In terms of vendors, it all depends on what tasks need to be accomplished. Obviously, the software should not only block writing to disk, but it also would be helpful to be able to pull the results of the tool into a case management system (like Guidance Software Inc.'s EnCase product line). It's also important that the vendor be able to point to where the tool has been used successfully in legal proceedings, since admissibility is usually a matter of precedent.
A few open source options are starting to appear (search Google for "software write-blockers" to get the latest list), and there are a few utilities like PDBLOCK and RCMP HDL available. NIST is starting to do detailed evaluations of these tools, as well as of hardware write-blockers, which might also be helpful.
- Make life easier for forensics investigators: Learn to employ a forensics mindset.
- Read more about investigating hacker activities with the Windows registry.
Dig Deeper on Security operations and management
Related Q&A from Mike Rothman
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them ... Continue Reading
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading