writeblocking

Writeblocking, in digital forensics, is the practice of preventing writes to a storage device during acquisition to preserve evidence integrity. A write blocker is an intermediary device that sits between the evidence drive and the acquisition workstation; it allows read access to the drive while blocking write commands from the host, ensuring the original data remains unaltered. This is essential for maintaining chain of custody and the evidentiary admissibility of digital evidence.

There are hardware and software approaches. Hardware write blockers are dedicated devices compatible with interfaces such

Usage typically involves connecting the evidence drive to the write blocker, then connecting the blocker to

Limitations include possible bypasses on some devices, potential misconfiguration, and the fact that some hardware or