CHFI & Digital Forensics Tutorial [Part 3] – Write Blocking using WinHex
Write Blocking – Definition
Write blocking is the act of ensuring that the contents of an evidence drive cannot be modified during an investigation. It allows information to be acquired from a drive without the risk of accidentally damaging the drive's contents. Write blockers do this by allowing read commands to pass while blocking write commands, hence their name. This can be done in one of two ways: with hardware or with software write blockers.
In This Tutorial
Once a disk image has been created, hashing and write blocking the image are the steps to take immediately in order to ensure the integrity of the evidence file. Write blocking tools have been written into several of the free software programs we have used or have available, including WinHex and DiskExplorer NTFS. Alternatively, it is possible to do a form of write blocking by simply changing the status of the disk image to read-only.
In this tutorial we will go through the process of creating a write blocked disk image in order to prevent changes in the course of the investigation.
*Note that once you exit WinHex, the disk image file will no longer be write protected. If you were to open the disk image file within another program, changes could be made. The write blocking provided within WinHex is only functional within WinHex itself. However, this feature is highly useful for analysis of disk image file contents within WinHex.
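The read-only alternative and the hashing step mentioned above can be combined into one check, shown here as an added Python example that is not part of the original tutorial or of WinHex. The function names and the 512-byte sample image are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash in chunks so multi-gigabyte images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def protect_image(path):
    """Record the baseline hash, then clear every write-permission bit.
    On Windows this sets the file's read-only attribute."""
    baseline = sha256_file(path)
    os.chmod(path, os.stat(path).st_mode & ~WRITE_BITS)
    return baseline

def verify_image(path, baseline):
    """True only if the image is still read-only and still hashes to baseline."""
    read_only = not (os.stat(path).st_mode & WRITE_BITS)
    return read_only and sha256_file(path) == baseline

def demo():
    # Constructed 512-byte stand-in for a disk image (not real evidence).
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\xeb\x52\x90NTFS    " + bytes(499) + b"\x55\xaa")
    try:
        baseline = protect_image(path)
        intact = verify_image(path, baseline)
        # The attribute is advisory: any program can clear it and write,
        # which is why the re-hash, not the flag, proves integrity.
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        with open(path, "r+b") as f:
            f.seek(3)
            f.write(b"X")
        after_change = verify_image(path, baseline)
        return baseline, intact, after_change
    finally:
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

Record the baseline hash outside the image's own folder, and run the verification again before and after each analysis session.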