Call:   (888) 458-3222

 

What is a Write Blocker?

 

The central requirement of a sound forensic examination of digital evidence is that the original evidence must not be modified, i.e., the examination or capture of digital data from the hard disks of a seized computer must be performed so that the disk contents are not changed. The examiner follows a set of procedures designed to prevent the execution of any program that might modify the disk contents. These procedures involve a layered defense against any modifications to the source disk using the following strategies:

 

• Where possible, set a hardware jumper to make the disk read only.

• Use an operating system and other software that are trusted not to write to the disk unless given explicit instructions.

• Use a hard disk write block tool to intercept any inadvertent disk writes

 

The informal hard disk write block tool requirements are the following as defined by NIST:

 

• The tool shall not allow a protected disk to be changed.

• The tool shall not prevent obtaining any information from or about any disk.

• The tool shall not prevent any changes to a disk that is not protected.

 

The above take from the National Institute of Standards and Technology - Write Block Tool Specification.

 

 

 

 

 

Back to FAQ

Next Question: What is an Info 2 Record?

Center for Computer Forensics

21800 Melrose Ave

Suite 1

Southfield, MI 48075

 

info@computer-forensics.net

This website is not intended to provide legal or professional advice. The site is merely a starting point to learn about the topics listed. While we attempt to maintain current, complete and accurate information we accept no responsibility for errors or omissions.