I was talkinf to a friend, he is an advocate but is also a great computer expert. He says, that he don't want to use writeblocker. To expensive. he prefer to use windows, manipulate the registry, and aquire USB cell to cell.
Which is your opinion, I use Writeblocker Wiebetech.
best regards
A physical write blocker can be seen. A software one really need checking every time to make sure it is still blocking.
I tried a software one once, and it also blocked the USB drive I wanted to copy files to. I bought a Tableau.
I did the same, I bought a wiebetech lol
Always use a hardware write blocker. It is a must. Software write blockers are not reliable. It is not worth risking.
I agree. Software write blockers are less reliable than hardware ones. You never know when an update to Windows or a particular software could cause the registry tweak to not work properly.
While I have the tweak on my laptops just in case, I always use a physical writeblocker. My vote goes to Tableau )
In Windows I would always use a write blocker, but I do acquire using Linux distributions without a write blocker.
In Windows I would always use a write blocker, but I do acquire using Linux distributions without a write blocker.
I second this.
Sometimes you may not be able to use a write blocker. Keeping the option open is best practice, whereas if you make it a policy to "always use a write blocker", you've have painted yourself in a corner at some point.
One instance in which you can't use a write blocker is a live acquisition (due to encryption or machines you can't shut down for some reason. Other times, perhaps you are only triaging/previewing a massive amount of computers for specific and direct evidence.
Live forensic boot systems don't require write blockers (although I'm sure you can use a write blocker too), and are considered as valid evidence as acquired using a hardware write blocker.
But I do agree, a hardware write blocker is safer to prevent operator error of evidence modification, but still cannot be considered 100% protection to the evidence drive as can be seen in failures of at least one popular hardware writing blocking device.
………..if you make it a policy to "always use a write blocker", you've have painted yourself in a corner at some point.
Painted into a corner implies no wiggle room. Whereas in reality if the policy is always to use hardware write-blockers and you find yourself in a situation where you can't or don't want to use one, as long as you can justify it and then document it, IMO you're OK.
Cheers
In Windows I would always use a write blocker, but I do acquire using Linux distributions without a write blocker.
Thirded! Also the acquisition speed of a hard drive through a USB3 Sata dock is about 3 times the speed of acquisition through a writeblocker.