Write blocking

Once our evidence has been properly documented and collected, we can begin working on acquiring the actual digital evidence. I'll mention this a couple of times in an effort to drive home the point, but the original evidence should only be used to create forensic copies or images, which will be discussed further on in this chapter and again in other chapters.

Working on the original evidence can and usually will modify the contents of the medium. For instance, booting a seized laptop into its native OS will allow data to be written to the hard drive and may also erase and modify contents contained in the RAM and paging file.

To prevent this from happening, a write blocker must be used. Write blockers, as the name suggests, prevent data from being written to the evidence media. They come in both hardware and software forms. If a hardware write blocker is not available, software versions are readily available as standalone features in forensic operating systems including C.A.I.N.E, as mentioned in Chapter 1, Introduction to Digital Forensics, and also as part of some commercial and open source tools such as EnCase and Autopsy.

Again, it is of high importance that a write blocker be used in investigations to protect and preserve the original evidence from being modified. The following image shows a cheap and efficient portable SATA and IDE adapter with write-blocking switches, used in drive acquisition and recovery:
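As an added example (not code from the book), the following Python script mirrors what a software write blocker guarantees on Linux: it refuses to image a device unless the kernel's read-only flag is set, and it hashes the original before and after the copy so the record shows the evidence was not modified. The /sys/block/<dev>/ro flag and `blockdev --setro` are real Linux facilities; the sysfs tree, evidence file and device names in demo() are constructed for offline use.

```python
import hashlib
import tempfile
from pathlib import Path

def is_read_only(dev: str, sysfs_root: Path = Path("/sys/block")) -> bool:
    """True when the kernel read-only flag is set for the block device."""
    # `blockdev --setro /dev/sdX` (or a udev rule) sets it; sysfs then shows '1'.
    ro_file = sysfs_root / dev / "ro"
    if not ro_file.exists():
        raise FileNotFoundError(f"no sysfs entry for block device {dev}")
    return ro_file.read_text().strip() == "1"

def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()                     # stream so a large device node fits in memory
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(dev: str, source: Path, image: Path, sysfs_root: Path = Path("/sys/block")) -> dict:
    """Copy source to image only if dev is write-blocked; hash the original before
    and after the copy so the record shows it was not modified."""
    if not is_read_only(dev, sysfs_root):
        raise RuntimeError(f"{dev} is not write-blocked; refusing to acquire")
    before = sha256_of(source)
    with source.open("rb") as src, image.open("wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    after, image_hash = sha256_of(source), sha256_of(image)
    return {"source_before": before, "source_after": after,
            "image": image_hash, "verified": before == after == image_hash}

def demo() -> dict:
    """Offline run against a constructed sysfs tree and a 1 MiB fake drive file."""
    with tempfile.TemporaryDirectory() as tmp:
        root, sysfs = Path(tmp), Path(tmp) / "sysfs"
        for dev, flag in (("sda", "0\n"), ("sdb", "1\n")):   # sda writable, sdb blocked
            (sysfs / dev).mkdir(parents=True)
            (sysfs / dev / "ro").write_text(flag)
        evidence = root / "evidence.bin"
        evidence.write_bytes(bytes(range(256)) * 4096)       # constructed drive contents
        try:
            acquire("sda", evidence, root / "sda.dd", sysfs)   # must be refused
            refused = False
        except RuntimeError:
            refused = True
        result = acquire("sdb", evidence, root / "sdb.dd", sysfs)
        result["refused_writable"] = refused
        return result
```

On a real system the same flag can be inspected with `blockdev --getro /dev/sdX` before any imaging tool touches the drive.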
