A write blocker is a device digital forensics investigators use to gain read-only access to a computer to avoid damaging any of the data it contains. The computer may have critical data that can serve as evidence, and accessing it without a write blocker can be risky and prone to accidents resulting in data damage or loss.
At a physical crime scene, investigators wear gloves, take photos, and mark items methodically while preventing unauthorized people from entering the area. These measures prevent any piece of evidence lying around from being tampered with. Digital investigators use write blockers, also called “forensic disk controllers,” for the same reason.
Technology and the Internet have changed the way we do things, including crime investigations. Digital evidence can now be presented in court for almost all types of cases, so crime analysis and investigations often include accessing digital devices, be they the suspect’s, victim’s, or anyone involved in a case.
Preserving any data used as evidence is critical, regardless of whether the crime is physical or digital (as in cybercrime). For example, when retrieving video footage from surveillance cameras, the court and jury may not find the evidence believable if files have been tampered with. To this end, crime investigators often use write blockers.
How Are Write Blockers Used?
An investigator simply connects the write blocker to the forensics workstation, effectively write-blocking any other device used with that computer. An external, or hardware, write blocker must also be connected to a power source.
Who Invented Write Blockers?
The first hard drive write blockers were invented by Steve Bress and Mark Joseph Menz. They applied for a patent in September 2000, which was granted in November 2004. Bress and Menz cited law enforcement and crime investigation as one of the use cases of write blockers. They also mentioned the usefulness of write blockers for computer security, particularly in blocking malicious actors from making any changes to any data on a target device.
Why Are Write Blockers Used to Acquire Digital Evidence?
Operating systems (OSs), such as Windows, can make changes to a drive even when a user is only reading data. For instance, the OS may update a file’s access time, log hardware details, and create hidden folders. While these automatic write processes are helpful in a typical and crime-free setting, they could contaminate data that can be used as evidence. As a result, the evidence could appear weak and doubtful in the jury’s eyes. Worse, it could even be ruled inadmissible in court.
As such, when acquiring digital evidence, it is best to use write blockers to prevent OSs from writing to the drive. The practice also helps prevent accidental data damage or loss.
Additionally, the National Institute of Standards and Technology (NIST) has a set of rules that guides investigators when retrieving digital evidence. These guidelines include using write blockers, for which NIST has published specifications.
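A common way to confirm that nothing wrote to the source during acquisition is to hash it before and after imaging and compare both values with the hash of the image. The Python code below is an added example, not part of the original article; the function names are hypothetical, and a temporary file stands in for the evidence drive.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory use flat on large drives
RO = os.O_RDONLY | getattr(os, "O_BINARY", 0)  # never request write access


def read_blocks(path):
    """Yield the contents of a file or device node, opened read-only."""
    fd = os.open(path, RO)
    try:
        while block := os.read(fd, CHUNK):
            yield block
    finally:
        os.close(fd)


def sha256_of(path):
    digest = hashlib.sha256()
    for block in read_blocks(path):
        digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Image `source` into `image`; report whether the source stayed intact."""
    before = sha256_of(source)       # hash before imaging starts
    with open(image, "wb") as out:
        for block in read_blocks(source):
            out.write(block)
    after = sha256_of(source)        # hash again once imaging is done
    image_hash = sha256_of(image)    # re-read the image from disk
    return {
        "source_before": before,
        "source_after": after,
        "image": image_hash,
        "source_unchanged": before == after,    # False: source was written to
        "image_matches": image_hash == before,  # False: image is not faithful
    }


if __name__ == "__main__":
    # Constructed sample: a temp file stands in for the evidence drive.
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        print(acquire(src, os.path.join(tmp, "evidence.img")))
```

Opening the source read-only in the imaging tool does not stop the OS itself from writing to the drive, which is why the before and after hashes are compared rather than assumed equal.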
What Is the Difference between Hardware and Software Write Blockers?
Now that you know what a write blocker is, it is also important to understand that they are available as software and hardware devices. So what’s the difference between these two types?
Software Write Blockers
Software write blockers come in modules integrated into the forensic software to block any port’s writing capabilities. For instance, if you install a write blocker on a computer’s universal serial bus (USB) port, any device connected to it would become read-only. The speed of a software write blocker depends on the speed of the port it is blocking, so it may be limited in this sense.
Hardware Write Blockers
On the other hand, hardware write blockers are much faster, with some devices able to transfer data at 3 GB per minute. These write blockers come in small and pluggable forms, making them portable. Another consideration when using hardware write blockers is the different connectors required for specific interfaces, such as USB, Small Computer System Interface (SCSI), and others.
Knowing what a write blocker is helps us understand the intricate processes involved in crime investigations. It’s not only a matter of turning on a suspect’s computer and retrieving evidence, as normally shown in TV shows and movies.
The use of write blockers has become a standard in digital forensics, saving law enforcers and investigators headaches from doubtful or nullified evidence. These devices could be costly, but they help preserve the integrity of critical data.