The question "How critical is Write-Block during onsite triage?" needs qualifiers to answer accurately.
Every scenario is independent of the others. What is 'critical' in one scenario may not be in another. Case objectives, device configurations, and conditions onsite affect the decision-making of whether to write block or not, and if you can write block at all.
--Is the computer off?
-----Then you can "triage" in a write-protected mode using a forensically sound boot OS (Linux or Windows). Decryption key needed if the device is encrypted or else you won't have access to the data.
-----Or if the drive is accessible to a physical write protect device, triage via a forensic workstation with the drive attached through a hardware write blocker. You'll still need the key if the drive is encrypted.
--Is the computer on?
-----Do you need the RAM? You can't write protect if you do.
-----Is it encrypted and you don't have the key? You'll have to image while it's running (live) without write protection.
-----Is someone's life or limb at risk and you need intel now? Best to get the intel and not worry about write protection.
There is a sliding scale of what is reasonable as it relates to write protecting evidence. On one hand, if a storage device is easily accessible (removable as an example), not encrypted (or you have the decryption key), and time is not of the essence, then write blocking the drive to triage is probably most reasonable. However, if you are onsite of a child that has been lured away, and the computer is running, I would hope you would not even consider write blocking the device, since that would mean (1) shutting it down, (2) losing RAM, and most importantly, (3) wasting valuable and potentially life-saving time.