Software Blocker

If you use MS Steady State there are options to WB the USB port but keep it readable. Steady State is basically a GUI for the group policy and reg edits for admins. As it is a GUI you can have a little mental comfort in seeing the check box. Do validate, validate, validate first. I have never personally used it in a forensic environment just as an admin tool.

The only one I could find was DSi USB Write Blocker, however its does more of a blanket block and blocked everything, even mem card readers, so unlike some you can't point to specific ports. Dunno if this is a good or bad thing \

It's a good thing, working as advertised. I've used it on my laptop to image from a USB attached suspect disk to an attached e-SATA target disk, worked fine.

So it did not block the attached e-SATA target disk?

Windows has its own write block,if you are using Windows XP,here it is
Open the registry and find this
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\

under this key there should be a key called "StorageDevicePolicies"
In the right pane there is a REG_DWORD called "WriteProtect" ,double click it and change the value to 1 then all your computer's USB ports should be write protected.

There's a link to a free USB software write blocker and other free tools on this page which I put together. As with anything, use at your own risk.

http//www.forensiccontrol.com/fcresources.php

Hello, Link Not Found. Please Check. Thanks

Hello, Link Not Found. Please Check. Thanks

Well, this board is intended for digital detectives …

Via Wayback Machine
https://https://www.forensiccontrol.com/fcresources.ph p">web.archive.org/web/20101215025749/ https://www.forensiccontrol.com/fcresources.php

The "current" (since 2012) page is here
https://forensiccontrol.com/resources/free-software/
but the list is "no more", cache of the "new" pages with list, starting from
https://web.archive.org/web/20110720041602/http//forensiccontrol.com80/resources/free-software/

jaclaz

FWIW, EnCase will write block USB, IDE, SATA, etc.. (FastBloc SE) without a dongle..

Windows has its own write block,if you are using Windows XP,here it is
Open the registry and find this
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\

under this key there should be a key called "StorageDevicePolicies"
In the right pane there is a REG_DWORD called "WriteProtect" ,double click it and change the value to 1 then all your computer's USB ports should be write protected.

Actually, you need to remove any attached devices and reinsert them, then they become write protected. Same goes for when changing it back from write protected to write enabled.

A list of software write blockers here https://www.dfir.training/tools/forensic-utilities/write-blocking-software

A list of software write blockers here https://www.dfir.training/tools/forensic-utilities/write-blocking-software

The whole 'dfir' website seems to be unavailable!

Sometimes the site gets overloaded, but refreshes fairly quick. Over a million hits a month…so it gets quite a bit of traffic to stunt it once in a while