• To ensure you get the most out of your CIN membership and stay connected with the latest updates, we are asking all members to update their community profiles. Please take a few moments to log in and: • Complete all sections of your profile • Review your current information for accuracy • Enter an alternative email address if desired (CIN requires your valid business email address for your training organization). Keeping your profile up to date helps us better serve you, ensures your account is correctly linked with CompTIA’s CRM, streamlines processes, enhances communication, and guarantees you never miss out on valuable CIN opportunities. Thank you for taking this important step! step!

Write Blocker

No. and for demo, they are to expensive.
What i tell in the Courses about this:
Also the Problem is with non-removal Flash Storage: No more useful. (All the Apple Stuff, Microsoft Surface and so on)
Also most Blockers are for IDE, maybe SATA Protocol. but not many for M.2 SSD. (Just found one for around 400 USD for M.2 only):
Link says:
Examine the contents of NVMe SSDs without modifying the contents


And what are you doing when the Files are encrypted with Bitlocker ?
Encrypting the Data to get to the real files is already modifying the Data, which means they are no longer as it should be (aka original).
Also Data would be need to be send to the Harddrive for decryption.
What are you doing when you copy the encrypted data, to decrypt you would need the Bitlocker Recovery Key...-> working with modified data, Hashing will no longer work.
What are you doing with VMs stored on a Machine..
So, HDD Write Blocker are maybe useful on legacy devices, but not for modern systems. IMHO.
You need to grab the Data from the running System..
Had no chance to talk about this with a forensic guy yet..
My 2c
 
  • Like
Reactions: Trevor Chandler
No. and for demo, they are to expensive.
What i tell in the Courses about this:
Also the Problem is with non-removal Flash Storage: No more useful. (All the Apple Stuff, Microsoft Surface and so on)
Also most Blockers are for IDE, maybe SATA Protocol. but not many for M.2 SSD. (Just found one for around 400 USD for M.2 only):
Link says:
Examine the contents of NVMe SSDs without modifying the contents


And what are you doing when the Files are encrypted with Bitlocker ?
Encrypting the Data to get to the real files is already modifying the Data, which means they are no longer as it should be (aka original).
Also Data would be need to be send to the Harddrive for decryption.
What are you doing when you copy the encrypted data, to decrypt you would need the Bitlocker Recovery Key...-> working with modified data, Hashing will no longer work.
What are you doing with VMs stored on a Machine..
So, HDD Write Blocker are maybe useful on legacy devices, but not for modern systems. IMHO.
You need to grab the Data from the running System..
Had no chance to talk about this with a forensic guy yet..
My 2c
Your 2 cents is just as valuable as my 5 cents, so thank you very much Michael!!!