What is a write blocker and when should it be used?

Enhance your readiness for the Cengage Computer Forensics Test. Dive into flashcards and multi-choice quizzes with helpful hints and detailed explanations to boost your preparation efforts. Gear up for success!

Multiple Choice

What is a write blocker and when should it be used?

Explanation:
A write blocker is a device or tool that prevents writes to the original media during data acquisition to preserve evidence integrity. It sits between the suspect drive and the imaging system, intercepting or blocking any write commands so the drive can be read without being modified. This is essential because actions by the host system or the drive itself can change data, metadata, or timestamps, potentially tainting the evidence or breaking the chain of custody. By using a write blocker, you can produce a bit-for-bit image of the original media while leaving the source unaltered, which is critical for a defensible forensic process. Hardware write blockers are typically preferred for reliability since they physically stop writes. Software options exist, but they rely on the operating system and can be more easily bypassed if misconfigured. Use a write blocker whenever acquiring data from original media, especially in investigations where maintaining the exact state of the evidence is crucial. The other options describe functions unrelated to protecting the original drive: monitoring drive health, automatically deleting files, or converting data formats.

