Question
Hi. Can someone help me with a response to my classmate's discussion post? Thanks.
A write blocker is any tool that allows read-only access to any information storage device, while keeping the integrity of the data. This would assist in any investigation, whether it be for a corporate or criminal case, because if a write blocker is used appropriately, it can assure the safety of the data's chain of custody (CRU Acquisition Group, 2019). Maintaining the chain of custody is critical to the investigation. This ensures that the evidence was not altered, tampered with, or falsified. There are two types of write blockers, hardware and software. The software write blocker is installed on a forensic investigator's computer workstation. However, the hardware write blockers have blocking software installed on a controller chip that is on a transportable physical device.
2) Imagine you are a computer forensic examiner receiving a suspect hard disk drive from a detective in your department. The drive was seized properly during a legally executed search warrant. The detective signs the chain of custody log and hands you the drive. Your job is to accept the drive, conduct an analysis, and maintain the drive until trial. Please explain the steps you would take, from receipt of the evidence until testimony, including the reasons why you would take each step. For example, what would you check for when you sign for the drive on the chain of custody document?

Once the evidence is in your hands, you should always look at the chain of custody document. When looking at the chain of custody document, it should always specify what the evidence is, how they got it, when it was seized, who has handled the evidence, for what reason, where the evidence has been, and where the evidence has been stored (Scalet, 2005). The reason why we should look for these things is because if the chain of custody is not properly documented, then the evidence could be thrown out in court. After we ensured that the chain of custody has been documented appropriately, we would then conduct the forensic examination of the device. However, the technician should create a bit-for-bit forensic image, because we never want to use the original media unless there is no other option. If we have to use the original, it needs to be documented that we did so and why. Then we would do an analysis on the hard disk by examining the structure of the disk and looking for any suspicious files or hidden files on it. We may even find evidence hidden in plain sight. After we searched through those files, we would see if there were any encrypted files on the hard disk that needed a password to unlock. Furthermore, we would look for any file irregularities, compressed files, and discover new things on the device.
For instance, emails, recently used documents, visited websites, and snippets or fragments of information (UMUC, n.d.). Then, when we were done analyzing the hard disk and finding all the incriminating evidence on the hard disk, we would save the evidence for future use, because you might need to review the work that you completed. Nevertheless, we would report the analysis results when we were finished analyzing the evidence. Lastly, we would make sure the chain of custody document was signed, and put the evidence in a designated secure location until needed for the trial.
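Two of the steps in the post above, as an added example that is not part of the original post: confirming that a bit-for-bit image hashes identically to its source before any analysis touches it, and keeping a chain-of-custody log in which every entry commits to the previous one so a later alteration is detectable. The drive contents, actor names and timestamps are constructed for the example.

```python
"""Added example: image verification plus a tamper-evident custody log.
The 'drive' bytes below are constructed; no real device is read."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: stands in for raw bytes read through a write blocker.
SUSPECT_DRIVE = bytes(range(256)) * 64  # 16 KiB of deterministic content

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire_image(source: bytes) -> tuple:
    """Bit-for-bit copy; returns (image, source_hash, image_hash).
    Matching hashes prove the copy is exact; analysis then uses the image."""
    image = bytes(source)  # placeholder for the imaging tool's output file
    return image, sha256(source), sha256(image)

def image_is_verified(source_hash: str, image_hash: str) -> bool:
    return source_hash == image_hash

class CustodyLog:
    """Append-only log. Each entry records who handled the evidence, what
    they did, the evidence hash, and the hash of the previous entry, so an
    edited or removed entry breaks verify()."""
    def __init__(self):
        self.entries = []

    def add(self, actor: str, action: str, evidence_hash: str, when=None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        when = when or datetime.now(timezone.utc).isoformat()
        body = {"actor": actor, "action": action, "evidence_hash": evidence_hash,
                "time": when, "prev_hash": prev}
        body["entry_hash"] = sha256(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = sha256(json.dumps(body, sort_keys=True).encode())
            if body["prev_hash"] != prev or expected != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```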