In terms of vendors, it all depends on what tasks need to be accomplished. Obviously, the software should not only block writing to disk, but it also would be helpful to be able to pull the results of the tool into a case management system (like Guidance Software Inc.'s EnCase product line). It's also important that the vendor be able to point to where the tool has been used successfully in legal proceedings, since admissibility is usually a matter of precedent.
A few open source options are starting to appear (search Google for "software write-blockers" to get the latest list), and there are a few utilities like PDBLOCK and RCMP HDL available. NIST is starting to do detailed evaluations of these tools, as well as of hardware write-blockers, which might also be helpful.
Dig Deeper on Information security laws, investigations and ethics
Related Q&A from Mike Rothman
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ... Continue Reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.