Forensics & IR
Write Blocker
Also known as: Forensic write blocker, Read-only bridge
Definition
A hardware or software tool that permits read access to a storage device while preventing any write operations that could alter evidence.
Examples
- A Tableau T8u USB 3.0 hardware write blocker used while imaging a suspect external drive.
- A Linux examination workstation configured with udev rules and blockdev to prevent accidental writes.
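
The Linux workstation setup in the second example can be checked before imaging with a script like the one below. This is an added example, not part of the original glossary entry: the udev rule in the comments, its file name, the blockdev path and the SYSFS_ROOT parameter are assumptions, and the sysfs tree it runs against is constructed so it works offline.

```shell
#!/bin/sh
# Added example: confirm the kernel read-only flag is set before imaging.
# Matching udev rule (constructed; rules file name and blockdev path are assumed):
#   /etc/udev/rules.d/01-forensic-readonly.rules
#   ACTION=="add|change", SUBSYSTEM=="block", KERNEL=="sd*", RUN+="/sbin/blockdev --setro /dev/%k"

# is_read_only DEV [SYSFS_ROOT]
# 0 = disk and all partitions report ro=1, 1 = something is writable,
# 2 = device not found (fail closed). SYSFS_ROOT defaults to /sys.
is_read_only() {
    dev=$1
    base="${2:-/sys}/block/$dev"
    [ -r "$base/ro" ] || return 2
    for node in "$base" "$base/$dev"*; do
        [ -d "$node" ] || continue
        [ -r "$node/ro" ] || return 2
        [ "$(cat "$node/ro")" = "1" ] || return 1
    done
    return 0
}

# make_sample_sysfs: build a constructed sysfs-like tree for an offline demo.
# sdb is fully read-only; sdc has a partition that is still writable.
make_sample_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/block/sdb/sdb1" "$root/block/sdc/sdc1"
    echo 1 > "$root/block/sdb/ro"; echo 1 > "$root/block/sdb/sdb1/ro"
    echo 1 > "$root/block/sdc/ro"; echo 0 > "$root/block/sdc/sdc1/ro"
    echo "$root"
}

# Demo: sdb passes, sdc fails on its partition, sdz does not exist.
demo_root=$(make_sample_sysfs)
for d in sdb sdc sdz; do
    if is_read_only "$d" "$demo_root"; then
        echo "$d: read-only, safe to image"
    else
        echo "$d: NOT verified read-only, do not start imaging"
    fi
done
rm -rf "$demo_root"
```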
Related terms
Forensic Imaging
Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
Evidence Acquisition
Chain of Custody
The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
Disk Forensics
The analysis of non-volatile storage media — HDDs, SSDs, USB drives — to recover, examine, and interpret file-system, application, and operating-system artefacts.
Preservation of Evidence
Digital Forensics
The scientific discipline of identifying, preserving, analysing, and reporting on digital evidence from computers, networks, and devices in a legally defensible way.