When creating an image of a suspect drive, the investigator needs to insure that the evidence is not altered and it remains forensically sound. This can be done through the use of a hardware write blocker, software write blocking, or a combination of the two. It is highly recommended that all acquisitions are done using a combination of the two.
If you are using a hardware write blocker attached to your suspect drive to be acquired or examined, remembering to check the jumper settings. In most cases and with most hardware, the jumpers on the drive must be set to Master (consult the drive manufacturer's website for information on jumper settings for your specific drive model). If the drive does not appear in the device window of MacForensicsLab after a rescan (you can manually rescan the bus by selecting "Rescan" from the File menu), check to make sure that the jumper settings are set to Master on the drive/device.
To enable software write blocking, inside MacForensicsLab turn Disk Arbitration off under the popup menu that appears at the start of the application or you can select Disk Arbitration from the Window menu and disable it there. Disk Arbitration is a background application in Mac OS X that is always running. When Disk Arbitration detects a new storage device it automatically mounts it with write access if available. By disabling it you prevent the suspect drive from being mounted and insure that it cannot be written to. Disk Arbitration will be off until you enabled it again from the Window menu or you reboot.
