Digital Forensics Tutorial [Part 3] – Write Blocking using Winhex

Digital Forensics Course

By : Bijay Acharya / studentvideotutorial
Write Blocking – Definition

Write blocking is the act of ensuring that the contents of an evidence drive cannot be modified during the scope of an investigation. It allows acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. Write blockers do this by allowing read commands to pass but by blocking write commands, hence their name. This can be done one of two ways: with either hardware or software write blockers.

In This Tutorial

Once a disk image has been created, hashing and write blocking the image are the immediately pivotal steps to be taken in order to ensure the integrity of the evidence file. Write blocking tools have been written into several of the free software programs we have used or have available, including WinHexand DiskExplorer NTFS. Alternatively, it is possible to do a form of write blocking by simply changing the
status of the disk image to read-only.

In this tutorial we will go through the process of creating a write blocked disk image in order to prevent changes in the course of the investigation.

· Write block a disk image file using WinHex
· Write block a disk image file using file properties and read-only.

1) Open image file we created in Winhex as shown in image below.
image src : winhex free version screenshot
2) go to options and then to Edit Mode. Screen like below will appear.
3) Select ‘Read only mode’ and click OK. 
Well, this was it. 
In any confusion, please refer video demo of this article here >

Leave a Reply

Your email address will not be published.