
Free Forensic USB Write Blocker Evidence Preservation Tool

Free registry-level USB write protection for Windows. One-click activation preserves evidence integrity during forensic imaging. Built by CISSP, ISSAP and ISSMP certified forensic examiners. No license required.

Sherlock USB Write Blocker is a free Windows utility that prevents write operations to USB storage devices by setting the WriteProtect registry value under StorageDevicePolicies. Forensic examiners use it to preserve evidence integrity and maintain chain of custody during USB device acquisition and imaging.

Mechanism

How Sherlock USB Write Blocker Works

Sherlock USB Write Blocker modifies a single Windows registry value to enforce read-only access on all USB storage devices. The tool targets the registry path HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect. When this value is set to 1, Windows mounts every newly inserted USB mass storage device in read-only mode. No data can be written to the device, no files can be modified and no metadata can be altered.

The protection takes effect on the next USB device insertion. This means you must enable write protection before plugging in the suspect device. Once protection is active, Windows blocks all write operations at the operating system level. The device remains fully readable for forensic imaging and file browsing.

To disable protection, click the toggle again. The tool sets WriteProtect back to 0 and USB devices inserted afterward mount with normal read-write access. The interface displays the current protection state at all times so you always know whether writes are blocked.

Technical Details

Registry Path
HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
Registry Value
WriteProtect (DWORD). Value of 1 enables read-only mode. Value of 0 restores normal read-write access.
Scope
Applies to all USB mass storage class devices including flash drives, external hard drives and USB-connected memory card readers.
Activation
Takes effect on the next USB device insertion. Already-mounted devices are not affected until ejected and reinserted.
Admin Privileges
Required. Modifying HKLM registry keys requires administrator elevation. The tool prompts for UAC consent on launch.
SHA256 Verification
Published SHA256 hash for download integrity verification. Confirm the installer has not been tampered with before execution.

Evidence Integrity

Why Forensic Examiners Need Write Blocking

Write blocking is a foundational requirement in digital forensics. When a USB device is connected to a Windows computer without write protection, the operating system can modify the device in ways that compromise evidentiary value. Windows may update access timestamps, create Recycle Bin metadata, write System Volume Information folders or trigger autorun processes. Any of these modifications can alter the hash value of the original evidence and undermine its admissibility in court.

Evidence Integrity

Forensic evidence must remain unaltered from the moment of seizure through final presentation in court. Write blocking ensures that no bits are changed on the suspect device during examination. The forensic image hash will match the original device hash, proving the evidence has not been tampered with. Standards from NIST CFTT and SWGDE require demonstrable write protection during evidence acquisition.

Chain of Custody

Chain of custody documentation must account for every interaction with evidence. Using a write blocker provides a documented control that proves no modifications occurred during your examination. Defense attorneys routinely challenge digital evidence by questioning whether proper handling procedures were followed. A write blocker eliminates the most common attack vector against digital evidence authenticity.

Court Admissibility

Courts in the United States, Canada and most common law jurisdictions expect forensic examiners to use write blocking during evidence acquisition. The Daubert standard requires that forensic methods follow accepted practices in the field. Write blocking is a universally accepted practice. Failure to use write protection can result in evidence being excluded, case dismissal or expert testimony being challenged under cross-examination.

Compare

Hardware vs Software Write Blockers

| Feature | Sherlock USB Write Blocker (Software) | Hardware Write Blocker (Tableau/CRU) |
|---|---|---|
| Protection level | Operating system (registry) | Hardware controller |
| Cost | Free | $200 to $500+ |
| Court acceptance | Accepted in many jurisdictions | Gold standard |
| Portability | Software only, no hardware needed | Requires physical device |
| USB support | All USB mass storage | All USB mass storage |
| SATA/IDE support | No | Yes (model dependent) |
| Bypass risk | Possible via admin access or malware | No software bypass possible |
| Setup time | One click | Physical connection required |
| NIST CFTT tested | No | Yes (select models) |

When to Use Each Approach

Hardware write blockers from Tableau (now OpenText) and CRU provide the strongest forensic guarantee because they operate below the operating system level. No software exploit or malware can bypass a hardware write blocker. For criminal cases, litigation with high financial stakes or any matter where evidence may face aggressive legal challenge, a hardware write blocker is the recommended approach. Sherlock USB Write Blocker fills a different role: immediate write protection when a hardware blocker is unavailable, for preliminary triage in the field, for incident response situations where speed matters or for training and education environments. Many examiners use both: software write blocking for initial triage and hardware write blocking for formal acquisition.

Procedure

Recommended Forensic Acquisition Procedure

Follow this step-by-step procedure when using Sherlock USB Write Blocker for forensic USB device acquisition. Document each step in your case notes.

  1. Enable Write Protection. Launch Sherlock USB Write Blocker with administrator privileges. Click Enable Protection. The tool sets WriteProtect to 1 in the registry. Confirm the status indicator shows protection is active. Do not insert the suspect device until this step is complete.
  2. Confirm Protection Status. Verify the application displays an active protection state. Optionally confirm by opening Registry Editor and navigating to HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. The WriteProtect value should read 1. Screenshot this confirmation for your case file.
  3. Insert the Suspect USB Device. Plug the suspect device into a USB port. Windows will detect and mount the device in read-only mode. You will be able to browse files and read data but all write operations will be blocked by the operating system.
  4. Verify the Device is Listed. Open Windows Explorer or Disk Management and confirm the suspect device appears. Verify you can browse its contents. Attempt to create a test file on the device to confirm write operations are blocked. Document the device serial number, capacity and filesystem type.
  5. Acquire the Forensic Image. Use your forensic imaging tool (FTK Imager, dd, Guymager or similar) to create a bit-for-bit image of the suspect device. Calculate and record the hash (MD5 and SHA256) of both the source device and the acquired image. The hashes must match to confirm evidence integrity.
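
The registry check in steps 1 and 2 and the hash record in step 5 can be scripted so the case notes do not depend on screenshots alone. The PowerShell below is an added example, not part of the Sherlock tool; the function names, the image path and the notes file are hypothetical, and the source hash is assumed to come from your imaging tool's report.

```powershell
# Added example, not part of the Sherlock tool. Function names, the image path
# and the notes file are hypothetical.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # The key or the value may be absent; absence means writes are NOT blocked.
    $p = Get-ItemProperty -Path $PolicyKey -Name WriteProtect -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.WriteProtect
}

function Assert-UsbWriteProtect {
    # Steps 1-2: run before inserting the suspect device.
    $v = Get-UsbWriteProtect
    if ($v -ne 1) { throw "WriteProtect is $v, expected 1. Do not insert the device." }
    # Devices already attached were mounted before this check and may be writable.
    Get-Disk | Where-Object BusType -eq 'USB' | ForEach-Object {
        Write-Warning "USB disk already attached: $($_.FriendlyName) [$($_.SerialNumber)]"
    }
}

function Add-AcquisitionRecord {
    # Step 5: hash the acquired image and compare it with the source hash
    # reported by the imaging tool, then append one JSON line to the notes file.
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        [Parameter(Mandatory)] [string] $SourceSha256,
        [string] $NotesPath = '.\case-notes.jsonl'
    )
    $sha = (Get-FileHash -LiteralPath $ImagePath -Algorithm SHA256).Hash
    $md5 = (Get-FileHash -LiteralPath $ImagePath -Algorithm MD5).Hash
    $record = [ordered]@{
        TimeUtc      = (Get-Date).ToUniversalTime().ToString('o')
        Account      = "$env:USERDOMAIN\$env:USERNAME"
        WriteProtect = Get-UsbWriteProtect
        UsbDisks     = @(Get-Disk | Where-Object BusType -eq 'USB' |
                         Select-Object FriendlyName, SerialNumber, Size)
        Image        = $ImagePath
        ImageSha256  = $sha
        ImageMd5     = $md5
        HashMatch    = ($sha -eq $SourceSha256.Trim())   # -eq ignores case for strings
    }
    $record | ConvertTo-Json -Depth 3 -Compress | Add-Content -LiteralPath $NotesPath
    if (-not $record.HashMatch) { throw "Image SHA256 does not match the source hash." }
}
```

Dot-source the file, run Assert-UsbWriteProtect before step 3 and Add-AcquisitionRecord after step 5. Reading the value does not need elevation; only changing it does.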

Limitations

Known Limitations

Sherlock USB Write Blocker provides effective software-level write protection but has limitations that forensic examiners must understand before relying on it in casework.

New Insertions Only
Write protection applies only to USB devices inserted after protection is enabled. Drives that are already mounted when you activate the tool retain their current read-write state. You must eject and reinsert any connected device for protection to take effect.
Software-Level Protection
The registry-based approach operates at the Windows kernel level. While effective under normal conditions, it is theoretically possible for a rootkit or kernel-level exploit to bypass this protection. Hardware write blockers provide a stronger guarantee because they operate below the operating system. For criminal cases or high-stakes litigation, use a hardware write blocker.
USB Mass Storage Only
This tool blocks writes to USB mass storage class devices only. It does not affect USB devices using other protocols such as MTP (Media Transfer Protocol) used by many smartphones or PTP (Picture Transfer Protocol) used by cameras in certain modes.
Windows Only
The StorageDevicePolicies registry key is a Windows-specific mechanism. This tool does not work on macOS or Linux. For those platforms, use mount options (mount -o ro) or a hardware write blocker.
Requires Admin Privileges
Modifying the HKLM registry hive requires administrator access. The tool will prompt for UAC elevation on launch. It cannot run under a standard user account.

Use Cases

Who Uses Sherlock USB Write Blocker

Forensic Examiners

Digital forensic professionals use write blocking as standard practice during evidence acquisition. Sherlock USB Write Blocker provides immediate protection for field triage when a hardware blocker is unavailable or impractical.

Law Enforcement

Police and federal investigators seize USB devices during search warrants and investigations. Write blocking ensures evidentiary value is preserved from the moment of seizure through courtroom presentation.

IT Administrators

System administrators use write blocking to safely examine USB devices found in corporate environments. Investigate potential data exfiltration or malware delivery without risking modification of the original device.

Incident Responders

DFIR teams responding to security incidents need to preserve USB evidence quickly. Software write blocking provides immediate protection during the critical first hours of an incident response engagement.

Download

Get Sherlock USB Write Blocker

Version 1.0 for Windows 10/11 (64-bit). Single executable. No license required.

File
sherlock-usb-blocker.exe
SHA256
ed9c357b7a5303112bf807c438ae6b4d7a69d28a3f0f6ea9698fe756b6858644
Version
1.0
Platform
Windows 10/11 (64-bit)
Price
Free. No trial period. No feature restrictions.

Questions

USB Write Blocker FAQ

What is a USB write blocker?
A USB write blocker prevents any data from being written to a USB storage device. It ensures the contents of the device remain unmodified during forensic examination. This preserves evidence integrity and maintains chain of custody for court admissibility.
How does Sherlock USB Write Blocker work?
Sherlock USB Write Blocker sets the WriteProtect value to 1 in the Windows registry at HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. This instructs Windows to mount all newly inserted USB storage devices in read-only mode. The change takes effect on the next USB device insertion.
Is a software write blocker admissible in court?
Software write blockers are accepted in many jurisdictions when proper procedure is documented. However, hardware write blockers from manufacturers like Tableau and CRU provide a stronger forensic guarantee because they operate at the hardware level. For high-stakes cases, use a hardware write blocker or combine both methods.
Does it work on already-mounted drives?
No. The registry-level write protection only applies to newly inserted USB devices. Drives that are already mounted when protection is enabled retain their current read-write state until they are ejected and reinserted.
Is Sherlock USB Write Blocker free?
Yes. Sherlock USB Write Blocker is completely free with no trial period, no feature restrictions and no license required. Download and use it without limitations.

Get Started

Download Sherlock USB Write Blocker

Free forensic USB write blocker built by CISSP, ISSAP and ISSMP certified forensic professionals. Need a full forensic examination or incident response? Contact our team.

Since 2006 | CISSP, ISSAP, ISSMP certified | 604.229.1994

Sherlock USB Write Blocker is provided for lawful forensic use only. Ensure compliance with your jurisdiction's evidence handling requirements.
