So, you are interested in becoming a digital forensic analyst? That is great! It is an exciting and growing field, one filled with many possibilities for the enthusiastic learner. The purpose of this article is to introduce those interested in the forensics field with one of the most important tools in their toolbox, the hardware write blocker.Any computer forensics course or book will stress that one of the most important parts of the job is preserving the state of the evidence to be examined. This begins at the seizure of said evidence and it carries all the way through to either the trial or when the evidence is finally destroyed or released. This is where the write blocker makes its entrance into the forensic framework.Once a piece of digital evidence has been identified and seized it must be examined. Now, since you are not supposed to change the original evidence, or at least keep any changes to a minimal that can be explained, there must be a way to create a forensic copy of that evidence. This copy goes by many different names and this article isn’t intended to provide a full explanation of them. Some call them bit-by-bit copies, others call them bit stream copies, it makes no difference. What you are doing is creating an exact replica or copy of the original piece of evidence.In order to perform this vital part of your job one of the tools available to you is the write blocker. These are pieces of hardware, versus software write blockers, that provide a level of protection which will allow you to access the evidence, without changing it. There are methods of write blocking via software that will be explored in a later blog.It is important to note that proper testing procedures should be followed, as these are hardware pieces and they can fail! Many an analyst has been surprised when they learned that their write blocker had failed and their evidence had become contaminated. So, take the time to test your write blockers before plunging into creating a copy of your evidence.There are many different write blockers on the market, most of which are rather expensive. If you are just entering into the field, then it is an investment you should consider making. Many companies provide their analysts with write blockers but if you are desiring to learn on your own or work on your own as a consultant then you should strongly consider purchasing one. I would note here that working as a digital forensic consultant is a good line of work, but it does require investment on your part, not only in write blockers, but also in good forensic machines and proper training.
Fig. 1. Tableau Forensic Duplicator
Above is a photograph of what is known as a forensic duplicator. This is similar to a write blocker but operates more as a straight duplicator of a hard drive. You can utilize these as a write blocker, but always remember that is not their main focus. It is very handy for taking an evidentiary hard drive and transferring it to a similar hard drive for examination. You can see them at the below listed web page.https://www2.guidancesoftware.com/products/Pages/tableau/products/duplicators.aspxA very popular write blocker is the UltraBlock USB kit format sold by Digital Intelligence. I used these write blockers during my law enforcement career and found them easy to use and reliable. They run around $300.00 and are a worthy investment if you are performing forensic imaging.http://www.digitalintelligence.com/cart/ComputerForensicsProducts/UltraBlock-USB-Write-Blocker-Kit.html$299.00
The Ultra Kit combines a variety of different write blockers into one handy Pelican case. They are purchased all at one time, are combined into one portable kit and are very reliable. These do cost more than a single write blocker, but if you purchase a kit you will get a variety of write blockers that fit many different hard drive formats. I would recommend investing in one of these if you are going to seriously enter the realm of digital forensics and want to be prepared for almost any situation that you might face.http://www.digitalintelligence.com/products/ultrakit/$1,799 - $4,399
Fig. 3 Wiebetech UltraDock
Another popular write blocker is the WieBeTech UltraDock. This is a handy sized forensic write blocker that can easily fit into a “go bag” and be taken places with you. I utilize this particular write blocker routinely and have found it to be very reliable.http://www.cru-inc.com/products/wiebetech/forensic-ultradock-v5-5/$300.00There are many, many more hardware write blockers on the market. I would encourage you to research the market, find one or several that will suit your needs and take the plunge. Granted, it is an investment, but it will definitely help you learn the tools of the trade!
