Your new manager comes to you and says that he keeps hearing about read/write blockers for forensic imaging but is not sure what they are. He is also confused because he has heard that there are two different types (software and hardware), and that there are both commercial and open source tools. He knows you just took a course in digital forensics, so he asks you to prepare a memo for him explaining all that. Being familiar with what tools the investigator used will help you. You gain credibility by asking what hardware or software tools they used, how they deployed them and why they went with a hardware or software version.

MEMORANDUM

To: [Manager]
From: [Your Name]
Date: [Date]

Subject: Explanation of read/write blockers for forensic imaging

I understand that you are curious about read/write blockers for forensic imaging and would like a comprehensive explanation regarding the different types, namely software and hardware, as well as the distinction between commercial and open source tools. This memo aims to provide you with a thorough understanding of these concepts, based on my knowledge and the tools used by investigators in our field.

1. Introduction
Forensic imaging involves creating an exact duplicate of digital media, such as hard drives and solid-state drives, for the purpose of preserving and analyzing evidence. The process must ensure that the original data remains unaltered throughout the investigation. Read/write blockers are essential components used in this process to prevent unintentional modifications to the original media during the imaging process.

2. Read/Write Blockers
Read/write blockers are devices or software that intercept data communication between the forensic imaging tool and the source media, controlling and limiting the actions that can be performed on the source media. These blockers serve two primary functions:

a. Write Blocking: A write blocker prevents any write commands from reaching the source media, ensuring that no changes or modifications can be made to the original data. This is crucial to maintain the integrity and admissibility of digital evidence.

b. Read Blocking: A read blocker allows read commands to reach the source media but does so in a controlled manner, collecting and logging information about each read action. This function aids in maintaining a proper record of access to the original data.

3. Software and Hardware Blockers
Both software and hardware-based read/write blockers are widely used in digital forensics. The choice between these two options depends on various factors, such as cost, level of expertise, and specific requirements of the investigation.

a. Software-Based Blockers: Software-based read/write blockers are programs or applications that run on a computer system and intercept data communication with the source media. They often rely on the operating system’s built-in write blocking functions or drivers to control write access. These blockers are cost-effective and easy to deploy as they can be installed on existing hardware.

b. Hardware-Based Blockers: Hardware-based blockers are standalone devices that sit between the forensic imaging tool and the source media. They usually operate at a lower level than software-based blockers and provide more robust write-blocking capabilities. Hardware-based blockers are often preferred for their reliability and independence from the host system, making them less susceptible to malware or unauthorized access.
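Whichever type of blocker is in place, the claim that the source stayed unaltered can be checked by hashing the source before and after imaging and comparing both values with the hash of the image. The sketch below is an added example, not part of the original memo or of any forensic product; the function names, the result keys and the file names `evidence.bin` and `evidence.img` are assumptions, and the "drive" is a constructed sample file.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never sit in memory


def sha256_of(path):
    """Hash a file or device node, opened strictly read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Image `source` into a new file `image` and report integrity checks."""
    before = sha256_of(source)           # baseline, recorded before imaging
    copied = hashlib.sha256()            # hash of the bytes as they are read
    fd = os.open(source, os.O_RDONLY)    # never request write access
    # Mode "xb" refuses to overwrite an existing image file.
    with os.fdopen(fd, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            copied.update(block)
            dst.write(block)
    after = sha256_of(source)            # a changed value means a write got through
    return {
        "source_sha256": before,
        "source_unchanged": before == after,
        "image_matches": sha256_of(image) == copied.hexdigest() == before,
    }


def source_still_matches(source, recorded_sha256):
    """Re-check the source later against the hash in the case notes."""
    return sha256_of(source) == recorded_sha256


if __name__ == "__main__":
    import tempfile
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "evidence.bin")  # constructed stand-in for a drive
    with open(evidence, "wb") as f:
        f.write(b"constructed sample sector data" * 4096)
    print(acquire(evidence, os.path.join(workdir, "evidence.img")))
```

A `source_unchanged` value of `False`, or a later `source_still_matches` failure, shows that something wrote to the source despite the blocker.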

4. Commercial and Open Source Tools
In the realm of read/write blockers, there are both commercial and open-source options available to digital investigators. The choice between these two types of tools often revolves around factors such as cost, support, and user preferences.

a. Commercial Tools: Commercial read/write blockers are products offered by specialized vendors in the digital forensics market. These tools are typically accompanied by technical support, regular updates, and comprehensive documentation. Commercial tools often provide a wider range of features, customizations, and integration options, but their costs may present a barrier for individuals or organizations with limited budgets.

b. Open-source Tools: Open-source read/write blockers are freely available software or hardware designs that can be modified and distributed by the user community. These tools are often developed collaboratively, allowing for customization and enhancement by forensic practitioners. Open-source tools may lack the support and extensive documentation provided by commercial counterparts, but they offer cost savings and opportunities for knowledge sharing among digital investigators.

Please let me know if you require any further information or clarification. I would be happy to provide additional insights based on the specific tools used by our investigators.

[Your Name]
