What vendors would you recommend for software write-blockers?

In a forensics investigation, a software write-blocker can be very helpful. But which vendors offer the best blockers? Security management expert Mike Rothman explains what to look for.

We are currently evaluating the use of software write-blockers. What vendors would you recommend in this space and what should we look for?
A software write-blocker is used in forensics investigations to stop the writing of new data to the drive in question. That drive could be a traditional disk drive or a USB/flash memory drive. This is important due to chain-of-custody and evidence-admissibility requirements. A computer forensics investigator must be able to prove that the disk was not tampered with once the investigation began, in order to ensure the legitimacy of the data gathered during the investigation.

In terms of vendors, it all depends on what tasks need to be accomplished. Obviously, the software should not only block writing to disk, but it also would be helpful to be able to pull the results of the tool into a case management system (like Guidance Software Inc.'s EnCase product line). It's also important that the vendor be able to point to where the tool has been used successfully in legal proceedings, since admissibility is usually a matter of precedent.

A few open source options are starting to appear (search Google for "software write-blockers" to get the latest list), and there are a few utilities like PDBLOCK and RCMP HDL available. NIST is starting to do detailed evaluations of these tools, as well as of hardware write-blockers, which might also be helpful.

More information:

  • Make life easier for forensics investigators: Learn to employ a forensics mindset.
  • Read more about investigating hacker activities with the Windows registry.

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing