00. Software Write Blocker Concept

🔹 What is a Write Blocker?

It's a tool, either hardware-based or software-based, that prevents any attempt to add, modify, or delete data on a disk or device during forensic analysis.
In this guide, we focus on the software version.


🔧 Tools Used:

  • Software Write Blocker from: forensicsoft.com/products/safeblock

  • The program is available with a 7-day trial.

  • Some Linux forensic distributions, like SIFT, come with a built-in software write blocker.


⚙️ Steps to Use the Write Blocker Program:

  1. Download and Install:

    • Register on the website and download the software.

    • You'll be asked for a license file during installation.

    • Set a password to protect the program from unauthorized use.

  2. Launch the Program:

    • Upon launch, you'll be prompted for the password.

    • The interface will show:

      • Physical disks

      • Logical partitions (like C:\ or G:)

  3. Select Target Disk:

    • You cannot apply blocking to the system partition (like C:).

    • Choose another drive (e.g., G:) for testing.


🧪 Practical Test:

Before Activation:

  • You can copy or delete files freely from the G:\ drive.

  • You can read/write as you like.

After Activation (Enable Blocking):

  • The program may close File Explorer if it's using the disk.

  • A 🔒 icon appears next to the drive name, indicating that write protection is active.

Test:

  • Try copying a file: ❌ Not allowed

  • Try deleting a file: ❌ Not allowed

✅ Result: The disk is now completely write-protected.
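
The before/after test above can be scripted so the outcome is recorded instead of checked by hand. This is an added example, not part of the original guide or of the ForensicSoft product; `probe_write_block`, the canary file name and the throwaway test file are assumptions. It is meant for the test drive used above (e.g., G:), because on an unblocked volume it really does write and delete.

```python
import hashlib
import os
import uuid

def sha256_of(path):
    """SHA-256 hex digest of a file, or None if the file no longer exists."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None

def _write(path, flags, data):
    fd = os.open(path, flags)
    try:
        os.write(fd, data)
        os.fsync(fd)  # flush to the device so a deferred refusal surfaces here
    finally:
        os.close(fd)

def _refused(action):
    """Run one write attempt; True means the OS refused it."""
    try:
        action()
        return False
    except OSError:
        return True

def probe_write_block(root, sacrificial_file):
    """Try create / modify / delete on a TEST volume; report what was refused.
    Both parameters are hypothetical: a directory on the test drive and a
    throwaway file copied there before blocking was enabled."""
    if not os.path.isdir(root) or not os.path.isfile(sacrificial_file):
        raise FileNotFoundError("need an existing test directory and test file")
    before = sha256_of(sacrificial_file)
    canary = os.path.join(root, "wb_canary_" + uuid.uuid4().hex + ".tmp")
    new_file = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    append = os.O_WRONLY | os.O_APPEND
    report = {
        "create": _refused(lambda: _write(canary, new_file, b"canary")),
        "modify": _refused(lambda: _write(sacrificial_file, append, b"X")),
        "delete": _refused(lambda: os.remove(sacrificial_file)),
    }
    if os.path.exists(canary):  # the create got through: remove our own artifact
        _refused(lambda: os.remove(canary))
    report["unchanged"] = sha256_of(sacrificial_file) == before
    report["blocked"] = report["unchanged"] and all(
        report[op] for op in ("create", "modify", "delete"))
    return report
```

Run it once before enabling blocking and once after; only the second run should return `"blocked": True`, and the first run consumes the throwaway file.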


✅ Why Use a Write Blocker?

Benefit | Explanation
🧩 Evidence Protection | No modifications are allowed during analysis.
🦠 Malware Defense | Even if malware is present, it can't alter data.
🔒 Data Integrity | Evidence remains exactly as it was when seized.
📸 Forensic Imaging | Images created from the disk are legally trustworthy.

📌 Important Note:

Software Write Blockers are not recommended for critical cases since they are not as secure as hardware write blockers.
However, they are useful for training or low-risk scenarios.


🧭 Summary:

Item | Details
Tool Used | Software Write Blocker from ForensicSoft
Purpose | Prevent disk modification during examination
State After Activation | No copying, deleting, or editing files allowed
Ideal Use Case | Creating a forensic image or analyzing a suspect's drive