Performance using a write blocker

A traditional write-blocker is effectively a "smart bridge" that connects a host computer to a disk drive. It is a "smart bridge" because it only allows read requests to pass from the host to the disk drive. It then passes the responses from the disk back to the host computer, effectively allowing read-only access to the disk drive. Traditional write-blockers accept IDE, SCSI and SATA disk drives.

Use of a write-blocker is necessary when making a forensic acquisition using a Windows-based computer, as the Windows operating system will automatically attempt to mount a newly attached disk drive. (This mount attempt can often result in modification of file metadata, including file access times. It can also alter the filesystem journal.)

The chart below, slightly unfairly, compares the time taken using dd to acquire 10 GB from an 80 GB IDE disk drive via IDE with the time taken to acquire 10 GB from the same disk drive, on the same computer, via a USB-based write-blocker. It should not be a surprise that the write-blocker took longer, as USB is slower than IDE.

This highlights an important point: the interface to the write-blocker plays an important role in the overall throughput of the acquisition.

Performance USB external vs USB write-blocker

This chart compares the penalty of using a USB-based write-blocker with that of a standard USB-based external disk. In both, the internal disk is accessed via an IDE-to-USB bridge. However, the write-blocker's smart bridge must do more processing than the standard IDE-to-USB bridge, as the smart bridge is looking for write requests to remove.

Here, the performance penalty of the USB based write-blocker is still evident.
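
To reproduce the kind of comparison described above, the following added example (not from the original page) times the same fixed-size dd read so that one disk can be measured through each attachment path in turn. It assumes GNU coreutils (`dd bs=1M`, `date +%s.%N`); the function names and the `/dev/sdX` device name are placeholders.

```shell
#!/bin/sh
# Added example: time a fixed-size dd read so the same disk can be compared
# across attachment paths (direct IDE, USB bridge, USB write-blocker).
# Assumes GNU coreutils. Function names are illustrative only.

# throughput_mib BYTES SECONDS -> MiB/s with one decimal, "n/a" if SECONDS <= 0
throughput_mib() {
    awk -v b="$1" -v s="$2" 'BEGIN {
        if (s <= 0) { print "n/a"; exit }
        printf "%.1f\n", b / 1048576 / s
    }'
}

# timed_read SRC COUNT_MIB -> prints "BYTES SECONDS"
# Reads at most COUNT_MIB MiB from SRC and discards the data. BYTES is what
# was actually read, so a source smaller than COUNT_MIB is reported as such.
timed_read() {
    src=$1
    count=$2
    start=$(date +%s.%N)
    bytes=$(( $(dd if="$src" bs=1M count="$count" 2>/dev/null | wc -c) ))
    end=$(date +%s.%N)
    secs=$(awk -v s="$start" -v e="$end" 'BEGIN { printf "%.3f", e - s }')
    echo "$bytes $secs"
}

# acquisition_rate SRC COUNT_MIB -> one summary line for the run
acquisition_rate() {
    set -- "$1" "$2" $(timed_read "$1" "$2")
    echo "$1: $3 bytes in $4 s = $(throughput_mib "$3" "$4") MiB/s"
}

# Runs only when given arguments, e.g.: sh rate.sh /dev/sdX 10240
# (/dev/sdX is a placeholder; 10240 MiB is the first 10 GiB of the disk).
# Repeat once per interface. On Linux, drop the page cache between runs so
# that a repeated read is not served from memory.
if [ "$#" -ge 2 ]; then
    acquisition_rate "$1" "$2"
fi
```

Because the script only ever opens the source for reading, it can be run against the disk both behind the write-blocker and behind a plain bridge to obtain comparable figures.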