Software write blockers

[jamiean...@gmail.com]

Hello everyone,

 

Does anyone use software write blockers in their workflow and/or have any recommendations? I'm looking into installing one on a departmental laptop for archivists to use as they go out and meet with donors, so that they can do some appraisal in the field without worrying about accidental alterations. For example, in a meeting with the donor they may have a CD or a flash drive that the archivist wants to look at before committing to accepting the files. I've searched past threads and am coming up empty. Thank you for any input.

 

Jamie

[Kam Woods]

Option for a Windows 8/10 machine: ForensicSoft SAFE Block https://www.forensicsoft.com/safeblock.php (currently $549)

Option for a Mac: BlackBagTech Softblock https://www.blackbagtech.com/software-products/softblock-7/softblock.html (currently $600 for private sector)

These are not endorsements. I do not work for or contract with either of these companies. These are simply two well-established companies. This is the BitCurator list, so I'd be remiss if I didn't just tell you "one option is to use BitCurator in a VM for free when connecting USB devices."

You don't generally need a write blocker of any sort to look at optical media. You'd have to go through some exceptionally specific steps even to rewrite CD-RW or DVD-RW.

There are many write ups (http://mykeytech.com/softwarewriteblocking2-4.pdf) and posts (http://www.forensicfocus.com/Forums/viewtopic/t=12616/) that can educate you about the possible dangers of relying on software write blocking. Even companies that produce software write blockers are careful to outline the risk space (https://www.blackbagtech.com/blog/2011/03/17/write-blocking-not-a-panacea/). NIST has done some testing that might be of interest (https://www.cftt.nist.gov/software_write_block.htm).

Finally: hardware write blockers are the standard for acquisition and analysis. If you're going to be looking mostly at USB drives (and CDs) you could save money over the software options and buy a TK8u (https://www.amazon.com/Tableau-TK8u-USB-Forensic-Bridge/dp/B00YDEM30O). Currently $424.

Hope this is useful.

Kam

--
You received this message because you are subscribed to the Google Groups "BitCurator Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcurator-users+unsubscribe@googlegroups.com.
To post to this group, send email to bitcurator-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/d30c0950-99dc-4181-8348-e0c3ba598087%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.