Forensic write blockers are used when trying to obtain information from a drive without damaging the data on that drive. They act like a filter that allows data to be read but blocks write commands from getting through, since any write would put the information on the drive at risk.
Forensic write blockers can either block all write commands or be designed to filter only certain write commands. In the second case the blocker is fed a list of commands that should be blocked, and it lets every other command through except those contained in the list. Alternatively, write blockers can be used to slow down the speed at which data is read. Some drives have a kind of protection that prevents reading at high speed; the blocker slows down the rate at which the disks are read, which makes them easier to read. This is important when carrying out forensics on certain machines.
Forensic write blockers come in hardware and software form. Hardware write blockers and software write blockers do the same job but differ in where they are installed.
A hardware write blocker is a device built around a chip that contains the blocking software, while a software write blocker is installed on the forensic workstation itself.
In essence, when it comes to forensic investigations, write blockers are essential for preserving the data or information on a disk, which is the evidence being collected. Operating systems often write to any hard drive that is connected to them, and this can very easily alter important facts such as the time at which a document was accessed or modified. Viruses and malware can also alter data, but when a write blocker is used, the write commands that would accompany such access are blocked, leaving the information in its original state.
In court, lawyers can argue that information may have been altered during an investigation. By attaching a forensic write blocker, forensic experts such as Cellebrite and Data Analyzers ensure that they preserve the device and its data in a state that shows it has not been contaminated, so the evidence produced by the forensic analysis can be trusted.
In general, a forensic write blocker will do the following:
– Block any changes from being made to the drive, thus preventing contamination of the evidence
– Make all information on the drive readable and accessible, but as read-only
– Allow normal operations on a drive that is not protected.
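The three behaviours above, together with the "block everything" versus "block a list of commands" distinction from earlier, can be modelled in a few lines. The following Python is an added example written for this page, not code from any write blocker vendor or from the NIST specification: it simulates an evidence drive as a bytearray, puts a command filter in front of it, replays a constructed stream of host commands (including the kind of housekeeping write an operating system issues on attach), and hashes the drive before and after to prove whether the evidence survived. The command names (READ, WRITE, TRIM, SECURE_ERASE, IDENTIFY) and the serial string are constructed for the example and are not a real ATA or SCSI command set.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Everything here is a constructed model for illustration: the command names,
# the drive contents and the serial string are not a real ATA/SCSI command set.

SECTOR_SIZE = 512


@dataclass
class Command:
    name: str                     # e.g. "READ", "WRITE", "IDENTIFY"
    lba: int = 0                  # logical block address the command targets
    data: Optional[bytes] = None  # payload for modifying commands


class SimulatedDrive:
    """A stand-in for an evidence disk: a flat bytearray of sectors."""

    def __init__(self, sectors: int):
        self.storage = bytearray(sectors * SECTOR_SIZE)

    def execute(self, cmd: Command) -> Optional[bytes]:
        start = cmd.lba * SECTOR_SIZE
        end = start + SECTOR_SIZE
        if cmd.name == "IDENTIFY":
            return b"SIMDISK serial=CONSTRUCTED-0001"
        if cmd.name == "READ":
            return bytes(self.storage[start:end])
        if cmd.name == "WRITE":
            payload = (cmd.data or b"").ljust(SECTOR_SIZE, b"\x00")[:SECTOR_SIZE]
            self.storage[start:end] = payload
            return None
        if cmd.name == "TRIM":            # discards a sector: modifying, but not a "write"
            self.storage[start:end] = b"\x00" * SECTOR_SIZE
            return None
        if cmd.name == "SECURE_ERASE":    # wipes the whole device
            self.storage[:] = b"\x00" * len(self.storage)
            return None
        raise ValueError(f"unknown command {cmd.name}")

    def fingerprint(self) -> str:
        """SHA-256 of the whole drive, used to show nothing changed."""
        return hashlib.sha256(self.storage).hexdigest()


class WriteBlocker:
    """Filter sitting between the workstation and the drive.

    mode="block_all": forward only non-modifying commands (READ, IDENTIFY).
    mode="blocklist": forward everything except the names in `blocklist`.
    Blocked commands are logged so the examiner can see what the host tried.
    """

    READ_ONLY = {"READ", "IDENTIFY"}

    def __init__(self, drive: SimulatedDrive, mode: str = "block_all", blocklist=()):
        if mode not in ("block_all", "blocklist"):
            raise ValueError(f"unknown mode {mode}")
        self.drive = drive
        self.mode = mode
        self.blocklist = set(blocklist)
        self.blocked = []  # names of commands that never reached the drive

    def forward(self, cmd: Command) -> Optional[bytes]:
        if self.mode == "block_all":
            allowed = cmd.name in self.READ_ONLY
        else:
            allowed = cmd.name not in self.blocklist
        if not allowed:
            self.blocked.append(cmd.name)
            return None  # dropped; the drive is never touched
        return self.drive.execute(cmd)


def host_traffic() -> list:
    """Constructed command stream a workstation might send once a drive is attached."""
    return [
        Command("IDENTIFY"),
        Command("READ", lba=0),
        Command("WRITE", lba=0, data=b"OS updated mount count"),  # OS housekeeping write
        Command("READ", lba=1),
        Command("TRIM", lba=2),                                   # discard issued by the host
        Command("READ", lba=2),
    ]


def acquisition_session(mode: str = "block_all", blocklist=()) -> dict:
    """Seed a drive, attach it behind a blocker, replay host traffic and report
    whether the drive hash survived unchanged."""
    drive = SimulatedDrive(sectors=4)
    for lba in range(4):  # seed recognisable evidence into each sector
        sector = f"evidence-sector-{lba}".encode().ljust(SECTOR_SIZE, b"E")
        drive.storage[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE] = sector
    before = drive.fingerprint()
    blocker = WriteBlocker(drive, mode=mode, blocklist=blocklist)
    results = [blocker.forward(c) for c in host_traffic()]
    after = drive.fingerprint()
    return {
        "unchanged": before == after,
        "blocked": blocker.blocked,
        "reads": sum(1 for r in results if r is not None),
    }


if __name__ == "__main__":
    print(acquisition_session())                        # block_all: unchanged True
    print(acquisition_session("blocklist", ["WRITE"]))  # TRIM slips through: unchanged False
```

The second call shows the practical caveat of the blocklist design: a list that names only WRITE lets TRIM through, the sector is discarded, and the before/after hashes no longer match. The block-all design, which is what the NIST specification linked below describes (forward only commands known not to modify the device), does not depend on the list being complete. Hashing the drive before and after acquisition is the same check an examiner performs on a real device to document that the blocker did its job.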
Here are the official hardware write blocker specifications from the National Institute of Standards and Technology: https://www.cftt.nist.gov/HWB-v2-post-19-may-04.pdf