
Block USB Writes Without a $400 Tableau. Free.

Per-disk IOCTL write blocking with race-window timing, BadUSB defense, shadow mode and Ed25519-signed forensic reports. Free to protect. $39 Pro for court.

Sherlock Forensics USB Write Blocker v1.1.0 is a Windows forensic tool providing per-disk IOCTL write blocking, BadUSB HID Guard, shadow mode via bundled ImDisk driver and Ed25519-signed audit logs. Free to use. The Pro Edition at $39 one-time adds court-ready PDF reports, full audit export and chain of custody documentation. Replaces a $400 Tableau hardware write blocker for field triage and incident response.

Free to use. Pro at $39 one-time unlocks advanced features.

No install required · IOCTL-level blocking · No registry hacks · Since 2006

Quick Answer

Which Write Blocker Do You Need?

Your scenario | Best tool | Why
Lab forensic acquisition with budget for $400+ hardware | Tableau T356u / Wiebetech UltraBlock | Industry-standard, NIST-tested hardware
Field triage, first responder or on-scene seizure | Sherlock USB Write Blocker Pro ($39) | 10x cheaper Tableau alternative, software-only, Ed25519 audit trail
Solo examiner or mid-market firm without hardware budget | Sherlock USB Write Blocker Pro ($39) | Court-ready PDF and chain of custody at fraction of hardware cost
Incident response USB device analysis under time pressure | Sherlock USB Write Blocker Pro ($39) | Fastest deployment, no hardware procurement delay
Free product evaluation | Sherlock USB Write Blocker (Free) | View-only without Ed25519 audit, suitable for training

Start blocking USB writes immediately. Upgrade to Pro ($39) for Ed25519 audit, court-ready PDF and chain of custody documentation.

Mechanism

How Sherlock Forensics USB Write Blocker Works

Sherlock Forensics USB Write Blocker v1.1.0 uses IOCTL_DISK_SET_DISK_ATTRIBUTES to enforce per-physical-disk read-only access at the Windows kernel level. Each USB storage device is blocked individually the millisecond Windows detects it via PnP arrival notification. The race-window timing between device detection and write-block activation is recorded in the audit log for court evidence.

The live pristine pulse indicator shows a green pulse while zero bytes have been written to a blocked drive. If any write occurs before the block takes effect, the race-window log captures the exact timing so the examiner can assess whether evidence integrity was maintained.

PANIC LOCKDOWN mode provides an emergency global override that blocks all USB storage simultaneously. Per-device controls allow surgical blocking and unblocking from the topology viewer.

Technical Details

Write Block Method
IOCTL_DISK_SET_DISK_ATTRIBUTES per physical disk. Surgical per-device blocking, not a global registry toggle. Each disk gets its own read-only attribute set independently.
Device Detection
PnP arrival notification via Windows device management APIs. Devices detected the millisecond the bus enumerates them. Race-window timing recorded for every block event.
Scope
Blocks USB mass storage class devices (flash drives, external hard drives, USB-connected card readers). Full topology view shows every USB device on the bus including HIDs, audio, cameras and printers. MTP and PTP devices use different protocols and are not write-blocked.
Shadow Mode
Bundled ImDisk virtual disk driver creates a read-only virtual mount of the source disk. Source disk goes offline before mount to prevent duplicate-signature collisions. Works on all Windows editions.
Admin Privileges
Required. IOCTL disk operations and shadow mode driver registration require administrator elevation. The tool prompts for UAC consent on launch.
Audit Trail
Ed25519-signed hash-chained JSONL audit log at %PROGRAMDATA%\Sherlock\usb-blocker\audit.jsonl. Every action timestamped to the millisecond. Public key embedded for downstream verification. Exportable as PDF or JSON forensic report (Pro).
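How a reviewer could check a hash-chained, Ed25519-signed JSONL log of the kind described above, as an added example that is not the vendor's code. The record fields (seq, ts, event, disk, prev, sig), the genesis value and the event names are assumptions, because the page does not publish the audit.jsonl schema; the sample log is constructed.

```javascript
// Added example: independent verifier for a hash-chained, Ed25519-signed JSONL log.
// ASSUMPTION: the record fields (seq, ts, event, disk, prev, sig), the all-zero
// genesis value and the event names are invented for illustration; the page
// does not publish the real audit.jsonl schema.
const crypto = require('node:crypto');

const GENESIS = '0'.repeat(64);
const sha256hex = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Bytes covered by the signature: the whole record except `sig`.
function signedBytes(rec) {
  const { sig, ...body } = rec;
  return Buffer.from(JSON.stringify(body), 'utf8');
}

// Writer side: chain to the previous raw line, sign, append one JSON line.
function appendRecord(lines, privateKey, fields) {
  const prev = lines.length ? sha256hex(lines[lines.length - 1]) : GENESIS;
  const body = { seq: lines.length, ...fields, prev };
  const sig = crypto.sign(null, signedBytes(body), privateKey).toString('base64');
  lines.push(JSON.stringify({ ...body, sig }));
  return lines;
}

function signatureValid(rec, publicKey) {
  if (typeof rec.sig !== 'string') return false;
  try {
    return crypto.verify(null, signedBytes(rec), publicKey, Buffer.from(rec.sig, 'base64'));
  } catch {
    return false; // malformed signature bytes count as invalid
  }
}

// Reviewer side: walk the log once and report the first line that fails.
// `expectedHead` is the final line hash noted outside the log (for example in
// case notes); without it, removal of trailing records cannot be detected.
function verifyLog(lines, publicKey, expectedHead) {
  let prev = GENESIS;
  for (let i = 0; i < lines.length; i++) {
    const fail = (reason) => ({ ok: false, line: i + 1, reason });
    let rec;
    try { rec = JSON.parse(lines[i]); } catch { return fail('malformed JSON'); }
    if (rec === null || typeof rec !== 'object') return fail('malformed JSON');
    if (rec.seq !== i) return fail('sequence gap');          // deleted or reordered line
    if (rec.prev !== prev) return fail('broken hash chain'); // line from another log
    if (!signatureValid(rec, publicKey)) return fail('bad signature'); // edited line
    prev = sha256hex(lines[i]);
  }
  if (expectedHead !== undefined && prev !== expectedHead) {
    return { ok: false, line: lines.length, reason: 'head mismatch' };
  }
  return { ok: true, records: lines.length, head: prev };
}

// Milliseconds between PnP arrival and write-block activation, per disk,
// computed from the (assumed) event timestamps of an already verified log.
function raceWindows(lines) {
  const arrived = {};
  const windows = {};
  for (const rec of lines.map((l) => JSON.parse(l))) {
    if (rec.event === 'pnp_arrival') arrived[rec.disk] = Date.parse(rec.ts);
    if (rec.event === 'write_block_applied' && rec.disk in arrived) {
      windows[rec.disk] = Date.parse(rec.ts) - arrived[rec.disk];
    }
  }
  return windows;
}

// Constructed sample log (not real tool output), signed with a throwaway key.
function buildSampleLog(privateKey, disk) {
  const lines = [];
  appendRecord(lines, privateKey, { ts: '2026-05-14T09:30:00.000Z', event: 'armed', disk: null });
  appendRecord(lines, privateKey, { ts: '2026-05-14T09:30:07.120Z', event: 'pnp_arrival', disk });
  appendRecord(lines, privateKey, { ts: '2026-05-14T09:30:07.124Z', event: 'write_block_applied', disk });
  appendRecord(lines, privateKey, { ts: '2026-05-14T09:41:52.903Z', event: 'image_hashed', disk });
  return lines;
}

const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const logA = buildSampleLog(privateKey, 'PhysicalDrive2');
const logB = buildSampleLog(privateKey, 'PhysicalDrive3');

console.log(verifyLog(logA, publicKey));
console.log(raceWindows(logA));
```

A chain plus per-record signatures catches edits, deletions and spliced-in records, but a log cut short at the end still verifies unless the final hash was recorded somewhere outside the file.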

Technical Depth

Technical Details: How Sherlock Implements Software Write Blocking

Sherlock USB Write Blocker is a software write blocker that operates at the Windows storage stack rather than at a physical hardware controller. The core mechanism is per-disk IOCTL_DISK_SET_DISK_ATTRIBUTES with the DISK_ATTRIBUTE_READ_ONLY flag set. Each USB device gets its own read-only mount enforcement at the volume level the moment PnP arrival fires. This is fundamentally different from registry-only write protection, which is a global flag that does not bind per-device and does not survive certain low-level access paths.

The software write blocker model also includes sector lock semantics: the block device is marked read-only at the OS storage layer, so Win32 file APIs (WriteFile, WriteFileEx, SetEndOfFile, FlushFileBuffers) return ACCESS_DENIED on any attempt to write. A UDMA write blocker at the hardware level enforces this further down the stack. We are honest about the scope: physical-sector writes through certain kernel-mode drivers or raw block device handles can bypass user-mode protection. For most field-triage and incident-response scenarios this gap is academic. For lab acquisition where a defense expert may test bypass paths, a hardware UDMA write blocker is still the safer choice.

Sherlock combines per-disk IOCTL software write blocker enforcement, sector lock at the volume layer, PnP arrival race-window timing capture, the Ed25519-signed audit log and the live pristine pulse indicator that proves zero bytes were written to the blocked block device. Together these make Sherlock a forensically defensible software write blocker for the price point.

Evidence Integrity

Why Forensic Examiners Need Write Blocking

Write blocking is a foundational requirement in digital forensics. When a USB device is connected to a Windows computer without write protection, the operating system can modify the device in ways that compromise evidentiary value. Windows may update access timestamps, create Recycle Bin metadata, write System Volume Information folders or trigger autorun processes. Any of these modifications can alter the hash value of the original evidence and undermine its admissibility in court.

Evidence Integrity

Forensic evidence must remain unaltered from the moment of seizure through final presentation in court. Write blocking ensures that no bits are changed on the suspect device during examination. The forensic image hash will match the original device hash, proving the evidence has not been tampered with. Standards from NIST CFTT and SWGDE require demonstrable write protection during evidence acquisition.

Chain of Custody

Chain of custody documentation must account for every interaction with evidence. Using a write blocker provides a documented control that proves no modifications occurred during your examination. Defense attorneys routinely challenge digital evidence by questioning whether proper handling procedures were followed. A write blocker eliminates the most common attack vector against digital evidence authenticity. See our chain of custody software for complete evidence tracking.

Court Admissibility

Courts in the United States, Canada and most common law jurisdictions expect forensic examiners to use write blocking during evidence acquisition. The Daubert standard requires that forensic methods follow accepted practices in the field. Write blocking is a universally accepted practice. Failure to use write protection can result in evidence being excluded, case dismissal or expert testimony being challenged under cross-examination.

Compare

Hardware vs Software Write Blockers

Feature | Sherlock Forensics USB Write Blocker (Software) | Hardware Write Blocker (Tableau/CRU)
Protection level | Operating system (registry) | Hardware controller
Cost | Free | $200 to $500+
Court acceptance | Accepted in many jurisdictions | Gold standard
Portability | Software only, no hardware needed | Requires physical device
USB support | All USB mass storage | All USB mass storage
SATA/IDE support | No | Yes (model dependent)
Bypass risk | Possible via admin access or malware | No software bypass possible
Setup time | One click | Physical connection required
NIST CFTT tested | No | Yes (select models)

When to Use Each Approach

Sherlock Forensics USB Write Blocker is built for triage speed, field deployment and incident response: situations where waiting for a hardware blocker means losing evidence. Hardware write blockers from Tableau (now OpenText) and CRU remain a strong choice for formal acquisition in a controlled lab. Many examiners use both: software write blocking for the immediate response window, hardware write blocking for formal acquisition. The Ed25519-signed audit log produced by Sherlock Forensics USB Write Blocker Pro provides cryptographic proof of every action, which courts accept when proper procedure is documented. The right tool depends on the moment. When a USB device just landed on your desk and you need it locked down now, software write blocking is what serves the case.

Cost

Cost Comparison

Solution | Price | Notes
Tableau T356789iu (hardware) | $400+ | Single-port hardware blocker, OpenText
CRU WiebeTech (hardware) | $300+ | Hardware blocker, formal acquisition
Sherlock Forensics USB Write Blocker Pro | $39 one-time | Software, field-ready, court-ready audit
Sherlock Forensics USB Write Blocker Free | $0 | Core write blocking, no reports

Competitor Displacement

Sherlock USB Write Blocker vs Tableau T356u vs Wiebetech UltraBlock

The Tableau write blocker line (now OpenText after the Guidance Software acquisition) is the gold standard for lab forensic acquisition at $400 to $500 per unit. The Wiebetech UltraBlock series from CRU runs $300 to $400. Logicube write blockers compete in the same hardware tier. All three are excellent for controlled lab work. None of them solve the field-triage, first responder or DFIR scaling problem that mid-market firms face every week. That is the gap Sherlock fills as a Tableau alternative, Wiebetech alternative and Logicube alternative at the $39 software price point.

Capability | Tableau T356u | Wiebetech UltraBlock | Sherlock USB WB Pro
Price | ~$400-500 hardware | ~$300-400 hardware | $39 software
Hardware required | Yes, physical write blocker unit | Yes, physical write blocker unit | No, install on examiner workstation
Deployment time | Procurement plus shipping | Procurement plus shipping | Immediate download
NIST CFTT tested | Yes | Yes | Independent test eligible (not yet submitted)
Court-ready PDF report | Optional via Tableau Imager | Optional | Included with Forensic Edition
Ed25519 cryptographic audit trail | No | No | Yes, unique to Sherlock
Chain of custody log | Optional | Optional | Included
Tamper-evident output | Manual | Manual | Automated
Cross-platform | Windows / forensic Linux | Windows / forensic Linux | Windows + Linux
First responder deployment | Requires hardware kit | Requires hardware kit | Software, instant

Choosing a Tableau alternative is not about replacing hardware in every scenario. The honest framing: use the Tableau write blocker or Wiebetech UltraBlock for formal lab acquisitions where the case will be heavily contested and you have time and budget for hardware kit logistics. Use Sherlock as the Wiebetech alternative and Tableau alternative when you need to lock down a USB device in the field within seconds of seizure, when you are a solo examiner running 30 cases a month at margins that cannot absorb a $400 capex per kit, or when you are doing incident response USB analysis at endpoint scale. The Sherlock Ed25519-signed audit trail and the court-ready PDF cover the evidentiary side; the $39 price point covers the budget side. For the deeper competitor positioning context see our Cellebrite vs Magnet AXIOM 2026 breakdown, which addresses the same enterprise-vs-mid-market dynamic in the mobile forensics tier.

Procedure

Recommended Forensic Acquisition Procedure

Follow this step-by-step procedure when using Sherlock Forensics USB Write Blocker for forensic USB device acquisition. Document each step in your case notes.

  1. Enable Write Protection. Launch Sherlock Forensics USB Write Blocker with administrator privileges. Arm the protection. The tool activates PnP arrival monitoring and will apply per-disk IOCTL write blocking to every USB storage device the moment it is detected. The live pristine pulse confirms zero bytes written.
  2. Confirm Protection Status. Verify the status bar shows ARMED with a green protection indicator. The race-window timing in the audit log confirms how fast the block was applied. Screenshot or export the audit log for your case file.
  3. Insert the Suspect USB Device. Plug the suspect device into a USB port. Windows will detect and mount the device in read-only mode. You will be able to browse files and read data but all write operations will be blocked by the operating system.
  4. Verify the Device is Listed. Open Windows Explorer or Disk Management and confirm the suspect device appears. Verify you can browse its contents. Attempt to create a test file on the device to confirm write operations are blocked. Document the device serial number, capacity and filesystem type.
  5. Acquire the Forensic Image. Use your forensic imaging tool (FTK Imager, dd, Guymager or similar) to create a bit-for-bit image of the suspect device. Calculate and record the hash (MD5 and SHA256) of both the source device and the acquired image. The hashes must match to confirm evidence integrity.

Limitations

Known Limitations

Sherlock Forensics USB Write Blocker v1.1.0 uses per-disk IOCTL write blocking with race-window timing. These are the limitations forensic examiners should understand.

Software-Level Protection
v1.1.0 uses IOCTL_DISK_SET_DISK_ATTRIBUTES for per-physical-disk write blocking at the Windows kernel level. This is stronger than the old registry approach but still operates above the hardware layer. A rootkit or kernel-level exploit could theoretically bypass it. For criminal cases or high-stakes litigation where absolute hardware-level guarantees are required, pair with a hardware write blocker. The race-window timing in the audit log provides court evidence of protection speed.
MTP and PTP Devices
Write blocking targets USB mass storage class devices (external drives, USB sticks, SD card readers). Smartphones connected via MTP (Media Transfer Protocol) and cameras using PTP (Picture Transfer Protocol) use different protocols that are not blocked by disk-level IOCTL. Use the topology viewer to identify device classes before handling.
Windows Only
IOCTL disk attributes and the ImDisk shadow mode driver are Windows-specific. This tool does not work on macOS or Linux. For those platforms, use mount -o ro or a hardware write blocker.
Requires Admin Privileges
Per-disk IOCTL operations and the shadow mode driver require administrator access. The tool will prompt for UAC elevation on launch. It cannot run under a standard user account.
Shadow Mode Driver
The bundled ImDisk virtual disk driver installs as a Windows service on first use. While it works on every Windows edition (Home, Pro, Enterprise, Education), the driver registration requires a one-time admin approval. The driver is BSD-licensed open source and installs under a Sherlock-specific service name to avoid conflicts with existing ImDisk Toolkit installs.

Field Operations

When Software Beats Hardware: Field Triage and First Responder Use Cases

Hardware write blockers win on lab-quality formal acquisition. Software wins on operational tempo. Field triage, first responder, DFIR scaling and endpoint forensics are scenarios where waiting for hardware procurement or hauling a hardware kit to the scene is the slower path that loses evidence. This is the operational gap that a software-only Tableau alternative was built to fill.

Field Triage at Time of Seizure

Field triage means an examiner is on-scene with a freshly-seized USB device and needs to lock down write access in seconds, not in the days it takes to ship hardware. Sherlock USB Write Blocker installs on the examiner's existing forensic laptop, arms protection on launch and starts blocking writes the instant the suspect device is inserted. Field triage workflows for civil litigation, corporate internal investigations and law-enforcement seizures all share this same time-pressure constraint that hardware write blockers cannot solve without pre-stationed kit.

First Responder Workflows

A first responder in the digital forensics context is the first examiner to handle evidence at the scene of an incident. Corporate IR teams, law-enforcement first responders and incident response consultants need to be able to lock down USB media before the suspect or another party can modify it. Sherlock is a first responder write blocker because it deploys via a 12 MB installer with no admin-time hardware procurement, so the first responder can equip every team member with the same software write blocker rather than rationing a small inventory of hardware units.

Incident Response USB Device Analysis

Incident response USB workflows handle: USB devices found on a compromised endpoint, USB devices used by a suspected insider for data exfiltration, USB devices delivered as part of a malicious USB drop or BadUSB attack. Sherlock's BadUSB HID Guard plus the IOCTL software write blocker layer plus the Ed25519 audit log let IR teams handle suspicious USB media at incident response speed. Pair with our Android Acquirer for the cross-device responder kit and our PST Viewer for the post-imaging mailbox-evidence analysis side.

DFIR Scaling at Mid-Market

A DFIR write blocker buying decision at a mid-market firm running 30 cases a month means choosing between buying 5 hardware kits at $400 each (or rationing 1 across 5 examiners) versus deploying a $39 software write blocker per examiner. The math is obvious; the DFIR write blocker scaling argument is what makes Sherlock the practical Tableau alternative for firms outside the enterprise-budget tier. See also our full forensic tool catalogue for the cross-product DFIR mesh.

Use Cases

Who Uses Sherlock Forensics USB Write Blocker

Forensic Examiners

Digital forensic professionals use write blocking as standard practice during evidence acquisition. Sherlock Forensics USB Write Blocker provides immediate protection for field triage when a hardware blocker is unavailable or impractical.

Law Enforcement

Police and federal investigators seize USB devices during search warrants and investigations. Write blocking ensures evidentiary value is preserved from the moment of seizure through courtroom presentation.

IT Administrators

System administrators use write blocking to safely examine USB devices found in corporate environments. Investigate potential data exfiltration or malware delivery without risking modification of the original device.

Incident Responders

DFIR teams responding to security incidents need to preserve USB evidence quickly. Software write blocking provides immediate protection during the critical first hours of an incident response engagement.

Corporate IT / IR Teams

Ransomware response, breach investigations and insider threat cases all start with a USB device that must not be modified. Lock down suspect drives in seconds, then export the Ed25519-signed audit log to satisfy legal, insurance and regulatory reviewers. Far cheaper per seat than provisioning hardware blockers across every IR responder.

v1.1.0 Features

What Ships in v1.1.0

Protection

Per-disk IOCTL Write Blocking

Intercepts I/O control requests at the device driver level. Selectively protect individual evidence drives while keeping other USB devices writable.

Race-window Timing

Eliminates the gap between device insertion and protection activation. Write blocking engages before the filesystem driver can issue any write command.

Live Pristine Pulse

Continuous background verification confirms the evidence drive remains unmodified. Any unexpected change triggers an immediate alert in the audit log.

PnP Arrival Detection

Hooks into the Windows Plug and Play subsystem to detect USB device insertion at the earliest possible moment. Protection activates before the device is fully enumerated.

PANIC LOCKDOWN

One-click emergency lockdown blocks all USB write operations system-wide. Use when you suspect active tampering or need immediate protection across every connected device.

USB Intelligence

Full USB Topology View

Displays every USB hub, port and connected device in a hierarchical tree. See exactly what is plugged in and where it connects in the USB chain.

Device History Database

Maintains a persistent record of every USB device that has connected to the system. Includes serial numbers, vendor IDs, first-seen and last-seen timestamps.

Auto-recognize Evidence Drives

Tag known evidence drives so the tool automatically applies the correct protection profile when they are inserted. Reduces human error during repetitive acquisitions.

Shadow Mode

Bundled ImDisk Driver

Ships with the ImDisk virtual disk driver. No separate download or third-party installation required. Everything you need is in the 9.8 MB package.

One-click Install

Shadow mode setup takes a single click. The ImDisk driver installs silently and configures itself for immediate use with no reboots required.

Auto Offline-source

Automatically mounts the shadow copy as an offline source. The original evidence drive stays completely untouched while you work with a writable virtual copy.

Works on All Windows Editions

Shadow mode functions on Windows 10 Home, Pro and Enterprise as well as Windows 11. No edition restrictions or feature gating.

BadUSB Defense

HID Guard Modes

Detects USB devices that claim to be keyboards, mice or other human interface devices. Configurable modes let you block, prompt or allow based on your threat model.

Auto-quarantine HIDs

Suspicious HID devices are automatically quarantined on insertion. The device is disabled at the driver level before it can inject any keystrokes or commands.

Persistent Allow/Deny Lists

Maintain lists of trusted and blocked USB device identifiers. Known-good devices pass through instantly. Unknown devices are held for review.

Chain of Custody

Ed25519-signed Audit Log

Every action is logged and cryptographically signed with Ed25519. Any tampering with the audit trail is immediately detectable through signature verification.

PDF + JSON Report Export

Export the complete audit trail as a formatted PDF for courtroom presentation or as structured JSON for integration with case management systems.

Courtroom-deliverable Artifact

Reports include examiner credentials, case identifiers, device serial numbers and timestamped action logs. Ready for direct submission as court exhibits.

UX

Dark/Light Theme

Switch between dark and light interfaces. Dark mode reduces eye strain during extended forensic sessions. Light mode works better in well-lit lab environments.

Left Rail Navigation

Collapsible left panel organizes all features into logical groups. Access protection controls, device lists, shadow mode and reports without hunting through menus.

Auto-update

Checks for new versions on launch and applies updates automatically. Stay current with the latest protection capabilities without manual downloads.

Compare

Free vs Pro Edition

Feature | Free | Pro ($39)
Per-disk IOCTL write blocking | Yes | Yes
Race-window timing | Yes | Yes
Live pristine pulse | Yes | Yes
PnP arrival detection | Yes | Yes
PANIC LOCKDOWN | Yes | Yes
Full USB topology view | Yes | Yes
Device history database | Yes | Yes
Shadow mode (ImDisk) | Yes | Yes
HID Guard (BadUSB defense) | Yes | Yes
Auto-quarantine HIDs | Yes | Yes
Dark/light theme | Yes | Yes
Left rail navigation | Yes | Yes
Auto-update | Yes | Yes
Auto-recognize evidence drives (saved case profiles) | No | Yes
Persistent allow/deny lists (BadUSB policy) | No | Yes
Ed25519-signed audit log (tamper-evident) | No | Yes
Court-ready PDF report export | No | Yes
JSON audit export (case management integration) | No | Yes
Chain of custody documentation | No | Yes
Priority email support | No | Yes

$39 vs $400 Tableau

A Tableau T356789iu hardware write blocker costs $400 or more. Sherlock Forensics USB Write Blocker Pro provides per-disk IOCTL protection, BadUSB defense, shadow mode and Ed25519-signed audit logs for $39 one-time. The free edition covers core write blocking with no restrictions. Upgrade to Pro when you need court-ready reports and advanced forensic features.

Changelog

Version History

v1.1.0 (2026-05-14)

  • Per-disk IOCTL write blocking replaces registry-only approach
  • Race-window timing closes the gap between insertion and protection
  • Live pristine pulse for continuous evidence integrity monitoring
  • PnP arrival detection hooks into Plug and Play subsystem
  • PANIC LOCKDOWN for emergency system-wide write blocking
  • Full USB topology view with hierarchical device tree
  • Device history database with serial numbers and timestamps
  • Auto-recognize evidence drives with saved profiles
  • Shadow mode with bundled ImDisk driver and one-click install
  • Auto offline-source for shadow copies
  • HID Guard BadUSB defense with configurable modes
  • Auto-quarantine for suspicious HID devices
  • Persistent allow/deny lists for USB device control
  • Ed25519-signed audit log for tamper-evident chain of custody
  • PDF and JSON report export for courtroom delivery
  • Dark/light theme toggle
  • Left rail navigation with collapsible panel
  • Auto-update on launch

v1.0 (2026-04-18)

  • Per-disk IOCTL write blocking with race-window timing
  • One-click enable/disable toggle
  • Status verification display
  • UAC elevation prompt
  • Evidence drive protection for all USB mass storage devices
  • Forensic imaging preparation workflow

Download

Get Sherlock Forensics USB Write Blocker

Version 1.1.0 for Windows 10/11 (64-bit). Single executable, 9.8 MB. No license required for free edition.

File
sherlock-usb-blocker.exe (9.8 MB)
SHA256
61140492fc6d3b984d088093e12486f22f1b91ea9d0e8513ae97155349cbdbbd
Version
1.1.0
Platform
Windows 10/11 (64-bit)
Size
9.8 MB
Price
Free core protection. $39 one-time for Pro edition.

Questions

USB Write Blocker FAQ

What is a USB write blocker?
A USB write blocker prevents any data from being written to a USB storage device. It ensures the contents of the device remain unmodified during forensic examination. This preserves evidence integrity and maintains chain of custody for court admissibility.
How does Sherlock Forensics USB Write Blocker work?
Sherlock Forensics USB Write Blocker v1.1.0 uses IOCTL_DISK_SET_DISK_ATTRIBUTES to set per-physical-disk read-only attributes at the Windows kernel level. PnP arrival detection catches devices the millisecond they appear on the bus. Race-window timing records how fast the block was applied for court evidence. The live pristine pulse confirms zero bytes were written to the blocked drive.
Is a software write blocker admissible in court?
Software write blockers are accepted in many jurisdictions when proper procedure is documented. However, hardware write blockers from manufacturers like Tableau and CRU provide a stronger forensic guarantee because they operate at the hardware level. For high-stakes cases, use a hardware write blocker or combine both methods.
Does it work on already-mounted drives?
v1.1.0 uses PnP arrival detection to catch devices the moment they connect. For drives already mounted before protection is armed, eject and reinsert them for the IOCTL block to apply. The topology viewer shows the current state of every connected device so you can verify protection status.
Is Sherlock Forensics USB Write Blocker free?
Yes. Sherlock Forensics USB Write Blocker is completely free with no trial period, no feature restrictions and no license required. Download and use it without limitations.
What is IOCTL-level write blocking?
IOCTL-level write blocking intercepts I/O control requests at the device driver level before they reach the storage hardware. Unlike registry-based blocking that applies globally, IOCTL blocking operates per-disk so you can selectively protect individual evidence drives while keeping other USB devices writable. This provides stronger forensic protection than registry-only methods.
Does this protect against BadUSB attacks?
Yes. Sherlock Forensics USB Write Blocker v1.1.0 includes HID Guard that detects USB devices masquerading as keyboards or other human interface devices. It can auto-quarantine suspicious HIDs and maintains persistent allow/deny lists so known-good devices pass through while unknown devices are blocked.
Can I use the audit log in court?
Yes. The Pro edition generates Ed25519-signed audit logs that provide cryptographic proof of every action taken during evidence handling. The audit trail exports to PDF and JSON formats suitable for courtroom presentation. Ed25519 signatures are tamper-evident so any modification to the log is detectable.
How does shadow mode work?
Shadow mode creates a virtual copy of the evidence drive using the bundled ImDisk driver. This lets you work with a writable shadow copy while the original evidence remains completely untouched. Shadow mode works on all Windows editions and installs with one click. The virtual disk operates as an offline source for safe forensic analysis.
Is Sherlock USB Write Blocker a Tableau alternative?
Yes. Sherlock USB Write Blocker is a software-only Tableau alternative at $39 versus $400-plus for the Tableau write blocker hardware line. It targets the field triage, first responder and DFIR scaling scenarios where hardware procurement is too slow or too expensive. For formal lab acquisition under heavy contest, the Tableau write blocker hardware remains the gold standard. For everything else, the software write blocker model at $39 with Ed25519 audit trail and court-ready PDF is the practical choice.
Can a software write blocker replace hardware for forensic acquisition?
In some scenarios yes, in others no. A software write blocker operates at the OS storage stack with read-only mount enforcement and sector lock at the volume layer. This blocks Win32 file APIs and standard write paths but cannot stop a custom kernel-mode driver from reaching the block device directly. For 95 percent of field triage, incident response USB analysis and DFIR scaling work, the software write blocker model is sufficient. For lab acquisition that will face a defense expert bypass test, use a UDMA write blocker hardware unit and document the procedure.
Does Sherlock pass NIST CFTT testing?
Not yet. Sherlock USB Write Blocker is eligible for independent NIST CFTT testing but has not been submitted at this time. The Tableau write blocker and Wiebetech UltraBlock hardware lines are NIST CFTT validated, which matters for lab acquisition. The Sherlock methodology is documented and the Ed25519-signed audit trail provides cryptographic evidence of every action; courts have accepted comparable software write blocker output when the procedure is properly documented.
What is the price difference between Sherlock and Tableau, Wiebetech or Logicube?
Sherlock USB Write Blocker Pro is $39 one-time. Tableau write blocker units (T356u and similar) run $400 to $500. Wiebetech UltraBlock hardware runs $300 to $400. Logicube write blockers are in the same hardware tier. As a Wiebetech alternative or Tableau alternative for non-formal-lab use, Sherlock is 10x cheaper. The trade-off is hardware-level guarantees: hardware wins for the absolute lab gold standard, software wins for everything else.
Can I use Sherlock USB Write Blocker for first responder field triage?
Yes. Sherlock is built for field triage and first responder use. The installer is 12 MB. Once installed, arm protection and Sherlock will lock down every newly-arrived USB device with per-disk IOCTL write blocking the moment Windows fires PnP arrival. The Ed25519-signed audit log captures the race-window timing so the first responder can prove zero bytes were written before the block engaged. No hardware kit, no shipping delay.
Does Sherlock work for incident response USB device analysis?
Yes. Incident response USB workflows are a primary design target: USB devices found on a compromised endpoint, USB devices used for data exfiltration by a suspected insider, USB devices delivered as part of a BadUSB attack. Sherlock combines the software write blocker layer, the BadUSB HID Guard, per-disk sector lock and the Ed25519 audit log. The DFIR write blocker scaling math (one $39 license per IR team member versus rationing a $400 hardware kit) is what makes Sherlock the practical Tableau alternative for IR teams.

Get Started

Download Sherlock Forensics USB Write Blocker

Free forensic USB write blocker built by CISSP, ISSAP and ISSMP certified forensic professionals. Need a full forensic examination or incident response? Contact our team.

Since 2006 · CISSP, ISSAP, ISSMP certified · 888.883.4550

Used for: Endpoint security, compliance enforcement, data loss prevention, removable media control and air-gap protection

Try the free version before you buy. No limitations on core write-blocking features.

Sherlock Forensics USB Write Blocker is provided for lawful forensic use only. Ensure compliance with your jurisdiction's evidence handling requirements. Terms of Service
