Q

What vendors would you recommend for software write-blockers?

In a forensics investigation, a software write-blocker can be very helpful. But which vendors offer the best blockers? Security management expert Mike Rothman explains what to look for.

We are currently evaluating the use of software write-blockers. What vendors would you recommend in this space and what should we look for?
A software write-blocker is used in forensics investigations to stop the writing of new data to the drive in question. That drive could be a traditional disk drive or a USB/flash memory drive. This is important due to chain-of-custody and evidence-admissibility requirements. A computer forensics investigator must be able to prove that the disk was not tampered with once the investigation began, in order to ensure the legitimacy of the data gathered during the investigation.

In terms of vendors, it all depends on what tasks need to be accomplished. Obviously, the software should not only

block writing to disk, but it also would be helpful to be able to pull the results of the tool into a case management system (like Guidance Software Inc.'s EnCase product line). It's also important that the vendor be able to point to where the tool has been used successfully in legal proceedings, since admissibility is usually a matter of precedent.

A few open source options are starting to appear (search Google for "software write-blockers" to get the latest list), and there are a few utilities like PDBLOCK and RCMP HDL available. NIST is starting to do detailed evaluations of these tools, as well as of hardware write-blockers, which might also be helpful.

More information:

This was first published in August 2008

Dig deeper on Information Security Laws, Investigations and Ethics

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close