Call:   (888) 458-3222


What is a Write Blocker?


The central requirement of a sound forensic examination of digital evidence is that the original evidence must not be modified, i.e., the examination or capture of digital data from the hard disks of a seized computer must be performed so that the disk contents are not changed. The examiner follows a set of procedures designed to prevent the execution of any program that might modify the disk contents. These procedures involve a layered defense against any modifications to the source disk using the following strategies:


• Where possible, set a hardware jumper to make the disk read only.

• Use an operating system and other software that are trusted not to write to the disk unless given explicit instructions.

• Use a hard disk write block tool to intercept any inadvertent disk writes


The informal hard disk write block tool requirements are the following as defined by NIST:


• The tool shall not allow a protected disk to be changed.

• The tool shall not prevent obtaining any information from or about any disk.

• The tool shall not prevent any changes to a disk that is not protected.


The above take from the National Institute of Standards and Technology - Write Block Tool Specification.






Back to FAQ

Next Question: What is an Info 2 Record?


Center for Computer Forensics

21800 Melrose Ave

Suite 1

Southfield, MI 48075

This website is not intended to provide legal or professional advice. The site is merely a starting point to learn about the topics listed. While we attempt to maintain current, complete and accurate information we accept no responsibility for errors or omissions.