write blocker is a driver, kernel setting, or policy that refuses write commands to a device at the operating-system level. It is easier to deploy and more affordable than a hardware solution, but it only works if the setting is in place before the device is attached and the operating system honours it, so disable automounting on the collection system and verify the block on a spare device first. In situations where a computer cannot be powered down, media cannot be physically removed for imaging, or the contents of RAM need to be preserved, a software approach is the only option, and some acquisition tools combine the imaging function with write protection.
Advantages:
- More affordable
- Easy to deploy
- Useful for field work
Examples:
- Windows: registry policy (StorageDevicePolicies\WriteProtect, steps below)
- Linux: blockdev --setro /dev/XYZ, then confirm with blockdev --getro /dev/XYZ, which prints 1. On some kernels the read-only flag set on the whole disk is not inherited by the partition nodes (/dev/XYZ1, /dev/XYZ2, ...), so set and check each node individually.
Software write blocking using regedit:
- Open regedit and navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
- Add a new key named StorageDevicePolicies.
- Inside it, add a new DWORD (32-bit) value named WriteProtect and set its value to 1.
- The policy is enforced for USB storage devices and is read when a device is attached, so set it before plugging the device in, and confirm it on a spare USB stick before the suspect device is connected. Set WriteProtect back to 0 (or delete the key) when the collection system needs to write to USB media again.
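As an added example, not code from the original article, the Linux procedure above scripted in Python: it sets the kernel read-only flag on a disk and on each of its partitions with blockdev, confirms each with --getro, and carries out the verification check from the hardware section (hash, attempt a write, re-hash) against a spare device. A small Windows helper applies the registry policy with the standard-library winreg module. It assumes root (or Administrator) on a workstation with util-linux installed and the device not yet automounted; the device names, the probe string and the sample lsblk output are constructed for illustration.

```python
"""Software write blocking on Linux with blockdev, plus the verification step.

Added example for this article, not code from the page. Assumes root on Linux
with util-linux (lsblk, blockdev) and an evidence disk attached but NOT mounted.
"""
import errno
import hashlib
import json
import os
import subprocess
import sys

# errno values the kernel returns when a write is refused by the read-only flag
WRITE_BLOCKED_ERRNOS = {errno.EROFS, errno.EACCES, errno.EPERM}


def nodes_from_lsblk(lsblk_json):
    """Disk plus every partition as /dev paths, from `lsblk -J -o NAME,TYPE` output.

    On some kernels the whole-disk flag is not inherited by partition nodes,
    so each node is set and checked on its own.
    """
    nodes = []

    def walk(dev):
        nodes.append("/dev/" + dev["name"])
        for child in dev.get("children", []):
            walk(child)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev)
    return nodes


def is_read_only(node):
    """`blockdev --getro` prints 1 when the kernel read-only flag is set."""
    out = subprocess.run(["blockdev", "--getro", node],
                         check=True, capture_output=True, text=True).stdout
    return out.strip() == "1"


def set_read_only(disk):
    """Run `blockdev --setro` on the disk and all partitions; return nodes confirmed ro."""
    lsblk = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE", disk],
                           check=True, capture_output=True, text=True).stdout
    nodes = nodes_from_lsblk(lsblk)
    for node in nodes:
        subprocess.run(["blockdev", "--setro", node], check=True)
    return [n for n in nodes if is_read_only(n)]


def sha256_prefix(path, nbytes=1 << 20):
    """SHA-256 of the first nbytes of the device (enough to notice the probe write)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read(nbytes))
    return h.hexdigest()


def probe_write_block(path, nbytes=1 << 20):
    """Try to overwrite the first bytes of a SPARE device and report the outcome.

    Never run this against evidence: if the blocker is not working it WILL
    modify the device. 'blocked' is True only when the write is refused AND the
    hash is unchanged.
    """
    before = sha256_prefix(path, nbytes)
    refused = False
    try:
        fd = os.open(path, os.O_WRONLY)
        try:
            os.write(fd, b"WRITE-BLOCK-TEST")  # constructed probe payload
            os.fsync(fd)
        finally:
            os.close(fd)
    except OSError as e:
        if e.errno not in WRITE_BLOCKED_ERRNOS:
            raise
        refused = True
    after = sha256_prefix(path, nbytes)
    return {"write_refused": refused,
            "hash_unchanged": before == after,
            "blocked": refused and before == after}


def set_windows_usb_write_protect():
    r"""Apply the article's registry policy with the stdlib winreg module (Windows only).

    HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect = 1
    (DWORD). Read when a USB storage device is attached, so apply it first.
    """
    import winreg  # only available on Windows
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies",
                            0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "WriteProtect", 0, winreg.REG_DWORD, 1)


if __name__ == "__main__":
    # usage: sudo python3 writeblock.py /dev/sdX   (a SPARE device for the probe run)
    spare = sys.argv[1]
    print("read-only nodes:", set_read_only(spare))
    print("probe result:", probe_write_block(spare))
```

The probe deliberately reports three separate facts rather than one boolean: a write that is refused but leaves a changed hash (or succeeds but leaves the hash unchanged because the data already matched) would otherwise be mistaken for a working blocker. Run it on a file image first to see the unblocked case, then on the spare device behind the blocker.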