ELI5: What are Write Blockers?
A write blocker lets you read a hard drive without accidentally changing anything on it. It is like looking at a painting through glass — you can see everything but cannot touch it.
Definition
Write blockers are hardware devices or software tools used in digital forensics to prevent any write operations to storage media being examined, ensuring that the original evidence is not modified during acquisition or analysis. Hardware write blockers sit between the evidence drive and the forensic workstation, intercepting and blocking all write commands at the hardware level. Maintaining write protection is essential for evidence admissibility and chain of custody.
Key Details
- Hardware write blockers are preferred over software blockers for forensic validity and court admissibility
- Prevents accidental modification of evidence during disk imaging or live examination
- Without a write blocker, mounting a drive can alter timestamps, modify metadata, or trigger OS auto-run behavior
- After acquisition with a write blocker, hash verification (MD5/SHA-256) confirms image integrity
- Common hardware write blockers: Tableau (Guidance Software), UltraBlock, CRU WiebeTech
Connections
- Parent: digital-forensics — write blockers are a fundamental tool ensuring the integrity of forensic evidence
- See also: disk-imaging, hash-verification, chain-of-custody, order-of-volatility