
Sherlock Forensics USB Write Blocker Every USB Device. Surgical Write Protection. Court-Ready Audit Trail.

Per-disk IOCTL write blocking with race-window timing, BadUSB defense, shadow mode and Ed25519-signed forensic reports. Free to protect. $39 Pro for court.

Sherlock Forensics USB Write Blocker v1.1.0 is a Windows forensic tool providing per-disk IOCTL write blocking, BadUSB HID Guard, shadow mode via a bundled ImDisk driver and Ed25519-signed audit logs. It marks each physical disk read-only in the Windows storage stack (IOCTL_DISK_SET_DISK_ATTRIBUTES, the same attribute diskpart sets with attributes disk set readonly), so writes are refused per device instead of through the global StorageDevicePolicies registry switch. Free core with $39 Pro for court-ready reports.

Free to use. Pro at $39 one-time unlocks advanced features.

No install required for core blocking · IOCTL-level blocking · No registry hacks · Since 2006

Mechanism

How Sherlock Forensics USB Write Blocker Works

Sherlock Forensics USB Write Blocker v1.1.0 issues IOCTL_DISK_SET_DISK_ATTRIBUTES with the read-only flag for each physical disk, and the Windows disk class driver enforces it in the kernel: once the attribute is set, write requests to that disk are refused. Each USB storage device is blocked individually as soon as Windows raises the PnP arrival notification for it. The disk object has to exist before its attribute can be set, so there is always a short window between arrival and block; that race-window timing is measured and written to the audit log for every block event, for court evidence.

The live pristine pulse indicator shows a green pulse while zero bytes have been written to a blocked drive. If any write lands before the block takes effect, the race-window entry records the exact timing so the examiner can assess whether evidence integrity was maintained; a write inside that window is a modification of the evidence and must be documented as such.

PANIC LOCKDOWN mode provides an emergency global override that blocks all USB storage simultaneously. Per-device controls allow surgical blocking and unblocking from the topology viewer.
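The mechanism described above, as an added example that is not Sherlock's own code: a short Python script that does for one disk what the page says the tool does, open \\.\PhysicalDriveN and issue IOCTL_DISK_GET_DISK_ATTRIBUTES / IOCTL_DISK_SET_DISK_ATTRIBUTES through ctypes. The ioctl codes and structure layouts are the documented ones from winioctl.h; the function names and the command-line handling are this example's own. The DeviceIoControl call needs Windows and an elevated prompt, while the packing helpers are pure Python so the codes and buffers can be checked on any platform.

```python
import struct

# CTL_CODE(DeviceType, Function, Method, Access) as defined in winioctl.h
FILE_DEVICE_DISK, METHOD_BUFFERED = 0x07, 0
FILE_READ_ACCESS, FILE_WRITE_ACCESS = 0x1, 0x2

def ctl_code(device_type, function, method, access):
    return (device_type << 16) | (access << 14) | (function << 2) | method

IOCTL_DISK_GET_DISK_ATTRIBUTES = ctl_code(FILE_DEVICE_DISK, 0x3C, METHOD_BUFFERED, 0)
IOCTL_DISK_SET_DISK_ATTRIBUTES = ctl_code(FILE_DEVICE_DISK, 0x3D, METHOD_BUFFERED,
                                          FILE_READ_ACCESS | FILE_WRITE_ACCESS)
DISK_ATTRIBUTE_OFFLINE, DISK_ATTRIBUTE_READ_ONLY = 0x1, 0x2

# SET_DISK_ATTRIBUTES { DWORD Version; BOOLEAN Persist; BYTE Reserved1[3];
#   DWORDLONG Attributes; DWORDLONG AttributesMask; DWORD Reserved2[4]; }  -> 40 bytes
SET_FMT = "<IB3xQQ4I"
# GET_DISK_ATTRIBUTES { DWORD Version; DWORD Reserved1; DWORDLONG Attributes; } -> 16 bytes
GET_FMT = "<IIQ"

def pack_set_disk_attributes(attributes, mask, persist=True):
    """Input buffer for IOCTL_DISK_SET_DISK_ATTRIBUTES. Version must equal sizeof();
    only the bits set in `mask` change; Persist keeps the flag across re-plugs."""
    size = struct.calcsize(SET_FMT)
    return struct.pack(SET_FMT, size, 1 if persist else 0, attributes, mask, 0, 0, 0, 0)

def unpack_get_disk_attributes(buf):
    version, _, attributes = struct.unpack(GET_FMT, buf[:struct.calcsize(GET_FMT)])
    if version != struct.calcsize(GET_FMT):
        raise ValueError(f"unexpected GET_DISK_ATTRIBUTES version {version}")
    return attributes

def describe(attributes):
    return {"offline": bool(attributes & DISK_ATTRIBUTE_OFFLINE),
            "read_only": bool(attributes & DISK_ATTRIBUTE_READ_ONLY)}

def device_io_control(path, code, in_buf=b"", out_len=0):
    """DeviceIoControl on \\\\.\\PhysicalDriveN via ctypes. Windows only, elevated."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, wintypes.LPVOID,
                                wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    k32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID, wintypes.DWORD,
                                    wintypes.LPVOID, wintypes.DWORD, ctypes.POINTER(wintypes.DWORD),
                                    wintypes.LPVOID]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    GENERIC_READ, GENERIC_WRITE, SHARE_RW, OPEN_EXISTING = 0x80000000, 0x40000000, 0x3, 3
    # the SET ioctl requires a handle opened for read and write access
    h = k32.CreateFileW(path, GENERIC_READ | GENERIC_WRITE, SHARE_RW, None, OPEN_EXISTING, 0, None)
    if h in (None, ctypes.c_void_p(-1).value):
        raise ctypes.WinError()
    try:
        inp = ctypes.create_string_buffer(in_buf, len(in_buf)) if in_buf else None
        out = ctypes.create_string_buffer(out_len) if out_len else None
        returned = wintypes.DWORD(0)
        if not k32.DeviceIoControl(h, code, inp, len(in_buf), out,
                                   out_len, ctypes.byref(returned), None):
            raise ctypes.WinError()
        return out.raw[:returned.value] if out else b""
    finally:
        k32.CloseHandle(h)

def get_disk_attributes(disk_number):
    raw = device_io_control(rf"\\.\PhysicalDrive{disk_number}",
                            IOCTL_DISK_GET_DISK_ATTRIBUTES, out_len=16)
    return describe(unpack_get_disk_attributes(raw))

def set_disk_read_only(disk_number, read_only=True, persist=True):
    """Set or clear the read-only attribute on one physical disk; return the new state."""
    flags = DISK_ATTRIBUTE_READ_ONLY if read_only else 0
    device_io_control(rf"\\.\PhysicalDrive{disk_number}", IOCTL_DISK_SET_DISK_ATTRIBUTES,
                      pack_set_disk_attributes(flags, DISK_ATTRIBUTE_READ_ONLY, persist))
    return get_disk_attributes(disk_number)

if __name__ == "__main__":          # python disk_ro.py 2        -> block disk 2
    import sys                      # python disk_ro.py 2 release -> clear the attribute
    print(set_disk_read_only(int(sys.argv[1]), read_only=sys.argv[2:] != ["release"]))
```

With Persist set, Windows remembers the flag for that disk identity, which is also what diskpart's attributes disk set readonly does, so release it once the acquisition is done or the disk will come back read-only on this workstation. Confirm the state independently with diskpart (select disk N, then detail disk, which shows Read-only : Yes) or with Get-Disk -Number N | Select-Object IsReadOnly.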

Technical Details

Write Block Method
IOCTL_DISK_SET_DISK_ATTRIBUTES per physical disk, setting DISK_ATTRIBUTE_READ_ONLY. Surgical per-device blocking, not a global registry toggle: each disk gets its own read-only attribute set independently, and the state can be confirmed outside the tool with diskpart (detail disk shows Read-only : Yes) or Get-Disk.
Device Detection
PnP arrival notification via Windows device management APIs. Devices are picked up as soon as the bus enumerates them and the disk object appears. Race-window timing recorded for every block event.
Scope
Blocks USB mass storage class devices (flash drives, external hard drives, USB-connected card readers). Full topology view shows every USB device on the bus including HIDs, audio, cameras and printers. MTP and PTP devices use different protocols and are not write-blocked.
Shadow Mode
Bundled ImDisk virtual disk driver creates a read-only virtual mount of the source disk. The source disk is taken offline before the mount so Windows never sees two disks with the same signature. Works on all Windows editions.
Admin Privileges
Required. IOCTL disk operations and shadow mode driver registration require administrator elevation. The tool prompts for UAC consent on launch.
Audit Trail
Ed25519-signed, hash-chained JSONL audit log at %PROGRAMDATA%\Sherlock\usb-blocker\audit.jsonl. Every action timestamped to the millisecond. The public key is embedded for downstream verification; record its fingerprint in the case file, since a signature proves only that the holder of the matching private key produced the entry. Signing and PDF/JSON forensic report export are Pro features.

Evidence Integrity

Why Forensic Examiners Need Write Blocking

Write blocking is a foundational requirement in digital forensics. When a USB device is connected to a Windows computer without write protection, the operating system can modify the device in ways that compromise evidentiary value. Windows may update access timestamps, create Recycle Bin metadata, write System Volume Information folders or launch AutoPlay handlers. Any of these modifications changes the hash value of the original evidence and undermines its admissibility in court.

Evidence Integrity

Forensic evidence must remain unaltered from the moment of seizure through final presentation in court. Write blocking ensures that no bits are changed on the suspect device during examination, so the forensic image hash matches the hash of the original device and demonstrates that the evidence has not been tampered with. NIST CFTT publishes the test specifications against which write blockers are evaluated, and SWGDE best practices call for demonstrable write protection during evidence acquisition.

Chain of Custody

Chain of custody documentation must account for every interaction with evidence. Using a write blocker provides a documented control showing that no modifications occurred during your examination. Defense attorneys routinely challenge digital evidence by questioning whether proper handling procedures were followed; a write blocker removes the most common line of attack on the authenticity of digital evidence. See our chain of custody software for complete evidence tracking.

Court Admissibility

Courts in the United States, Canada and most common law jurisdictions expect forensic examiners to use write blocking during evidence acquisition. Under the Daubert standard, general acceptance of a method in the relevant field is one of the factors a court weighs, and write blocking is a universally accepted practice. Failure to use write protection can result in evidence being excluded, case dismissal or expert testimony being challenged under cross-examination.

Compare

Hardware vs Software Write Blockers

Feature | Sherlock Forensics USB Write Blocker (software) | Hardware write blocker (Tableau/CRU)
Protection level | Operating system: per-disk read-only attribute set via IOCTL | Hardware controller between host and device
Cost | Free | $200 to $500+
Court acceptance | Accepted in many jurisdictions | Gold standard
Portability | Software only, no hardware needed | Requires physical device
USB support | All USB mass storage | All USB mass storage
SATA/IDE support | No | Yes (model dependent)
Bypass risk | Possible via admin access or malware on the workstation | No software bypass possible
Setup time | One click | Physical connection required
NIST CFTT tested | No | Yes (select models)

When to Use Each Approach

Hardware write blockers from Tableau (now OpenText) and CRU provide the strongest forensic guarantee because they sit between the host and the device, below the operating system, where no software running on the examination workstation can reach them. For criminal cases, litigation with high financial stakes or any matter where evidence may face aggressive legal challenge, a hardware write blocker is the recommended approach. Sherlock Forensics USB Write Blocker fills a different role: immediate write protection when a hardware blocker is unavailable, preliminary triage in the field, incident response situations where speed matters, and training and education environments. Many examiners use both: software write blocking for initial triage and hardware write blocking for formal acquisition.

Procedure

Recommended Forensic Acquisition Procedure

Follow this step-by-step procedure when using Sherlock Forensics USB Write Blocker for forensic USB device acquisition. Document each step in your case notes.

  1. Enable Write Protection. Launch Sherlock Forensics USB Write Blocker with administrator privileges and arm the protection before any suspect device is connected. The tool activates PnP arrival monitoring and applies per-disk IOCTL write blocking to every USB storage device the moment it is detected.
  2. Confirm Protection Status. Verify the status bar shows ARMED with a green protection indicator. Record the tool version and the SHA256 of the executable in the case notes. If you want to prove the block works on this workstation, do it now with a scratch drive: insert one, attempt to create a file on it and confirm Windows refuses with "The media is write protected".
  3. Insert the Suspect USB Device. Plug the suspect device into a USB port. Windows detects the disk, the tool sets the read-only attribute and the volume mounts read-only: you can browse and read data, but write operations are refused by the operating system. Do not attempt a test write on the suspect device itself; if the block has failed for any reason, the probe would alter the evidence.
  4. Verify the Device is Listed. Confirm the device appears in the topology viewer, Windows Explorer or Disk Management and that its read-only attribute is set (diskpart: select disk N, then detail disk, which shows Read-only : Yes). Check the race-window entry for this device in the audit log and the live pristine pulse reading. Document the device serial number, capacity and filesystem type, and screenshot or export the audit log for your case file.
  5. Acquire the Forensic Image. Use your forensic imaging tool (FTK Imager, dd, Guymager or similar) to create a bit-for-bit image of the suspect device. Calculate and record the hash (MD5 and SHA256) of both the source device and the acquired image. The hashes must match to confirm evidence integrity; re-hash the source after imaging if your procedure calls for it.
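The checks behind steps 2, 4 and 5, as an added example that is not the tool's code: probe_write is meant for a scratch volume and must come back refused; stream_hashes and verify_acquisition hash a source device or image and the acquired image independently and compare both digests and the byte count. Paths such as \\.\PhysicalDrive2 are placeholders, and the bytes written by make_sample_image are constructed so the hashing path runs without hardware.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB: a multiple of any sector size, so raw-device reads stay aligned

def probe_write(volume_root=None, name="write-blocker-probe.tmp"):
    """Try to create a file on a SCRATCH volume and report (refused, detail).
    On a blocked disk Windows answers ERROR_WRITE_PROTECT ("The media is write
    protected"), which Python raises as OSError. Never point this at the evidence
    volume: if the block has failed, the probe itself modifies the evidence.
    volume_root=None probes the temp directory, which is writable, to show the
    'not blocked' branch."""
    path = os.path.join(volume_root or tempfile.gettempdir(), name)
    try:
        with open(path, "xb") as f:
            f.write(b"probe")
    except OSError as exc:
        return True, f"write refused: {exc}"
    os.remove(path)
    return False, "write succeeded: this disk is NOT write-blocked"

def stream_hashes(path, limit=None):
    """MD5 and SHA-256 in one pass over an image file or a raw device
    (\\\\.\\PhysicalDriveN, elevated). For a raw device pass its size as `limit`
    so the final read stays inside the device and sector-aligned."""
    md5, sha, done = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb", buffering=0) as f:
        while limit is None or done < limit:
            want = CHUNK if limit is None else min(CHUNK, limit - done)
            block = f.read(want)
            if not block:
                break
            md5.update(block)
            sha.update(block)
            done += len(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": done}

def verify_acquisition(source_path, image_path, source_size=None):
    """Hash source and image independently; they must agree in length and both digests."""
    src = stream_hashes(source_path, source_size)
    img = stream_hashes(image_path)
    match = all(src[k] == img[k] for k in ("md5", "sha256", "bytes"))
    return {"source": src, "image": img, "match": match}

def make_sample_image(data, name):
    """Write constructed bytes to a temp file and return its path (sample input only)."""
    path = os.path.join(tempfile.gettempdir(), name)
    with open(path, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    print(probe_write())                                           # temp dir: (False, ...)
    sample = bytes(range(256)) * 8192                              # 2 MiB of constructed data
    src = make_sample_image(sample, "sample-source.bin")
    img = make_sample_image(sample, "sample-image.bin")
    print(verify_acquisition(src, img)["match"])                   # True
```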

Limitations

Known Limitations

Sherlock Forensics USB Write Blocker v1.1.0 uses per-disk IOCTL write blocking with race-window timing. These are the limitations forensic examiners should understand.

Software-Level Protection
v1.1.0 uses IOCTL_DISK_SET_DISK_ATTRIBUTES for per-physical-disk write blocking enforced by the Windows disk class driver. This is stronger than the old registry approach but still operates above the hardware layer: any process running with administrator rights can clear the attribute with the same IOCTL (or with diskpart), and a rootkit or kernel-level exploit could bypass it outright. For criminal cases or high-stakes litigation where absolute hardware-level guarantees are required, pair it with a hardware write blocker. The race-window timing in the audit log documents how quickly protection was applied; it does not make the window zero.
MTP and PTP Devices
Write blocking targets USB mass storage class devices (external drives, USB sticks, SD card readers). Smartphones connected via MTP (Media Transfer Protocol) and cameras using PTP (Picture Transfer Protocol) use different protocols that are not blocked by disk-level IOCTL. Use the topology viewer to identify device classes before handling.
Windows Only
IOCTL disk attributes and the ImDisk shadow mode driver are Windows-specific. This tool does not work on macOS or Linux. On Linux, mark the block device read-only with blockdev --setro /dev/sdX before mounting (mount -o ro alone still lets some filesystem drivers replay a journal), or use a hardware write blocker.
Requires Admin Privileges
Per-disk IOCTL operations and the shadow mode driver require administrator access. The tool will prompt for UAC elevation on launch. It cannot run under a standard user account.
Shadow Mode Driver
The bundled ImDisk virtual disk driver installs as a Windows service on first use. While it works on every Windows edition (Home, Pro, Enterprise, Education), the driver registration requires a one-time admin approval. The driver is BSD-licensed open source and installs under a Sherlock-specific service name to avoid conflicts with existing ImDisk Toolkit installs.

Use Cases

Who Uses Sherlock Forensics USB Write Blocker

Forensic Examiners

Digital forensic professionals use write blocking as standard practice during evidence acquisition. Sherlock Forensics USB Write Blocker provides immediate protection for field triage when a hardware blocker is unavailable or impractical.

Law Enforcement

Police and federal investigators seize USB devices during search warrants and investigations. Write blocking ensures evidentiary value is preserved from the moment of seizure through courtroom presentation.

IT Administrators

System administrators use write blocking to safely examine USB devices found in corporate environments. Investigate potential data exfiltration or malware delivery without risking modification of the original device.

Incident Responders

DFIR teams responding to security incidents need to preserve USB evidence quickly. Software write blocking provides immediate protection during the critical first hours of an incident response engagement.

v1.1.0 Features

What Ships in v1.1.0

Protection

Per-disk IOCTL Write Blocking

Issues IOCTL_DISK_SET_DISK_ATTRIBUTES with the read-only flag for one physical disk, after which the Windows disk class driver refuses write requests to that disk. Selectively protect individual evidence drives while keeping other USB devices writable.

Race-window Timing

Measures and logs the gap between a device's PnP arrival and the moment its block takes effect. The gap cannot be zero, because the disk object must exist before its attribute can be set, so the audit entry records how long it was and whether any write landed inside it.

Live Pristine Pulse

Continuous background verification confirms the evidence drive remains unmodified. Any unexpected change triggers an immediate alert in the audit log.

PnP Arrival Detection

Subscribes to the Windows Plug and Play subsystem so USB arrival is seen as soon as Windows reports it, without polling. The block is applied as the disk object appears, and the actual delay is written to the race-window log.

PANIC LOCKDOWN

One-click emergency lockdown blocks all USB write operations system-wide. Use when you suspect active tampering or need immediate protection across every connected device.

USB Intelligence

Full USB Topology View

Displays every USB hub, port and connected device in a hierarchical tree. See exactly what is plugged in and where it connects in the USB chain.

Device History Database

Maintains a persistent record of every USB device that has connected to the system. Includes serial numbers, vendor IDs, first-seen and last-seen timestamps.

Auto-recognize Evidence Drives

Tag known evidence drives so the tool automatically applies the correct protection profile when they are inserted. Reduces human error during repetitive acquisitions.

Shadow Mode

Bundled ImDisk Driver

Ships with the ImDisk virtual disk driver. No separate download or third-party installation required. Everything you need is in the 9.8 MB package.

One-click Install

Shadow mode setup takes a single click. The ImDisk driver installs silently and configures itself for immediate use with no reboots required.

Auto Offline-source

Takes the original evidence disk offline automatically before the ImDisk mount, so Windows never mounts both the source and the virtual disk (or sees two disks with one signature) and the original stays untouched while you work from the virtual mount.

Works on All Windows Editions

Shadow mode functions on Windows 10 Home, Pro and Enterprise as well as Windows 11. No edition restrictions or feature gating.

BadUSB Defense

HID Guard Modes

Detects USB devices that claim to be keyboards, mice or other human interface devices. Configurable modes let you block, prompt or allow based on your threat model.

Auto-quarantine HIDs

Suspicious HID devices are quarantined on insertion and disabled at the driver level. As with the disk block, this happens after enumeration, so a device that starts typing the instant its HID interface binds can get a few keystrokes in first; treat HID Guard as a mitigation rather than a guarantee. BadUSB firmware that presents as a network adapter rather than a HID is outside HID Guard's scope.

Persistent Allow/Deny Lists

Maintain lists of trusted and blocked USB device identifiers. Known-good devices pass through instantly. Unknown devices are held for review.
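How the three HID Guard controls above fit together, as an added example that is not Sherlock's code: a policy evaluator over the compatible IDs Windows assigns to USB interfaces (USB\Class_03&SubClass_01&Prot_01 is a HID boot keyboard, USB\Class_08 is mass storage) with an allow/deny list keyed on VID:PID:serial. The device records, the mode names and the decision rules are this example's assumptions; the VID/PID values of the keyboard receiver and flash drive are real vendor IDs used only as sample data, and the composite device is entirely constructed.

```python
import re
from dataclasses import dataclass

HID, MASS_STORAGE = 0x03, 0x08
BOOT_KEYBOARD = (HID, 0x01, 0x01)   # class 03, boot-interface subclass 01, keyboard protocol 01
_CLASS_RE = re.compile(
    r"USB\\Class_([0-9A-Fa-f]{2})(?:&SubClass_([0-9A-Fa-f]{2}))?(?:&Prot_([0-9A-Fa-f]{2}))?")
_VID_PID_RE = re.compile(r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

@dataclass(frozen=True)
class UsbDevice:
    """One enumerated device, with the interface classes of all its functions grouped
    together as the topology viewer would show them (a simplified model)."""
    instance_id: str       # USB\VID_xxxx&PID_xxxx\<serial or bus-location string>
    compatible_ids: tuple  # one USB\Class_xx&SubClass_xx&Prot_xx entry per interface

def interface_classes(dev):
    out = set()
    for cid in dev.compatible_ids:
        m = _CLASS_RE.match(cid)
        if m:
            out.add(tuple(int(g, 16) if g else 0 for g in m.groups()))
    return out

def fingerprint(dev):
    """Return ('VID:PID:serial', has_serial). When a device reports no serial number,
    Windows substitutes a bus-location string containing '&' that changes with the
    port, so such a device cannot be allow-listed by identity."""
    m = _VID_PID_RE.match(dev.instance_id)
    tail = dev.instance_id.rsplit("\\", 1)[-1]
    fp = f"{m.group(1).upper()}:{m.group(2).upper()}:{tail}" if m else dev.instance_id
    return fp, "&" not in tail

def evaluate(dev, mode, allow=frozenset(), deny=frozenset()):
    """HID Guard decision. mode is 'block', 'prompt' or 'allow';
    returns ('allow' | 'hold' | 'quarantine', reason)."""
    fp, has_serial = fingerprint(dev)
    classes = interface_classes(dev)
    hid = {c for c in classes if c[0] == HID}
    if fp in deny:
        return "quarantine", f"{fp} is on the deny list"
    if fp in allow:
        note = "" if has_serial else " (no serial: identity is port-based, weak)"
        return "allow", f"{fp} is on the allow list{note}"
    if not hid:
        return "allow", "no HID interface; storage is handled by the disk write block"
    if any(c[0] == MASS_STORAGE for c in classes):
        return "quarantine", "HID plus mass storage on one device: classic BadUSB shape"
    kind = "keyboard" if BOOT_KEYBOARD in hid else "HID device"
    if mode == "block":
        return "quarantine", f"unknown {kind} {fp}"
    if mode == "prompt":
        return "hold", f"unknown {kind} {fp}: waiting for examiner approval"
    return "allow", f"mode=allow: unknown {kind} {fp} admitted"

# Constructed sample devices. 046D (Logitech) and 0781 (SanDisk) are real vendor IDs
# used as sample data; VID_FFFF is a placeholder for the composite attacker device.
KEYBOARD = UsbDevice(r"USB\VID_046D&PID_C52B\7&2A1B3C&0&4",
                     (r"USB\Class_03&SubClass_01&Prot_01",))
FLASH_DRIVE = UsbDevice(r"USB\VID_0781&PID_5583\4C530001230530101234",
                        (r"USB\Class_08&SubClass_06&Prot_50",))
COMPOSITE = UsbDevice(r"USB\VID_FFFF&PID_0001\5&3F2E1D&0&2",
                      (r"USB\Class_03&SubClass_01&Prot_01", r"USB\Class_08&SubClass_06&Prot_50"))

def demo(mode="prompt"):
    return {name: evaluate(dev, mode) for name, dev in
            (("keyboard", KEYBOARD), ("flash_drive", FLASH_DRIVE), ("composite", COMPOSITE))}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:12s} {decision[0]:10s} {decision[1]}")
```

The composite device is quarantined in every mode, including allow, because a keyboard interface and a drive on one plug is the classic BadUSB shape; the flash drive passes HID Guard and is left to the disk write block; the receiver has no serial, so even on the allow list its identity is only as strong as the port it was seen on.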

Chain of Custody

Ed25519-signed Audit Log

Every action is logged and cryptographically signed with Ed25519, and entries are hash-chained so that removing or reordering one breaks the chain. Tampering after the fact is detectable by anyone holding the public key. The guarantee rests on the signing key staying out of the tamperer's hands, so an attacker with administrator rights on the examination workstation while the tool runs is outside this threat model. Record the public key fingerprint and the final chain hash in the case file so that truncation of the log's tail can be detected too.
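What downstream verification of the audit trail described here and under Technical Details (Ed25519-signed, hash-chained JSONL) looks like, as an added example that is not Sherlock's code: a verifier that walks the chain and checks each signature, run against a log the example signs itself. The entry layout, field names and sample events are this example's assumptions. Ed25519 is written out in plain Python (the reference-style, variable-time construction) only so that the block runs with no third-party package; a production signer or verifier should use a vetted library.

```python
import hashlib
import json

# Ed25519 (RFC 8032) in plain Python: reference-style and variable-time, for a self-contained
# example only. Use a vetted library for anything beyond verifying a log offline.
q = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493
inv = lambda x: pow(x, q - 2, q)
d = (-121665 * inv(121666)) % q
I = pow(2, (q - 1) // 4, q)

def xrecover(y):  # even x with x^2 = (y^2 - 1) / (d y^2 + 1)
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q:
        x = (x * I) % q
    return q - x if x & 1 else x

B = (xrecover(4 * inv(5) % q), 4 * inv(5) % q)  # base point

def add(P, Q):  # twisted Edwards addition with a single field inversion
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    den = inv((1 + t) * (1 - t))
    return ((x1 * y2 + x2 * y1) * (1 - t) * den % q, (y1 * y2 + x1 * x2) * (1 + t) * den % q)

def mul(P, e):  # double-and-add scalar multiplication
    R = (0, 1)
    for bit in bin(e)[2:]:
        R = add(R, R) if bit == "0" else add(add(R, R), P)
    return R

def enc(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
def dec(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    x = q - x if (x & 1) != (s[31] >> 7) else x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q:
        raise ValueError("not a curve point")
    return (x, y)
def h_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def keypair(seed):  # seed: 32 secret random bytes (os.urandom(32) in real use)
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    sk = (a, h[32:], enc(mul(B, a)))
    return sk, sk[2]

def sign(sk, msg):
    a, prefix, pk = sk
    r = h_int(prefix, msg) % l
    R = enc(mul(B, r))
    return R + ((r + h_int(R, pk, msg) * a) % l).to_bytes(32, "little")

def verify(pk, msg, sig):
    try:
        R, A = dec(sig[:32]), dec(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    return S < l and mul(B, S) == add(R, mul(A, h_int(sig[:32], pk, msg) % l))

# Hash-chained JSONL log. The entry layout is this example's assumption, not Sherlock's:
# hash = SHA-256(canonical {seq, ts, event, prev}); sig = Ed25519 over the hash bytes.
GENESIS = "0" * 64

def canonical(e):
    return json.dumps({k: e[k] for k in ("seq", "ts", "event", "prev")},
                      sort_keys=True, separators=(",", ":")).encode()

def append_line(lines, sk, event, ts):
    """Append one signed entry as a JSON line, chained to the current last line."""
    prev = json.loads(lines[-1])["hash"] if lines else GENESIS
    body = {"seq": len(lines), "ts": ts, "event": event, "prev": prev}
    digest = hashlib.sha256(canonical(body)).hexdigest()
    lines.append(json.dumps(dict(body, hash=digest, sig=sign(sk, bytes.fromhex(digest)).hex())))
    return lines

def verify_log(lines, pk_hex):
    """Return (ok, seq, reason): first failing entry and why, or (True, count, 'ok')."""
    pk, prev = bytes.fromhex(pk_hex), GENESIS
    for n, line in enumerate(lines):
        e = json.loads(line)
        if e["seq"] != n or e["prev"] != prev:
            return False, n, "chain break: entry removed or reordered"
        if hashlib.sha256(canonical(e)).hexdigest() != e["hash"]:
            return False, n, "hash mismatch: entry edited"
        if not verify(pk, bytes.fromhex(e["hash"]), bytes.fromhex(e["sig"])):
            return False, n, "bad signature: entry not produced by the signing key"
        prev = e["hash"]
    return True, len(lines), "ok"

def build_sample_log(seed=b"\x01" * 32):  # constructed events; fixed seed for the demo only
    sk, pk = keypair(seed)
    lines = []
    for ts, ev in (("2026-05-14T09:00:00.000Z", "protection armed"),
                   ("2026-05-14T09:01:12.418Z", "PhysicalDrive2 arrived; read-only set after 37 ms"),
                   ("2026-05-14T09:01:12.455Z", "pristine pulse: 0 bytes written")):
        append_line(lines, sk, ev, ts)
    return lines, pk.hex()
```

verify_log stops at the first entry that fails and says why. Editing an entry trips its hash; deleting or reordering one trips seq/prev; an entry appended with a different key passes the chain and fails the signature, which is why the chain alone is not enough. Truncating the tail passes both checks, so the final hash and the public key fingerprint belong in the exported report.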

PDF + JSON Report Export

Export the complete audit trail as a formatted PDF for courtroom presentation or as structured JSON for integration with case management systems.

Courtroom-deliverable Artifact

Reports include examiner credentials, case identifiers, device serial numbers and timestamped action logs. Ready for direct submission as court exhibits.

UX

Dark/Light Theme

Switch between dark and light interfaces. Dark mode reduces eye strain during extended forensic sessions. Light mode works better in well-lit lab environments.

Left Rail Navigation

Collapsible left panel organizes all features into logical groups. Access protection controls, device lists, shadow mode and reports without hunting through menus.

Auto-update

Checks for new versions on launch and applies updates automatically. Because an examination workstation should not change tools mid-case, record the version and the SHA256 of the executable used for each case so the exact build can be identified later.

Compare

Free vs Pro Edition

Feature | Free | Pro ($39)
Per-disk IOCTL write blocking | Yes | Yes
Race-window timing | Yes | Yes
Live pristine pulse | Yes | Yes
PnP arrival detection | Yes | Yes
PANIC LOCKDOWN | Yes | Yes
Full USB topology view | Yes | Yes
Device history database | Yes | Yes
Auto-recognize evidence drives | No | Yes
Shadow mode (ImDisk) | No | Yes
HID Guard (BadUSB defense) | Yes | Yes
Auto-quarantine HIDs | Yes | Yes
Persistent allow/deny lists | No | Yes
Ed25519-signed audit log | No | Yes
PDF + JSON report export | No | Yes
Courtroom-deliverable artifact | No | Yes
Dark/light theme | Yes | Yes
Left rail navigation | Yes | Yes
Auto-update | Yes | Yes

$39 vs $400 Tableau

A Tableau T356789iu hardware write blocker costs $400 or more. Sherlock Forensics USB Write Blocker Pro provides per-disk IOCTL protection, BadUSB defense, shadow mode and Ed25519-signed audit logs for $39 one-time. The free edition covers core write blocking with no restrictions. Upgrade to Pro when you need court-ready reports and advanced forensic features.

Changelog

Version History

v1.1.0 (2026-05-14)

  • Per-disk IOCTL write blocking replaces registry-only approach
  • Race-window timing records the gap between insertion and protection
  • Live pristine pulse for continuous evidence integrity monitoring
  • PnP arrival detection hooks into Plug and Play subsystem
  • PANIC LOCKDOWN for emergency system-wide write blocking
  • Full USB topology view with hierarchical device tree
  • Device history database with serial numbers and timestamps
  • Auto-recognize evidence drives with saved profiles
  • Shadow mode with bundled ImDisk driver and one-click install
  • Auto offline-source for shadow copies
  • HID Guard BadUSB defense with configurable modes
  • Auto-quarantine for suspicious HID devices
  • Persistent allow/deny lists for USB device control
  • Ed25519-signed audit log for tamper-evident chain of custody
  • PDF and JSON report export for courtroom delivery
  • Dark/light theme toggle
  • Left rail navigation with collapsible panel
  • Auto-update on launch

v1.0 (2026-04-18)

  • Per-disk IOCTL write blocking with race-window timing
  • One-click enable/disable toggle
  • Status verification display
  • UAC elevation prompt
  • Evidence drive protection for all USB mass storage devices
  • Forensic imaging preparation workflow

Download

Get Sherlock Forensics USB Write Blocker

Version 1.1.0 for Windows 10/11 (64-bit). Single executable, 9.8 MB. No license required for the free edition. Verify the SHA256 below before running the tool on an examination workstation (certutil -hashfile sherlock-usb-blocker.exe SHA256, or Get-FileHash in PowerShell).

File
sherlock-usb-blocker.exe (9.8 MB)
SHA256
0bab264e3988b87142e121b66a0632845ca6354982c90e2f9dc49e38ed74394e
Version
1.1.0
Platform
Windows 10/11 (64-bit)
Size
9.8 MB
Price
Free core protection. $39 one-time for Pro edition.

Questions

USB Write Blocker FAQ

What is a USB write blocker?
A USB write blocker prevents any data from being written to a USB storage device. It ensures the contents of the device remain unmodified during forensic examination. This preserves evidence integrity and maintains chain of custody for court admissibility.
How does Sherlock Forensics USB Write Blocker work?
Sherlock Forensics USB Write Blocker v1.1.0 uses IOCTL_DISK_SET_DISK_ATTRIBUTES to set per-physical-disk read-only attributes at the Windows kernel level. PnP arrival detection catches devices the millisecond they appear on the bus. Race-window timing records how fast the block was applied for court evidence. The live pristine pulse confirms zero bytes were written to the blocked drive.
Is a software write blocker admissible in court?
Software write blockers are accepted in many jurisdictions when proper procedure is documented. However, hardware write blockers from manufacturers like Tableau and CRU provide a stronger forensic guarantee because they operate at the hardware level. For high-stakes cases, use a hardware write blocker or combine both methods.
Does it work on already-mounted drives?
v1.1.0 uses PnP arrival detection to catch devices the moment they connect. For drives already mounted before protection is armed, eject and reinsert them for the IOCTL block to apply, and note that Windows may already have written to such a drive (timestamps, System Volume Information) before it was protected. The topology viewer shows the current state of every connected device so you can verify protection status.
Is Sherlock Forensics USB Write Blocker free?
Yes. The free edition has no trial period and needs no license key, and core write blocking (per-disk IOCTL blocking, race-window timing, pristine pulse, PANIC LOCKDOWN, topology view, device history, HID Guard) has no restrictions. Pro ($39 one-time) adds auto-recognize evidence drives, shadow mode, persistent allow/deny lists, the Ed25519-signed audit log and PDF/JSON report export; see the Free vs Pro table.
What is IOCTL-level write blocking?
IOCTL-level write blocking sends IOCTL_DISK_SET_DISK_ATTRIBUTES with the read-only flag to the disk class driver for one physical disk; from then on the Windows storage stack refuses write requests to that disk before they reach the device. Unlike the StorageDevicePolicies WriteProtect registry value, which applies to every USB storage device at once, IOCTL blocking operates per disk, so you can selectively protect individual evidence drives while keeping other USB devices writable.
Does this protect against BadUSB attacks?
It mitigates them. Sherlock Forensics USB Write Blocker v1.1.0 includes HID Guard, which detects USB devices presenting keyboard, mouse or other human interface device interfaces, can auto-quarantine suspicious HIDs and maintains persistent allow/deny lists so known-good devices pass through while unknown devices are blocked or held. HID Guard covers HID-class interfaces only; BadUSB firmware that presents as a network adapter is not in its scope, and quarantine happens after enumeration, so a few keystrokes may precede it.
Can I use the audit log in court?
Yes. The Pro edition generates Ed25519-signed, hash-chained audit logs that record every action taken during evidence handling, and the audit trail exports to PDF and JSON formats suitable for courtroom presentation. Any modification, removal or reordering of entries is detectable by verifying the signatures and the chain with the embedded public key. Keep the key fingerprint and the final chain hash in the case file, and be prepared to explain that a signature proves the entry was produced by the holder of the tool's signing key on your workstation, not who was at the keyboard.
How does shadow mode work?
Shadow mode takes the source disk offline and uses the bundled ImDisk driver to present it as a read-only virtual disk, so analysis runs against the virtual mount while the original is never touched by the operating system. Shadow mode works on all Windows editions and installs with one click.

Get Started

Download Sherlock Forensics USB Write Blocker

Free forensic USB write blocker built by CISSP, ISSAP and ISSMP certified forensic professionals. Need a full forensic examination or incident response? Contact our team.

Since 2006 · CISSP, ISSAP, ISSMP certified · 604.229.1994

Used for: Endpoint security, compliance enforcement, data loss prevention, removable media control and air-gap protection

30-day money back guarantee on the Pro Edition. If it does not meet your needs, contact us for a full refund.

Sherlock Forensics USB Write Blocker is provided for lawful forensic use only. Ensure compliance with your jurisdiction's evidence handling requirements. Terms of Service


Checkout - USB Write Blocker Pro

$39.00 USD one-time. License key delivered to your email.
