The Association of Digital Forensics, Security and Law (ADFSL)


Best practices in digital forensics demand the use of write-blockers when creating forensic images of digital media, and this has been a core tenet of computer forensics training for decades. The practice is so ingrained that the integrity of images created without a write-blocker are immediately suspect. This paper describes a research framework that compares forensic images acquired with and without utilizing write-blockers in order to understand the extent of the differences, if any, in the resultant forensic copies. We specifically address whether differences are superficial or evidentiary, and we discuss the impact of admitting evidence acquired without write blocking. The experiments compare the changes made to a hard drive and flash drive when imaged and examined with a Windows-based forensics workstation.


Carlton, G.H. (2007). A Protocol for the Forensic Data Acquisition of Personal Computer Workstations. UMI 3251043. Ann Arbor, MI, ProQuest.

Federal Rules of Evidence (FRE). (2013, December 1). The Committee of the Judiciary, House of Representatives. Washington, D.C.: U.S. Government Printing Office. Retrieved from http://judiciary.house.gov/?a=Files.Serve &File_id=5334E54F-12CC-44B1-A0BC- 697E8E29BD15

Forensic Focus. (2010, May 11). Connecting a USB device without a write-blocker. Discussion thread. Retrieved from http://www.forensicfocus.com/Forums/vie wtopic/t=5809/

Henry, P. (2009, September 12). Best Practices in Digital Evidence Collection. SANS DFIR. Retrieved from http://digitalforensics.sans.org/blog/2009/09/12/bestpractices-in-digital-evidence-collection/

Lyle, J. (2012, November 30). Computer Forensics Tool Testing. In Forensics@NIST 2012. Retrieved from http://www.nist.gov/oles/upload/5- Lyle_James-CFTT.pdf

National Institute of Standards and Technology (NIST). (2001, November 7). General Test Methodology for Computer Forensics Tools, version 1.9. U.S. Department of Commerce. Retrieved from http://www.cftt.nist.gov/Test Methodology 7.doc

National Institute of Standards and Technology (NIST). (2003, September 1). Software Write Block Tool Specification & Test Plan, version 3.0. U.S. Department of Commerce. Retrieved from http://www.cftt.nist.gov/SWB-STPV3_1a.pdf

National Institute of Standards and Technology (NIST). (2004, May 19). Hardware Write Blocker Device (HWB) Specification, version 2.0. U.S. Department of Commerce. Retrieved from http://www.cftt.nist.gov/HWB-v2-post- 19-may-04.pdf

National Institute of Standards and Technology (NIST). (2005, March 21). Hardware Write Blocker (HWB) Assertions and Test Plan, draft 1 of version 1.0. U.S. Department of Commerce. Retrieved from http://www.cftt.nist.gov/HWB-ATP- 19.pdf

Nelson, B., Phillips, A., & Steuart, C. (2009). Guide to Computer Forensics and Investigations, 4th ed. Boston: Course Technology.

Scientific Working Group on Digital Evidence (SWGDE). (2013, September 14). Best Practices for Computer Forensics, version 3.0. Retrieved from https://swgde.org/documents/Current Documents/2013-09-14 SWGDE Best Practices for Computer Forensics V3-0

U.S. v. Labuda. (2012, April 11). Case #2:10- 20066, U.S. District Court (TN-W). Retrieved from http://infosecusa.com/cases/us-v-labuda




To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.