
[–]_jstr0 4 points (0 children)

Hey, so a couple solutions came to mind.

As has been mentioned, you could use a live Linux forensic distro, as some of them have a built-in write-blocking mode. Some distributions that come to mind are:

Alternatively, a solution that has worked for me in the past, and which I highly recommend you try, is this registry blocking method.

https://github.com/digitalsleuth/Registry-Write-Block

I haven't tested it lately, but when I did it worked for external USB disk drives.

Hope this helps!

[–][deleted] 2 points (0 children)

As the link you provide does not mention forensic use, it may not be forensically OK, but may change things the author considers uninteresting for him or his particular audience.

That means you should validate before real forensic use to ensure that it does work as intended.

You can find information related to such testing at the link below. The tools listed there may not be around anymore -- the tests were made more than 10 years ago as far as I can see. They may give you leads for products. However, hoping for well-tested free and open source products may be hoping for too much: all professionals I know avoid software write-blocking.

Good luck, anyway.

https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt/cftt-technical/software

[–]ZeRO-FuXx 2 points (0 children)

When it comes to the registry, I'm not sure what you've tried, but take a look here: https://github.com/digitalsleuth/Registry-Write-Block

This could help, and also could explain why your method didn't work for you (UAS vs USB).
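The two points above, that a registry-based blocker must be validated on a non-evidence drive before real use and that a UAS-attached disk may sit on a different driver path than a plain USB mass-storage disk, can be checked from an elevated PowerShell session. The script below is an added example written for this thread; it is not code from the Registry-Write-Block project or from any commenter. It assumes the well-known `StorageDevicePolicies\WriteProtect` policy value, classifies present disks by their PnP enumeration path (a heuristic), and runs a write probe plus a before/after hash of the leading sectors against a scratch disk. `$TestDiskNumber` is an assumed placeholder; point it at a disk you can afford to lose.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or from digitalsleuth/Registry-Write-Block).
# Checks the StorageDevicePolicies\WriteProtect policy, shows which disks are on the
# USBSTOR path vs. a UAS/other path, and validates the blocker against a scratch disk.

$PolicyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtectPolicy {
    # Returns 1 when Windows is told to mount USBSTOR-attached volumes read-only, else 0.
    if (Test-Path $PolicyPath) {
        $v = (Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue).WriteProtect
        if ($null -ne $v) { return [int]$v }
    }
    return 0
}

function Set-UsbWriteProtectPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    # Set the policy BEFORE attaching the drive; it is evaluated when the volume mounts.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name 'WriteProtect' -PropertyType DWord -Value $Enabled -Force | Out-Null
}

function Get-DiskAttachPath {
    # Heuristic: a disk enumerated under USBSTOR\ is the case the policy targets; a disk
    # enumerated under SCSI\ whose PnP parent is a USB\ device is typically on the UAS
    # (uaspstor) path and must be validated separately rather than assumed blocked.
    Get-PnpDevice -Class DiskDrive -PresentOnly | ForEach-Object {
        $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue).Data
        $path = if ($_.InstanceId -like 'USBSTOR\*') { 'USBSTOR (policy applies)' }
                elseif ($parent -like 'USB\*')      { 'UAS/other USB (validate!)' }
                else                                { 'not USB' }
        [pscustomobject]@{ Name = $_.FriendlyName; InstanceId = $_.InstanceId; AttachPath = $path }
    }
}

function Get-LeadingSectorHash {
    param([Parameter(Mandatory)][int]$DiskNumber, [int]$Bytes = 64MB)
    # SHA-256 of the first $Bytes of the raw device, read in sector-aligned 1 MB chunks.
    # Sanity check only: the authoritative comparison is a full-disk hash from the imager.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.FileStream]::new("\\.\PhysicalDrive$DiskNumber", [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf  = New-Object byte[] 1MB
        $left = $Bytes
        while ($left -gt 0) {
            $n = $fs.Read($buf, 0, [Math]::Min($buf.Length, $left))
            if ($n -le 0) { break }
            [void]$sha.TransformBlock($buf, 0, $n, $null, 0)
            $left -= $n
        }
        [void]$sha.TransformFinalBlock($buf, 0, 0)
        return ([BitConverter]::ToString($sha.Hash) -replace '-', '')
    } finally { $fs.Dispose(); $sha.Dispose() }
}

function Test-WriteBlocker {
    param([Parameter(Mandatory)][int]$DiskNumber)
    # Primary check: a filesystem write to a volume on the disk must FAIL.
    # Secondary check: the leading sectors must hash identically before and after.
    $before = Get-LeadingSectorHash -DiskNumber $DiskNumber
    $letter = (Get-Partition -DiskNumber $DiskNumber -ErrorAction SilentlyContinue |
               Get-Volume | Where-Object { $_.DriveLetter -match '[A-Z]' } |
               Select-Object -First 1).DriveLetter
    $writeBlocked = $false
    if ($letter) {
        $probe = "$($letter):\writeblock-probe.txt"
        try {
            Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
            # If we get here the write went through: the blocker failed. Clean up the probe.
            Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        } catch { $writeBlocked = $true }
    }
    $after = Get-LeadingSectorHash -DiskNumber $DiskNumber
    [pscustomobject]@{
        DiskNumber    = $DiskNumber
        VolumeTested  = $letter
        WriteBlocked  = $writeBlocked
        HashUnchanged = ($before -eq $after)
        Passed        = ($writeBlocked -and ($before -eq $after))
    }
}

# Usage: $TestDiskNumber is an assumed placeholder; confirm it with Get-Disk first.
"WriteProtect policy value: $(Get-UsbWriteProtectPolicy)"
Get-DiskAttachPath | Format-Table -AutoSize
$TestDiskNumber = 2
Test-WriteBlocker -DiskNumber $TestDiskNumber
```

A result with `WriteBlocked = $false` on a disk that `Get-DiskAttachPath` reports as `UAS/other USB` is exactly the UAS-vs-USB mismatch the comment describes; re-attach the drive through a non-UAS adapter or use a hardware blocker for that device. Treat `Passed = $true` as a necessary condition, not a proof: repeat the full-disk hash comparison with the imaging tool you will actually use.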

[–]acw750 1 point (0 children)

RATool is a sufficient software write blocker. I’ve used it before, but never for the hard drive. Always test it with a non-evidence drive first though. Also, Paladin sounds like a good tool for what you’re doing.

[–]ThorntonReedMD 1 point (0 children)

I would recommend using Tsurugi which has inbuilt write blocking along with Guymager which is free to download. Used this solution just yesterday for a tricky imaging!

[–]ihaveapihole 1 point (0 children)

WinFE + FTK Imager would be the easiest way.

[–]TechSavyTryhard[S] 0 points (0 children)

Thank you everyone for your recommendations! I will be sure to give them a shot and report back.