Write-Blocker Forensic Use Case: Verifying Write-Block on The Acorn

This Write-Blocker forensic use case highlights how the Acorn helps digital examiners verify write protection on suspect devices. Using the built-in Disk Manager, it detects connected media, toggles to Read Only mode, and ensures no accidental writes occur – all while maintaining a defensible chain of custody.

Context

A digital forensics examiner, Jane Smith, arrives on site to image a suspect’s external USB drive believed to contain illicit material. She uses the Acorn’s Disk Manager, which includes our proprietary software-based write blocker, to safeguard evidence integrity.

1. Mounting the Suspect’s Drive

• Jane inserts the USB drive into the Acorn.
• The Disk Manager immediately detects /dev/sdc, displays NTFS partition details, and automatically toggles the drive to “Read Only” mode.
• This ensures no accidental writes to the suspect drive.

2. Verifying Write Block

• Before imaging, Jane confirms that the “Write” checkbox is unchecked in the Disk Manager.
• She attempts a test write, which fails as expected, verifying that write blocking is enforced.
• To ensure no unintentional writes occurred, Jane calculates the MD5 and SHA1 hash values of the suspect drive before proceeding.

The Acorn forensic workstation desktop displaying Sleuthy wallpaper, forensic applications, and device manager with a write-blocker enabled.

3. Acquisition with Guymager

• Confident the drive is write blocked, Jane opens Guymager to create a forensic image (E01 or raw) from /dev/sdc.
• She enables MD5 and SHA1 hashing to confirm that the image matches the original drive.
• After imaging, Jane recalculates the hash values of the suspect drive and compares them to the original pre-imaging hash values.
• The values match, verifying that no modifications occurred during the imaging process.

Guymager forensic use case – forensic imaging screenshot
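
The read-only check and the pre- and post-imaging hash comparison from steps 2 and 3, written as an added shell example (not the Acorn's own code and not part of the original page). It assumes util-linux `blockdev` and GNU coreutils; the function names and the `record`/`verify` modes are hypothetical, and the kernel read-only flag is an assumed independent check, since the page does not say how the Disk Manager enforces its block.

```shell
#!/bin/sh
# Added example, not the Acorn's own code. Function names are hypothetical.
# Assumes GNU coreutils (md5sum, sha1sum) and util-linux (blockdev).

# Kernel read-only flag of a block device: 0 = read-only, 1 = writable,
# 2 = not a block device or the flag could not be read.
kernel_ro() {
    [ -b "$1" ] || return 2
    flag=$(blockdev --getro "$1") || return 2
    [ "$flag" = "1" ]
}

# Print "MD5 SHA1" of a device or image; the source is only opened for reading.
hash_pair() {
    [ -r "$1" ] || return 1
    printf '%s %s\n' "$(md5sum < "$1" | cut -d' ' -f1)" \
                     "$(sha1sum < "$1" | cut -d' ' -f1)"
}

# Compare current hashes with the pair recorded before imaging.
# 0 = unchanged, 1 = mismatch (source was modified), 2 = source unreadable.
verify_unchanged() {
    now=$(hash_pair "$1") || return 2
    [ "$now" = "$2" ]
}

# Usage (as root):
#   sh verify.sh record /dev/sdX pre.hashes   # before imaging
#   sh verify.sh verify /dev/sdX pre.hashes   # after imaging
case "${1:-}" in
    record)
        kernel_ro "$2" || { echo "refusing: $2 is not flagged read-only" >&2; exit 1; }
        hash_pair "$2" > "$3" || exit 2
        echo "recorded: $(cat "$3")" ;;
    verify)
        if verify_unchanged "$2" "$(cat "$3")"; then
            echo "MATCH: $2 unchanged since pre-imaging hash"
        else
            echo "MISMATCH: $2 differs from pre-imaging hash" >&2; exit 1
        fi ;;
esac
```

Keep the file written by `record` with the case notes so the post-imaging comparison can be repeated later.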

4. VeraCrypt Volume Creation Wizard

• To protect the forensic image during transport, Jane creates an encrypted VeraCrypt container on an external SSD.
• A copy of the forensic image is stored within the VeraCrypt container, ensuring only authorised personnel can access it.
• The original forensic image remains unaltered on secured forensic storage, preserving chain-of-custody best practices.
• Encryption ensures compliance with forensic security policies while protecting sensitive case data.

5. LibreOffice Forensic Report Draft

• After imaging the drive, Jane compiles a preliminary forensic report documenting:
– The imaging process.
– The confirmation of write-block enforcement.
– The successful verification of the forensic image via hash values.
• Using LibreOffice, Jane creates a standardised, court-ready report, which she exports as a PDF.

LibreOffice forensic report being created on the Acorn forensic workstation, detailing digital forensic analysis and evidence findings

6. Preserving Integrity

• Throughout the process, the Acorn’s Disk Manager ensures no data modifications occur, fulfilling evidence handling best practices.
• Jane completes her imaging and removes the suspect drive for secure storage.

Why the Acorn Wins Here

• Integrated Software Write Blocker – Windows typically requires separate software or hardware blocks; the Acorn simplifies it under one interface.
• Minimal Overhead – The Acorn’s lean Ubuntu base handles imaging tasks quickly, with fewer background processes.
• All‐in‐One Forensic Toolkit – The examiner has access to Guymager, ddrescue, and other DFIR tools ready to go, saving time in the field.
