During live and dead acquisition, it’s important not to mess up with the evidence. Write blockers protect the evidence from accidental tampering the evidence making sure it will be admissible in court.
Hardware write blockers
Windows
Windows Software Write Blockerย Basically, one can do this manually. This includes changing the value in the registry.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies changing the value of the WriteProtect DWORD to 1 under this key, the device will be set to read-only mode, preventing any data from being written to it.
macOS
Either use a hardware write blocker or turn off disk arbitration.
Disk Arbitration prevents the host computer from writing data to the target MacBook using Target Disk Mode. To turn off this feature, refer toย thisย page. Itโs needed so the forensic machine wonโt change the data on the suspect MacBook. For Mac acquisition - followย theseย steps.
๐งชย What files are changed when something is connected to a Mac (USB or using Thunderbolt)? Is turning off the disk arbitration feature really preventing changes to the target drive?
๐งช When attaching my MacBook to another via Share Disk mode, I deleted files from the target MacBook even with DA off. Why? Share Disk doesn’t work the same way as the Target Disk mode. It’s an SMB share. See the comprehensive research above.
There is also a tool ๐ ๏ธ https://github.com/aburgh/Disk-Arbitrator. That helps and eases the work. I need to check this out.
# Turn DA off
# Old macOS
cd /etc/mach_init.d
ls
sudo cp diskarbitrationd.plist /
ls /
sudo rm diskarbitrationd.plist.
# New macOS
# Option #1. Kill the process
# cat /var/run/diskarbitrationd.pid gives the PID
# ps -ex gives the proc list
ps -ex | grep $(cat /var/run/diskarbitrationd.pid)
# Option #2. Remove the plist
sudo cp /System/Library/LaunchDaemons/com.apple.diskarbitrationd.plist /
# give read-only FS
# Turn on
sudo cp /diskarbitrationd.plist /etc/mach_init.d.