Best practices require that when creating a forensic image of a computer, or other digital media used with a computer, a write-blocking device should be used.  Typically, practitioners turn to hardware write-blocking devices such as a  Tableau Forensic Bridge or others.  The common belief is that a physical hardware write-blocker is required for evidence acquisition.

What is not commonly recognized is that software write-blockers are just as viable as their hardware cousins.  Part of this can be attributed to the common saying, “seeing is believing.”  A hardware write blocker is a physical thing; it has lights indicating it is working and you physically connect it to the devices you want to image.

The ever-growing importance of live forensic collections negates the immediate use of any type of write-blocking.  What used to be a firm maxim which said, “change nothing,” has been left behind in favor of a live collection of volatile data. 

After the collection of volatile data, imaging the entire device, using write-blocking to preserve the evidence is crucial.  Whether imaging in a laboratory environment, where write-blockers are the standard operating procedure or in the field, a method must be employed to prevent changes to the data on the media.

Cellebrite offers a unique solution for labs that are running macOS systems; the write-blocking software “SoftBlock.”  SoftBlock is a kernel extension that loads upon boot and does a terrific job of preventing write to a connected device.

There are those who are firmly against software write-blocking, insisting it is a dangerous and worthless endeavor because the software is fallible.  They will further argue that hardware write-blockers should be used in all cases because physical write-blockers are more reliable and while that may have been true many years ago when devices were different.

What you should understand is that even hardware write-blockers contain internal software, and all software is engineered by humans.  Humans make mistakes in developing software, even for physical write-blockers.  This has occurred with hardware write-blockers in the past. 

When the problem was identified, the company made it known to the community and resolved the issue.  The point being, regardless of whether you are using hardware or software write-blocking, every forensic practitioner should be testing the tools they use.

Every time you connect a device for imaging, you must rely on the tools you have available. Having a software write-blocker in your arsenal provides amazing additional flexibility.   No matter what type of device you connect to your macOS forensic workstation, SoftBlock identifies the newly attached device and mounts it “read-only” or “read-write” permissions according to user preferences. 

Whether you attach a device with NTFS, which macOS does not natively write to, or a T2 Apple system, SoftBlock permits you to mount the device as read-only.  Combine the read-only mounting of SoftBlock with the imaging capabilities of Digital Collector, you can collect data from any macOS computer.  External drives, thumb drives, and other media can be connected directly to your macOS forensic workstation for imaging.

There are many ways to approach the same problem.  Hardware write-blockers and software write-blockers solve the same problem but in different ways.  Having the ability to write-block is essential during the data collection process. How you accomplish that is up to you.  

There are advantages to not carrying around additional devices when you can accomplish the same functionality with a software solution.  SoftBlock provides that software solution for your macOS forensic workstation.

Share this post