Does the write-block also kill internet connections? What happens to internet connections and data transfers as write-block is engaged/started/initiated on the machine?
With a hardware write-blocker, you don't use it on a running machine. You remove the hard drive while the machine is off and connect it to the write blocker.
With software write-blockers, you are generally booting the computer from a USB drive that contains the forensic software you want to use. For example, if I wanted to image a Windows laptop without removing the hard drive (or where it wasn't removable), I could boot to a USB drive that contains a Linux distribution and mount the laptop's hard drive in read-only mode; the copy of Windows that is stored on the hard drive would not be running.
There are triage/incident response tools that run on live systems. These tools *may* limit the changes they make to the system (e.g. by accessing files through a driver to avoid modifying timestamps) but the system is still running and making other changes. Some tools that are meant for security incident response may allow you to quarantine a machine to block all incoming/outgoing network traffic other than what is needed to run the tool; the purpose of this is to prevent a hacker from continuing to make changes and reach other machines on the network while you investigate.
The question "How critical is Write-Block during onsite triage?" needs qualifiers to answer accurately.
Every scenario is independent from another. What is 'critical' in one scenario may not be in another. Case objectives, device configurations, and conditions onsite affect the decision-making of whether to write block or not, and if you can write block at all.
–Is the computer off?
—–Then you can "triage" in a write-protected mode using a forensically sound boot OS (Linux or Windows). Decryption key needed if the device is encrypted or else you won't have access to the data.
—–Or if the drive is accessible to a physical write protect device, triage via a forensic workstation with the drive attached through a hardware write blocker. You'll still need the key if the drive is encrypted.
–Is the computer on?
—–Do you need the RAM? You can't write protect if you do.
—–Is it encrypted and you don't have the key? You'll have to image while it's running (live) without write protection.
—–Is someone's life or limb at risk and you need intel now? Best to get the intel and not worry about write protection.
There is a sliding scale of what is reasonable as it relates to write protecting evidence. On one hand, if a storage device is easily accessible (removable as an example), not encrypted (or you have the decryption key), and time is not of the essence, then write blocking the drive to triage is probably most reasonable. However, if you are onsite of a child that has been lured away, and the computer is running, I would hope you would not even consider write blocking the device, since that would mean (1) shutting it down, (2) losing RAM, and most importantly, (3) wasting valuable and potentially life-saving time.
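An added example, not part of any reply above: when a drive is triaged from a separately booted Linux with a read-only mount, as the replies describe, this check confirms the write protection actually holds before you touch the evidence. The function names, the `SYSFS` and `MOUNTS` overrides, and the sample device names and mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether an evidence disk is really write-protected.
# SYSFS and MOUNTS are hypothetical overrides so the check can run on the
# constructed sample at the bottom instead of the live kernel views.
SYSFS=${SYSFS:-/sys/class/block}
MOUNTS=${MOUNTS:-/proc/mounts}

# Kernel read-only flag (what `blockdev --setro` sets): 1 = writes refused.
kernel_ro() {
    [ "$(cat "$SYSFS/$1/ro" 2>/dev/null)" = "1" ]
}

# Print one finding per mounted filesystem on disk $1 that may still write.
mount_findings() {
    while read -r src mnt fstype opts rest; do
        case "$src" in "/dev/$1"*) ;; *) continue ;; esac
        case ",$opts," in
            *,ro,*) ;;
            *) echo "$src on $mnt: mounted read-write"; continue ;;
        esac
        # A read-only ext3/ext4 mount may still replay the journal unless
        # noload (alias norecovery) is given.
        case "$fstype" in ext3|ext4)
            case ",$opts," in
                *,noload,*|*,norecovery,*) ;;
                *) echo "$src on $mnt: ro without noload" ;;
            esac ;;
        esac
    done < "$MOUNTS"
}

# Succeeds only if the kernel flag is set and no mount is risky.
audit_disk() {
    kernel_ro "$1" || { echo "/dev/$1: kernel ro flag not set"; return 1; }
    findings=$(mount_findings "$1")
    [ -z "$findings" ] || { echo "$findings"; return 1; }
}

# Constructed sample: sdb is flagged read-only, but one mount is risky.
demo=$(mktemp -d)
mkdir -p "$demo/sdb" && echo 1 > "$demo/sdb/ro"
cat > "$demo/mounts" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/evidence vfat ro,relatime 0 0
/dev/sdb2 /mnt/evidence2 ext4 ro,relatime 0 0
EOF
SYSFS=$demo MOUNTS=$demo/mounts
audit_disk sdb || echo "not safe to triage yet"
```

On a real boot environment, leave `SYSFS` and `MOUNTS` at their defaults and pass the evidence disk's kernel name.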