What Is Write Blocking? Protecting Source Media in Digital Forensics

Figure: Write blocking concept, showing reads allowed and writes blocked to source media.

Introduction

In digital forensics there is a rule that comes before every other rule: do not change the evidence. Yet the moment you plug a hard drive, memory card or phone into a running computer, the operating system may quietly write to it — updating access times, replaying journals, mounting volumes — all before a human has touched a single file. Write blocking is the safeguard that stops this from happening. It is the first line of defence in any sound acquisition, and understanding it is essential for auditors, investigators, police and anyone who must later prove that a copied file is exactly what it claims to be. This article explains what write blocking is, why it matters, how hardware and software approaches differ, and how it works hand in hand with hashing to deliver defensible evidence.

What Write Blocking Actually Is

A write blocker is a control — implemented either in hardware or in software — that sits between your examination workstation and the source media. Its job is simple to state and powerful in effect: it allows read commands to pass through, so the data can be copied and analysed, but it intercepts and blocks any write command before it can reach the original device. The source drive, card or disk is therefore never modified during acquisition. Everything you do with the evidence is read-only at the level of the original, which means you can examine it as many times as you like without altering it by even a single byte.

Why It Matters

Without write blocking, simply connecting a drive can change it. Operating systems routinely update last-accessed timestamps, write recovery and journal data, and create hidden system folders the instant a volume is mounted. Each of those changes alters the source media — and once the original is altered, its metadata no longer reflects the state in which it was seized. That undermines both the integrity of the evidence and, ultimately, its admissibility: an opposing party can credibly argue that the data was modified after it left the custody of its owner. A write blocker removes that whole line of attack. The media you examined is provably the media you received, untouched. For more on why an unaltered copy is the bedrock of an investigation, see our overview of the digital forensics tool workflow.

Hardware vs Software Write Blockers

Write blocking comes in two broad forms. A hardware write blocker is a physical unit that the source media plugs into; it filters commands at the interface itself, so the host operating system simply has no path to write to the device. Because the protection lives outside the examiner's machine, it is independent of how that machine is configured, which is why many practitioners treat hardware blocking as the more robust option. A software write blocker, by contrast, is a driver or configuration on the examiner's own system that intercepts write commands before they reach the attached device. Software blocking is convenient and portable — useful in the field or when no hardware unit is to hand — but it depends on the correct setup of the host. Both approaches achieve the same goal; the right choice depends on the situation, and in every case the result should be validated, not assumed.

How It Pairs with Hashing

Write blocking and hashing are two halves of the same discipline. The standard sequence is write-block, image, then hash. First you attach the source through a write blocker so it cannot be altered. Next you create a bit-for-bit forensic image — a complete copy of the media. Finally you compute a cryptographic hash of both the source and the image and compare them. If the two hashes are identical, you have mathematical proof that the copy is exactly equal to the source and that nothing changed during acquisition. The write blocker protects the original; the hash proves the original was protected. You can produce and verify those hashes — MD5, SHA-256, SHA-512 and more — offline on your own machine with e-Dex (formerly Hash Calculator).

Limitations and Verification

A write blocker is a preventive measure, not a certificate. It stops writes, but it does not by itself document that nothing changed — and blockers can be misconfigured, firmware can have edge cases, and some media types behave unusually. This is precisely why hashing remains mandatory rather than optional. By hashing the source before and after, and hashing the resulting image, you obtain an independent, reproducible record that the write blocker actually did its job. The blocker is your seatbelt; the hash is the proof you were wearing it. Treat the two together and you have a defensible acquisition; rely on either alone and you leave a gap.
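The write-block, image, hash sequence and the before/after check described above, as an added Python example that is not e-Dex's code: it hashes a constructed temporary "source" file before imaging, makes a raw bit-for-bit copy standing in for the imaging tool, hashes the image and then the source again, and records MATCH or MISMATCH for MD5, SHA-256 and SHA-512 computed in one read pass. The file names and sizes are constructed for the demonstration.

```python
"""Write-block, image, hash: hash the source before and after imaging, hash the
image, record MATCH/MISMATCH. Added example (not e-Dex code) on constructed files."""
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-GB media
ALGORITHMS = ("md5", "sha256", "sha512")  # the digests the article names

def hash_stream(stream, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest}, feeding every hasher from one read pass
    so the evidence is read once, not once per algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, algorithms=ALGORITHMS):
    return hash_stream(io.BytesIO(data), algorithms)

def hash_path(path, algorithms=ALGORITHMS):
    """Read-only open (raw device paths work); 'rb' alone does not block OS writes."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)

def image_copy(source_path, image_path):
    """Bit-for-bit raw copy, standing in for the imaging tool."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)

def verify_acquisition(source_path, image_path, algorithms=ALGORITHMS):
    """Source-before, image and source-after must all agree. A changed
    source_after means the blocker failed; a changed image means a bad copy."""
    before = hash_path(source_path, algorithms)
    image_copy(source_path, image_path)
    image = hash_path(image_path, algorithms)
    after = hash_path(source_path, algorithms)
    verdict = {a: "MATCH" if before[a] == image[a] == after[a] else "MISMATCH"
               for a in algorithms}
    return {"source_before": before, "image": image, "source_after": after,
            "result": verdict}

def demo():
    """Constructed 3 MiB + 17 byte 'drive' (odd size exercises the last chunk)."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "source.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        return verify_acquisition(src, img)
```

Against real media, point `verify_acquisition` at the write-blocked device path and an image destination, and keep the returned report (all three digest sets and the verdicts) with the case notes.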

Frequently Asked Questions

What is write blocking in digital forensics?
Write blocking is a control, implemented in hardware or software, that sits between an investigator's workstation and the source media being examined. It allows read commands to pass through so the data can be copied, but it intercepts and blocks any write command before it can reach the source. The result is that the original drive, card or device is never modified during acquisition, which is the foundation of defensible digital forensics.

Why does write blocking matter for evidence integrity?
Modern operating systems write to a disk the moment it is connected, updating timestamps, journals and metadata before anyone opens a file. Those silent changes alter the source and can undermine the integrity and admissibility of the evidence. Write blocking prevents them, so the media you examined is provably the same media you received. Without it, an opposing party can argue the evidence was changed in handling.

What is the difference between a hardware and a software write blocker?
A hardware write blocker is a physical device that the source media plugs into; it filters commands at the interface level and the operating system never gets a direct path to write. A software write blocker is a configuration or driver on the examiner's machine that intercepts write commands before they reach the device. Hardware blockers are generally preferred for their independence from the host, while software blockers are convenient and portable. Either way, the work should be validated by hashing.

How does write blocking work together with hashing?
The standard workflow is write-block, image, then hash. You attach the source through a write blocker, create a bit-for-bit forensic image, and compute a cryptographic hash of both the source and the image. If the hashes match, you have mathematical proof that the copy is identical to the source and that nothing changed during acquisition. The write blocker protects the original; the hash proves it worked.

Is a write blocker enough on its own to prove evidence was not altered?
No. A write blocker is a preventive control, but it does not by itself document that nothing changed. Blockers can be misconfigured, and some media types have edge cases. That is why every acquisition should still be verified by hashing the source and the resulting image and recording a MATCH result. The hash is the independent, reproducible proof that the write blocker did its job.

Conclusion

Write blocking is the quiet discipline that makes digital evidence trustworthy: read everything, change nothing. Paired with a forensic image and a matching hash, it turns "we were careful" into a fact you can demonstrate — that the copy equals the source and the original was never touched. If you want to learn how to acquire and verify media the right way, read our guide on how to hash a hard drive without changing it, and explore the free, fully offline digital forensics tool from e-Dex to put it into practice on your own Windows machine.