What Can Happen if Write Block is Not Enabled?

12 Posts
8 Users
0 Reactions
3,305 Views
(@justlearningforensics)
Posts: 10
Active Member
Topic starter
 

What are all the scenarios, issues, problems, or perhaps lack of problems, that can occur (or not) if write-block is not employed during a forensic onsite triage?

trying to gain an understanding of the risk imposed on the E01 - on the overall forensics - if no-write block employed

it would be good to get a basket of possible issues/outcomes that would be the result of no-write block or failed write-block
during onsite triage

I will get the ball rolling with a hypothetical

LEA enters and conducts triage
devices seized and sent to field office
resulting E01 - during expert forensic review for defense - observes timestamps consistent with some live preview on said device
- applications are launched including uTorrent
- uTorrent file is created during onsite preview
- and cloud services also register entry into their spaces from that device
- handful of thumbnails - with dimensionless data (no date, time) are observed
- search terms in windows - also dimensionless (no date, time) are observed
is there any data integrity left with the above device image?

if write-block is not enabled for short periods of time - or short failures - can the data integrity be preserved?
how important do contemporaneous reports become in lieu of write-block or failed write-block?
how critical is write-block? and without it, is the resulting forensics output utterly useless?
Do you have a case or story that was directly impacted by write-block?

thanks

 
Posted : 30/03/2020 10:59 pm
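The hypothetical above turns on timestamps that post-date the seizure. The following is an added example (not from the thread or any poster) of the kind of check a reviewing examiner can script: compare a filesystem timeline exported from the image against the triage window recorded in the contemporaneous notes and flag every event that falls inside it. The timeline rows, paths and window times are constructed sample values.

```python
"""Flag filesystem-timeline events that fall inside a documented triage window.

Added example, not from the thread. All rows and times below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    path: str
    kind: str       # created / modified / accessed
    ts: datetime    # timezone-aware UTC


def parse_ts(text: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as 2020-03-28T14:42:10Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample rows (path, kind, timestamp) as a timeline tool might export
# them from an E01. Paths, prefetch hash and times are hypothetical.
SAMPLE_ROWS = [
    ("C:/Users/j/AppData/Roaming/uTorrent/uTorrent.exe", "created", "2020-03-10T09:15:00Z"),
    ("C:/Users/j/Documents/notes.txt", "accessed", "2020-03-27T21:00:00Z"),
    ("C:/Windows/Prefetch/UTORRENT.EXE-1A2B3C4D.pf", "created", "2020-03-28T14:41:58Z"),
    ("C:/Users/j/AppData/Roaming/uTorrent/resume.dat", "modified", "2020-03-28T14:42:10Z"),
    ("C:/Users/j/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db", "modified", "2020-03-28T14:45:33Z"),
]

# Constructed triage window: first power-on to shutdown per the onsite notes (UTC).
TRIAGE_START = parse_ts("2020-03-28T14:30:00Z")
TRIAGE_END = parse_ts("2020-03-28T15:10:00Z")


def load_events(rows) -> list[Event]:
    return [Event(p, k, parse_ts(t)) for p, k, t in rows]


def events_in_window(events, start, end) -> list[Event]:
    """Events timestamped within [start, end]: candidate post-seizure changes
    that must be reconciled against the contemporaneous notes."""
    return sorted((e for e in events if start <= e.ts <= end), key=lambda e: e.ts)


def triage_report(events, start, end) -> dict:
    """Count suspect events per kind and list the affected paths in time order."""
    hits = events_in_window(events, start, end)
    by_kind: dict[str, int] = {}
    for e in hits:
        by_kind[e.kind] = by_kind.get(e.kind, 0) + 1
    return {"total": len(events), "in_window": len(hits),
            "by_kind": by_kind, "paths": [e.path for e in hits]}


if __name__ == "__main__":
    for e in events_in_window(load_events(SAMPLE_ROWS), TRIAGE_START, TRIAGE_END):
        print(f"{e.ts.isoformat()}  {e.kind:<9} {e.path}")
```

Events flagged this way are not proof of contamination on their own; the point is that without a write blocker the notes must account for each one.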
bshavers
(@bshavers)
Posts: 211
Estimable Member
 

Sometimes:
- write blocking is impossible
- write blocking is impractical

 
Posted : 31/03/2020 6:29 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

It very much depends on what triage is being used for.

We use it a lot for monitoring of registered sex offenders, who are required to make their devices available for examination.
As this is not based on any kind of intel that an offence has taken place, merely enforcing a court order (SHPO or similar), it has a different level of requirement. If it becomes relevant, it would be seized and taken as an exhibit and treated as such from that point.

If you are talking about for a warrant based on intel, then probably more stringent on the write blocking.

 
Posted : 31/03/2020 8:46 am
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

Without write-block, you are going to make some changes to the drive/device. But, it's not always possible to avoid making any changes. The goal should be to avoid making changes to the greatest extent possible. If you are working on a removable hard drive from a computer that is not currently turned on, then you should always use a write-blocker. In other situations, you may want to make some changes in order to capture the maximum amount of evidence. For example, you might load a program to capture RAM from a running computer. Or, you might be required to confirm the presence of such-and-such relevant evidence before taking the computer with you. In another circumstance, you might need to boot to a live distribution to recover data from a hard drive that is not removable.

The risk, when not using a write blocker, is that you'll change evidence in ways that hinder your investigation. For example, you might update last access timestamps or create new thumbnails by browsing pictures. You might even make a mistake and destroy evidence by accidentally deleting or overwriting a file. If you need to proceed without a write-blocker, it is important to understand what you are doing, limit your activity to what is necessary, and document each step you take so your work can be reviewed later.

 
Posted : 31/03/2020 4:21 pm
(@trewmte)
Posts: 1877
Noble Member
 

Here is a useful pdf discussion document produced in 2003/2004 about possible failure of Software Writer Blockers you might find interesting, if you haven't read it before

http://mykeytech.com/SoftwareWriteBlocking2-4.pdf

Also see Software Write Blockers thread here at Forensic Focus 2005
https://www.forensicfocus.com/Forums/viewtopic/t=559/

 
Posted : 03/04/2020 6:12 am
(@thefuf)
Posts: 262
Reputable Member
 

Here is a useful pdf discussion document produced in 2003/2004 about possible failure of Software Writer Blockers you might find interesting, if you haven't read it before

http://mykeytech.com/SoftwareWriteBlocking2-4.pdf

Also see Software Write Blockers thread here at Forensic Focus 2005
https://www.forensicfocus.com/Forums/viewtopic/t=559/

The article states

A properly designed hardware media protection device, however, allows no changes to the media even if it has a failure. You can certify a controllable device but not a dynamic system.
[…]
Given the uncontrollable nature of the systems we use, the safest and least expensive route is to use hardware media protection.

Thus, a second link to disprove that is also needed https://github.com/msuhanov/Linux-write-blocker/blob/master/research/2017-01_Write_blockers.pdf

 
Posted : 03/04/2020 10:14 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also
https://www.forensicfocus.com/Forums/viewtopic/t=11739/

jaclaz

 
Posted : 03/04/2020 10:16 am
(@justlearningforensics)
Posts: 10
Active Member
Topic starter
 

Here is a useful pdf discussion document produced in 2003/2004 about possible failure of Software Writer Blockers you might find interesting, if you haven't read it before

http://mykeytech.com/SoftwareWriteBlocking2-4.pdf

Also see Software Write Blockers thread here at Forensic Focus 2005
https://www.forensicfocus.com/Forums/viewtopic/t=559/

The article states

A properly designed hardware media protection device, however, allows no changes to the media even if it has a failure. You can certify a controllable device but not a dynamic system.
[…]
Given the uncontrollable nature of the systems we use, the safest and least expensive route is to use hardware media protection.

Thus, a second link to disprove that is also needed https://github.com/msuhanov/Linux-write-blocker/blob/master/research/2017-01_Write_blockers.pdf

GOOD RESOURCES AND LINKS TO PDF HERE - #HANDSHAKE!

 
Posted : 05/04/2020 12:44 am
 CCFI
(@ccfi)
Posts: 18
Active Member
 

A write blocker (hardware or software) can give you a completely false sense of security and will not work in all cases.

I have recently examined and downloaded the data records from a password protected bank card skimmer for a Police unit.

They had a go at examining it and tried to download the data using a USB cable, the download program that came with it, and the default access password of "0000" and they discovered that the password had been changed so they could not access the bank card data in it.

When they brought it to me to crack the password they said that they had used a USB write blocker to protect it when they attempted to examine it.

Now, think about that.

In order to download data from a USB connected device such as a skimmer you need to send it a command and it needs to give you a response.

If your write blocker was working as you thought it was, the command you send it would not be received by the device and it obviously would not give you a response.

Write blockers don't work as a "one device solves all" protection and using a write blocker gave no protection in this case.

And when you send a USB device like a skimmer a "D" for "Download" how do you know that the skimmer does not see "D" as the command to "Delete"?

Do not rely on a write blocker in all cases.

 
Posted : 05/04/2020 10:06 pm
(@justlearningforensics)
Posts: 10
Active Member
Topic starter
 

Without write-block, you are going to make some changes to the drive/device. But, it's not always possible to avoid making any changes. The goal should be to avoid making changes to the greatest extent possible. If you are working on a removable hard drive from a computer that is not currently turned on, then you should always use a write-blocker. In other situations, you may want to make some changes in order to capture the maximum amount of evidence. For example, you might load a program to capture RAM from a running computer. Or, you might be required to confirm the presence of such-and-such relevant evidence before taking the computer with you. In another circumstance, you might need to boot to a live distribution to recover data from a hard drive that is not removable.

The risk, when not using a write blocker, is that you'll change evidence in ways that hinder your investigation. For example, you might update last access timestamps or create new thumbnails by browsing pictures. You might even make a mistake and destroy evidence by accidentally deleting or overwriting a file. If you need to proceed without a write-blocker, it is important to understand what you are doing, limit your activity to what is necessary, and document each step you take so your work can be reviewed later.

does the write-block also kill internet connections? what happens to internet connections and data transfers as write-block is engaged/started/initiated on the machine?

 
Posted : 16/04/2020 1:50 am
Page 1 / 2