Call: (888) 458-3222
What is a Write Blocker?
The central requirement of a sound forensic examination of digital evidence is that the original evidence must not be modified, i.e., the examination or capture of digital data from the hard disks of a seized computer must be performed so that the disk contents are not changed. The examiner follows a set of procedures designed to prevent the execution of any program that might modify the disk contents. These procedures involve a layered defense against any modifications to the source disk using the following strategies:
• Where possible, set a hardware jumper to make the disk read only.
• Use an operating system and other software that are trusted not to write to the disk unless given explicit instructions.
• Use a hard disk write block tool to intercept any inadvertent disk writes
The informal hard disk write block tool requirements are the following as defined by NIST:
• The tool shall not allow a protected disk to be changed.
• The tool shall not prevent obtaining any information from or about any disk.
• The tool shall not prevent any changes to a disk that is not protected.
The above take from the National Institute of Standards and Technology - Write Block Tool Specification.
Back to FAQ
Next Question: What is an Info 2 Record?
Center for Computer Forensics
21800 Melrose Ave
Southfield, MI 48075
This website is not intended to provide legal or professional advice. The site is merely a starting point to learn about the topics listed. While we attempt to maintain current, complete and accurate information we accept no responsibility for errors or omissions.