Evidence Protection & Write-Blocking
The Acorn incorporates kernel-level read-only enforcement, controlled device access workflows and investigator-managed evidence protection controls designed to support forensic examinations.
Evidence devices can be managed through Sleuthy’s Device Manager/Write-Blocker, providing a structured approach to device visibility, protected access and forensic workflows.
Integrated Evidence Protection
The Acorn incorporates evidence protection controls directly into the operating environment. Rather than relying on a single protection mechanism, it uses a layered approach designed to support forensic examinations, device management and controlled investigator workflows.
The platform provides integrated evidence protection controls that may reduce the need for external hardware write blockers in some workflows, while still allowing organisations to follow their own policies, procedures and validation requirements.
Kernel RO Enforcement
Read-only controls are applied to supported removable storage devices by default, helping investigators interact with evidential media without immediate write access.
Device Management
Connected devices can be reviewed and managed through Sleuthy’s Device Manager/Write-Blocker, providing visibility into device status and access controls.
Safe Mount Workflows
Evidence devices can be mounted using workflows designed to support forensic examinations, helping investigators maintain consistent handling procedures.
Investigator Control
Access changes are investigator-initiated and managed through controlled workflows when write access is intentionally required.
Kernel-Level Read-Only Protection
When supported removable storage devices are connected to The Acorn, the operating environment is designed to apply kernel-level read-only protection by default. This approach helps investigators interact with evidential media without immediate write access, supporting structured and repeatable evidence handling workflows while helping to maintain evidential integrity throughout the examination process.
Removable Device Connected → Kernel-Level Read-Only Protection → Evidence Available For Examination
Controlled Access Workflows
The Acorn provides investigator-controlled access workflows, allowing authorised users to intentionally transition supported devices between protected and read-write states when required.
Sleuthy’s Device Manager
Sleuthy’s Device Manager provides visibility into connected storage devices, device status and evidence handling workflows through a centralised management interface. Investigators can review connected media, identify protection states and manage controlled access workflows from a single location.
Device Mounted Read-Only Successfully
Supported devices can be mounted using controlled read-only workflows designed for forensic examinations.
Read-Write Confirmation Warning
Write access changes require deliberate investigator action and present a confirmation warning before proceeding.
Read-Write Access Granted
Successful access changes remain visible to the investigator through the device management workflow.
Device Status Visibility
Device status and access modes remain visible throughout the examination process.
Designed For Repeatable Evidence Handling
Over an 18-month period, the platform has been continuously tested and refined across evidence handling, device management and investigator workflow scenarios to support a consistent and repeatable approach to digital forensic examinations.
Explore The Acorn Platform
The evidence protection capabilities shown on this page form part of The Acorn forensic workstation. The platform combines integrated evidence protection, forensic workflows and open-source investigation technologies within a portable Linux forensic environment.