A write blocker must be used in order to preserve the integrity of evidence contained within a hard drive. Without a write blocker, any action taken by a digital forensic examiner will be recorded on the drive, no matter how minor or inconsequential. Even these minuscule changes can cast a shadow of doubt on the investigation and render any evidence collected inadmissible in a legal proceeding.
Write blockers can either be separate devices or built directly into the forensic workstation. Regardless of configuration, all write blockers act as an intermediary preventing any data alteration to the source drive. To verify data integrity, digital forensic analysts use cryptographic hash values.
The hash value of the source drive is compared to its clones, providing clear and immediate indication of any potential tampering, no matter how small.
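The hash comparison described above, as an added example (not Spindletop Investigations' own tooling): it streams a source image and each clone through a hash and, on a mismatch, reports the first block where they diverge. The choice of SHA-256, the 4096-byte block size, the function names and the sample images are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # assumed comparison granularity, not a value from the page

def image_digest(path, algo="sha256", chunk=1 << 20):
    """Stream a drive image through a hash without loading it into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:  # read-only open; never write to evidence
        for data in iter(lambda: f.read(chunk), b""):
            h.update(data)
    return h.hexdigest()

def first_differing_block(source, clone, block=BLOCK):
    """Return the index of the first block that differs, or None if identical."""
    with open(source, "rb") as s, open(clone, "rb") as c:
        index = 0
        while True:
            a, b = s.read(block), c.read(block)
            if a != b:  # also catches a clone that is shorter or longer
                return index
            if not a:  # both streams ended together
                return None
            index += 1

def verify_clone(source, clone):
    """Compare whole-image digests; on mismatch, report where they diverge."""
    src, dst = image_digest(source), image_digest(clone)
    match = src == dst
    return {"source": src, "clone": dst, "match": match,
            "first_bad_block": None if match else first_differing_block(source, clone)}

def demo():
    """Constructed sample: a 5-block 'drive', a good clone, a clone with one flipped bit."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("source.img", "good.img", "bad.img")}
        original = os.urandom(BLOCK * 5)
        altered = bytearray(original)
        altered[BLOCK * 3 + 17] ^= 0x01  # single-bit change inside block 3
        for name, data in zip(paths, (original, original, bytes(altered))):
            with open(paths[name], "wb") as f:
                f.write(data)
        return (verify_clone(paths["source.img"], paths["good.img"]),
                verify_clone(paths["source.img"], paths["bad.img"]))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The one-bit change in the constructed clone produces a completely different digest, and the block index narrows down where the copy diverged from the source.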
In rare cases, such as in live acquisition on a running machine, using a write blocker is not possible. These investigations require special care and consideration. Spindletop Investigations will discuss all special circumstances with you in advance of proceeding with any investigation.