What is a write blocker?

The central requirement of a sound forensic examination of digital evidence is that the original evidence must not be modified, i.e., the examination or capture of digital data from the hard disks of a seized computer must be performed so that the disk contents are not changed. The investigator follows a set of procedures designed to prevent the execution of any program that might modify the disk contents. These procedures involve a layered defense against any modifications to the source disk using the following strategies:

  • Where possible, set a hardware jumper to make the disk read-only.
  • Use an operating system and other software that are trusted not to write to the disk unless given explicit instructions.
  • Use a hard disk write block tool to intercept any inadvertent disk writes.

NIST defines the following informal requirements for a hard disk write block tool:

  • The tool shall not allow a protected disk to be changed.
  • The tool shall not prevent obtaining any information from or about any disk.
  • The tool shall not prevent any changes to a disk that is not protected.
The above is taken from the National Institute of Standards and Technology - Write Block Tool Specification.
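
The three requirements above can be modelled as a command filter sitting between the host and its disks. This is an added example, not code from NIST or from this page: the `Disk` and `WriteBlocker` classes and the command names are constructed for illustration, and blocking unrecognized commands on a protected disk is an assumption of this model.

```python
import hashlib

# Constructed command names; a real blocker classifies its interface's command set.
NON_MODIFYING = {"READ", "GET_SIZE"}

class Disk:
    """Toy disk (hypothetical): a flat bytearray of 512-byte sectors."""
    def __init__(self, name, sectors):
        self.name, self.data = name, bytearray(sectors * 512)

    def execute(self, cmd, lba=0, payload=b""):
        off = lba * 512
        if cmd == "READ":
            return bytes(self.data[off:off + 512])
        if cmd == "GET_SIZE":
            return len(self.data)
        if cmd == "WRITE" and off + len(payload) <= len(self.data):
            self.data[off:off + len(payload)] = payload
            return len(payload)
        raise ValueError(f"unsupported or out-of-range command: {cmd}")

    def digest(self):
        return hashlib.sha256(self.data).hexdigest()

class WriteBlocker:
    """Sits between host and disks; filters commands to protected disks."""
    def __init__(self, protected):
        self.protected, self.blocked = set(protected), []

    def send(self, disk, cmd, **kw):
        # Default-deny (model assumption): on a protected disk, only known reads pass.
        if disk.name in self.protected and cmd not in NON_MODIFYING:
            self.blocked.append((disk.name, cmd))
            return None
        return disk.execute(cmd, **kw)

def demo():
    evidence, scratch = Disk("evidence", 8), Disk("scratch", 8)
    evidence.data[:4] = b"CASE"                      # constructed content
    before = evidence.digest()
    wb = WriteBlocker(protected={"evidence"})
    wb.send(evidence, "WRITE", lba=0, payload=b"XXXX")   # intercepted
    wb.send(evidence, "VENDOR_SPECIFIC")                 # unknown: intercepted
    wb.send(scratch, "WRITE", lba=1, payload=b"note")    # passes through
    return {"unchanged": evidence.digest() == before,          # requirement 1
            "first4": wb.send(evidence, "READ")[:4],           # requirement 2
            "size": wb.send(evidence, "GET_SIZE"),             # requirement 2
            "scratch": bytes(scratch.data[512:516]),           # requirement 3
            "blocked": wb.blocked}
```

Comparing a hash of the protected disk taken before and after the session, as `demo()` does, is the check that the first requirement actually held.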
