Insights Blog

Write-blocking: Not a Panacea

Anyone who has been conducting forensics for more than a day can tell you that when you make a forensic image you should be utilizing a write-blocking device such as the Tableau T8-R2 Forensic USB Bridge or others.  Physical write-blockers are needed devices in any forensicators arsenal.

Software write-blockers are just as viable as their hardware cousins; however, many people snub them because there is no “physical” disconnect.   In other words, there is nothing tangible that the user can see to rely on.  We need to realize that with the ever growing popularity of live forensic collections, neither of these methods can be used.

In a lab environment where you need to collect and image already-seized devices, write-blockers are well worth the time, effort and cost.  In fact, it’s standard operating procedure to use them.  For labs that are running Mac OS X, we recommend our write-blocking software – SoftBlock.  This is a kernel extension that loads upon boot, and does a terrific job of preventing writes to a connected device.

Many nay sayers will be quick to jump on the fact that software write-blocking is a dangerous and worthless endeavor because software is fallible.   They will further say you should use a hardware blocker in all cases because physical write-blockers are more reliable.  The latter was true many years ago when devices were different, and there existed the very really possibility of a physical disconnect occurring.  This varies with today’s reality.

I would like to point out that even hardware write-blockers use software, and all software is engineered by humans.  Humans make mistakes in developing software, even for physical write-blockers.  Such was the case recently relating to a popular device.  This is not a slight on the company that markets the device at all – in fact, I own and use several of their products. The company did a great job in identifying this problem and making it known to the community, but it emphasizes the point that a forensic practitioner should be testing and vetting all of his/her tools, all the time.  It also dispels the myth that hardware write-blockers are a panacea over software versions. As many of my friends and colleagues would say “for belts and braces,” use both.

BlackBag Team