If you have connected evidence hard drives to a system for imaging, do you need to use a write blocker if you are going to boot to a Linux-based forensic CD?

Explain why or why not. In what situations would collecting an image of memory be most useful to the investigation?

Subject: Digital Forensics

Topic: Initial response and forensic duplication

Difficulty: Medium

1 Answer

A write blocker is any tool that permits read-only access to data storage devices without compromising the integrity of the data. A write blocker, when used properly, can guarantee the protection of the data chain of custody.

NIST's general write blocking requirements hold that:

  • The tool shall not allow a protected drive to be changed.
  • The tool shall not prevent obtaining any information from or about any drive.
  • The tool shall not prevent any operations to a drive that is not protected.

The answer is that you should always use a write blocker, if one is available. Depending on the forensic CD you use, the state of the source material, the volume definition, and the file system in use, there may be a chance that the simple ‘read only’ flags you pass to mount commands are not sufficient. This is a situation where familiarity with common file systems and partitioning schemes is essential.
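As an added example (not part of the answer above), the following POSIX shell script shows the software-only fallback for the case the answer describes: no hardware write blocker at hand, a Linux forensic boot, and a file system whose journal replay a plain `ro` mount flag would not stop. The device path `/dev/sdX`, the `acquire_readonly` helper and its arguments are assumptions for illustration; the real-device procedure needs root and is only defined, not run.

```shell
#!/bin/sh
# Added example, not from the original answer. Marks the evidence device
# read-only at the kernel level, picks mount options that also suppress
# journal replay, and hashes the device before and after so any change
# is detected. "/dev/sdX" is a placeholder for the evidence device.

# Mount options that avoid writes the plain "ro" flag does not prevent:
# ext3/ext4 replay the journal on mount unless "noload" is given, and
# XFS does the same unless "norecovery" is given.
ro_mount_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noload" ;;
        xfs)       echo "ro,norecovery" ;;
        *)         echo "ro" ;;
    esac
}

# SHA-256 of a device or image file (sha256sum prints "hash  path").
hash_image() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Succeeds only if the device still has the hash taken before the mount.
verify_unchanged() {
    [ "$(hash_image "$1")" = "$2" ]
}

# Full procedure for a real device (hypothetical helper; requires root).
# Usage: acquire_readonly /dev/sdX1 ext4 /mnt/evidence
acquire_readonly() {
    dev="$1"; fstype="$2"; mnt="$3"
    blockdev --setro "$dev"                          # kernel-level write block
    [ "$(blockdev --getro "$dev")" = "1" ] || return 1
    before=$(hash_image "$dev")                      # baseline hash
    mount -t "$fstype" -o "$(ro_mount_opts "$fstype")" "$dev" "$mnt"
    # ... examine or image the file system from "$mnt" here ...
    umount "$mnt"
    verify_unchanged "$dev" "$before"                # prove nothing changed
}
```

A hardware write blocker remains the first choice; this script only narrows the window in which a software-only mount can alter the source.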
