From the course: Incident Response: Evidence Collection in Windows
Write blockers
- [Instructor] Now that we've collected all the evidence from the computer that we could while it was running and we've shut it down, we now need to take the next step in our investigation. At this point, we want to go ahead and take that victim workstation back to our lab as evidence, or we want to remove its hard drive and make a forensic disk image here, right on the scene. Additionally, if we find any USB drives, external hard drives, CDs or DVDs, now would be a good time to image and collect those as well. But before we attempt to make a disk image of any of those internal and external hard drives, we do need to make sure that we're using a write blocker. That begs the question, what is a write blocker? Well, a write blocker is a software or hardware device that prevents your forensic workstation from writing data back to the target media. Basically, a write blocker works like a check valve. This means that data can…