Write Blocker
What is Write Blocker?
Write Blocker: A hardware or software tool that permits read access to a storage device while preventing any write operations that could alter evidence.
Write blockers are core to forensic evidence acquisition: they ensure the source disk, USB drive, or memory card remains bit-for-bit identical during imaging. Hardware blockers (from vendors such as Tableau, WiebeTech, and CRU) sit inline between the suspect drive and the examiner workstation, exposing read-only protocol interfaces and often interpreting SATA, NVMe, USB, SAS, or M.2 connections. Software blockers (such as Linux blockdev settings, USBWriteBlocker, or registry-controlled Windows policies) achieve similar protection on the workstation itself. NIST's Computer Forensics Tool Testing (CFTT) program publishes test results validating tool behaviour. Using a write blocker is required practice under ISO/IEC 27037 to preserve evidentiary integrity.
● Examples
- 01 A Tableau T8u USB 3.0 hardware write blocker used while imaging a suspect external drive.
- 02 A Linux examination workstation configured with udev rules and blockdev to prevent accidental writes.
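A guard for the Linux software approach described above, as an added example that is not from the original page or any vendor tool: it refuses to image unless the kernel's read-only flag is set for the source, then hashes the source before and after imaging to show it stayed identical. The function names and the SYSFS_ROOT override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: refuse to image unless the kernel marks the source read-only,
# then prove by hashing that the source did not change while it was read.
# On a real workstation the flag is set beforehand with: blockdev --setro /dev/sdX
# SYSFS_ROOT is an illustrative override so the check can run against a
# constructed directory tree instead of the live /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Succeeds only when <SYSFS_ROOT>/class/block/<name>/ro reads 1.
is_read_only() {
    flag="$SYSFS_ROOT/class/block/$(basename "$1")/ro"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# Prints the SHA-256 hex digest of a file or device; fails if it is unreadable.
sha256_of() {
    out=$(sha256sum "$1") || return 1
    echo "${out%% *}"
}

# acquire SRC DEST: prints the verified SHA-256 on success.
# Exit codes: 2 source writable, 3 source changed, 4 image mismatch.
acquire() {
    src=$1
    dest=$2
    if ! is_read_only "$src"; then
        echo "refusing to image $src: not read-only" >&2
        return 2
    fi
    before=$(sha256_of "$src") || return 1
    dd if="$src" of="$dest" bs=1M 2>/dev/null || return 1
    after=$(sha256_of "$src") || return 1
    image=$(sha256_of "$dest") || return 1
    if [ "$before" != "$after" ]; then
        echo "source hash changed during acquisition" >&2
        return 3
    fi
    if [ "$before" != "$image" ]; then
        echo "image hash does not match source" >&2
        return 4
    fi
    echo "$before"
}

# Stand-alone use: sh acquire.sh /dev/sdX evidence.dd
if [ "$#" -eq 2 ]; then
    acquire "$1" "$2"
fi
```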
● Frequently asked questions
What is Write Blocker?
A hardware or software tool that permits read access to a storage device while preventing any write operations that could alter evidence. It belongs to the Forensics & IR category of cybersecurity.
What does Write Blocker mean?
A hardware or software tool that permits read access to a storage device while preventing any write operations that could alter evidence.
How do you defend against Write Blocker?
Defences for Write Blocker typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Write Blocker?
Common alternative names include: Forensic write blocker, Read-only bridge.