Forensic workstation pt 4 – write blockers

Forensic workstation, part 4 – write blockers

In recent weeks I have shared my experiences of building a forensic workstation, starting with the base unit, followed by additional hardware and software. This final part of the series looks at a further essential piece of hardware for your digital preservation workflow – that of the write blocker.

What is a write blocker?

A write blocker is a piece of hardware that sits between your forensic workstation and the media containing the born-digital archives you wish to access. It creates a one-way system allowing the data to be read but critically not be modified.

Why should I use a write blocker?

A write blocker can play a crucial role in establishing trust in the born-digital archives in our care.

Imagine…. being given some papers following the death (in 2015) of a leading author which includes unpublished work on a USB drive. If you simply copied the files off the drive in the usual way, the file could have a created date of 2020 and a last modified date of 2015. Surfacing this metadata, embedded within the file, as part of your discovery system could lead some researchers to question the authenticity of the file. Using a write blocker with forensic software like FTK Imager (which I will look at in more detail in a subsequent blog) would ensure that the created date would remain unchanged. 

How do I use a write blocker?

The write blocker can resemble a jumble of cables but basically consists of a power cable, drive specific adapter with power to the data source (included with the write blocker) and a USB cable out to the forensic workstation. The write blocker itself has a small screen display for key information.

Forensic write-blockers are quite a specialist piece of hardware but there are a small number of manufacturers. I have used Tableau in the past but decided to go with the CRU Forensic ComboDock. I was attracted to the CRU Wiebetech range because they have a free validation utility which allows you to verify the write blocker is working before you use it. The ComboDock also has a switch allowing you to move from write-protect (the default setting) to read-write if you wanted to read a drive in a more traditional way. 

Given the importance of the write blocker in the digital preservation workflow I decided to purchase new devices. There are a couple of UK suppliers, I went with 4Secure who had been helpful in answering a few questions I had. I bought the ComboDock v5.5 (£250) to work with either IDE or SATA hard drives and the Media WriteBlocker (£165) to work with USB devices and a range of portable media cards.

Do I need to use a write blocker for all media?

Some media formats have built-in write protection functionality;

  • 3.5″ floppy disk – sliding the tab to reveal the hole makes the disk write protected
  • zip drives – the Iomega tools software lets you send a message to the drive to protect the disk
  • CD-R and DVD-R – once the data has been burnt onto the disk it becomes read-only
  • SD cards with a notched corner – slide the tab down to make it write protected

Software write blockers

My experiences to date have been with hardware write blockers but I am intrigued by the software solution, I took advantage of SafeBlock software offering a 7 day free trial. I soon discovered, when it stopped me downloading the user guide, that all drives are blocked by default. The software has a simple interface allowing you to easily block (or unblock) drives. You can open a file from a protected drive but the software does prevent you from saving to the drive – displaying a prompt that the drive is either full, write-protected or damaged (it can’t distinguish which).

Having only previously used hardware write blockers before, the software blocker does take some getting used to. One advantage is that it will work with all types of drive, so whilst the software is £450 to purchase this is comparable to purchasing multiple write blockers.

Costs (revisited)

  1. base unit, including monitor, keyboard and mouse £230
  2. three hard drives for testing £19 [optional]
  3. USB hard drive adapter £26 [optional]
  4. USB Zip250 drive including some PC and Mac disks £27 [optional]
  5. three 3.5″ floppy disk drives £26 [optional]
  6. software titles including LibreOffice, Audacity, Handbrake FREE
  7. digital preservation software including DROID, FTK Imager FREE
  8. CRU Wiebetech Forensic ComboDock v5.5 £250
  9. CRU Wiebetech Media WriteBlocker £165
  10. SafeBlock software write blocker £450 [an alternative option to 8 & 9 above]

The total spent is about £765 (including postage etc) but I have a forensic workstation with the capacity to read and safely extract born-digital archives from computer and laptop hard drives and portable media from USB devices aswell as floppy disks, zip drives and SD cards.

I have produced a 2 page summary (300kb PDF) of the hardware options my forensic workstation (including the additional hardware and write blockers) supports as things currently stand.

If you have made it to here – thank you!  In the following weeks I will be returning taking a more detailed hands-on look at some of the free software that is used by the digital preservation community.

Leave a Reply

Your email address will not be published. Required fields are marked *