Write Blocking and le Mal d’Légal

The Forensic Ouroboros

The Forensic Ouroboros

An archives is in many chases defined by what it excludes more than what it includes. Sometimes referred to as archival silences, these exclusions articulate and express the power dynamics extant in the culture (understood broadly) of which the archive is an expression. On the one hand we might think of the silences and exclusions as overt political acts, as they surely were during the period of European colonial expansion, and more recently exemplified in the damning colonial archival records the UK government successfully kept out of the public eye for decades. However, such exclusions may also be technical in nature; that is, the structures, policies, and systemic workings of institutions and archivists may pose barriers to certain types of information. In a digital context this systemic, rather than political, act of technical exclusion is observable in the object of the forensic write blocker—a device that intercedes between digital carrier media such as flash drives and hard drives and the digital storage of the archive. As the name implies, the write blocker “blocks” data from being written back to the original media in an effort to guarantee the authenticity of the bitstream, the pattern of ones and zeros read from the media. This inbetweenness invites us to think about the write blocker at the level of topos and its uniquely situated space between the archive proper and the original object. Considered in terms of Jacques Derrida’s Archive Fever, the write-blocker performs the tension Derrida examines between topology and nomology, location and law.

Write blockers are used by digital archivists as they read electronic data stored on volatile media and move that data to a more sustainable environment, usually a digital repository of some type. Because computers function by default in a read/write mode, simply connecting a hard drive or flash drive to a computer can cause data to be written to the drive, potentially overwriting deleted or temporary files. An archivist concerned with maintaining an authentic copy of the original media will work to ensure that such writings back do no occur during the capture process. To facilitate this authentic transfer, digital archivists have borrowed from the digital forensics community and employed hardware and software write protection. My comments here will focus on hardware write blockers, the physical devices that intercede between the original media and the archivist’s workstation.

Forensic write blockers emerged out of a need by law enforcement to ensure that in their investigation they do not contaminate the data contained on digital media gathered from a crime scene. Their need is twofold: First, the examiner knows that any incriminating data recovered from a hard drive or other carrier media will likely be found in the digital traces of deleted files or swap space (the “virtual memory” a computer uses when it runs out of RAM). An incautious approach could inadvertently overwrite this content because its location on the physical media it is considered blank by the file system, and therefore available for new data. Not attaching a write blocker before capturing data from a suspect’s carrier media would be tantamount to sweeping the floor of a crime scene before beginning the examination. Second, in the event that the examiner finds incriminating evidence on the carrier media, they must be able to demonstrate to the satisfaction of a jury that their process was sufficiently cautious and did not affect the original data. I recount this here in order to link the write blocker used in a digital archives to its nomological origin. A write blocker carries with it the signifiers of law enforcement, performing in an archival setting Derrida’s contention that archives function as “the intersection of the topological and the nomological,” which he subsequently shorthands “topo-nomology” (3).

There are three ways to consider the topology of a forensic write blocker in the context of a digital archive. First, is the write blocker’s physical inclusion in the substrate that compose the digital archive. Second, the space it occupies in the input/output (IO) system. And third as an abstracted object that is represented in an archival workflow. I have alluded to the significance of the physical object adopted into the digital archives from the digital forensics world above, so let me address the second two topologies in further detail. Write blockers vary in type, but essentially they function by providing connectivity between IO systems. For example, typical hard drives have one of two IO systems: an IDE data bus, or a SATA data bus. A hard drive write blocker includes the proper power and data bus cabling that allows a drive to connect to the write blocker as an input device. Data that passes through the write blocker is then output through a USB cable to the computer where the disk capture is being performed. In addition to its named function, a write blocker also serves as a translator of sorts, meshing two disparate IO systems and allowing data to flow between them. Thus the write blocker inhabits an  intersticial topos, a space that simultaneously facilitates data transfer while, ironically, also preventing it.

In this intersticial space the write blocker performs an archival silencing by eliding its own presence in the archival record. In this sense write blockers (and write blocking) exemplify Derrida’s concern with the death drive within an archives. After recounting Freud’s practice of questioning if anything he wrote actually needed to be written down, or published, or archived, Derrida considers Freud’s self-effacing impulse by comparing it to the psychoanalytic concept of the death drive. He writes, “[The death drive] is at work, but since it always operates in silence, it never leaves any archives of its own. It destroys in advance its own archive, as if that were in truth the very motivation of its most proper movement. It works to destroy the archive: on the condition of effacing but also with a view to effacing its own ‘proper’ traces” (10). Such is the role of the write blocker in a digital archive because any write blocker that would leave an archives of its own activity would cease to function as a write blocker. This small, seemingly insignificant device becomes the example par excellence of what Derrida means by “archive fever.” For, as he writes later, “The death drive is not a principle. It ever threatens every principality, every archontic primacy, every archival desire. It is what we will call, later on, le mal d’archive, archive fever” (12). That part of the archive that prevents the archivization of itself–the archival death drive–finds its digital surrogate in the forensic write blocker, an ouroboros figure eternally consuming itself.

It is not inconsequential here that Derrida sees the death drive effacing what he calls a “proper trace,” which begs the question: what then counts as an improper trace? What an improper trace my look like I will set aside for now, but this emphasis on traces returns us to the  nomological role of the write blocker. As mentioned above, a write blocker that leaves a trace of its own intervention would cease to be a write blocker. This self-negation has a second theoretical resonance when considered in the context of forensic science. Specifically and ironically, write blockers actively work to disprove or side-step the forensic axiom that “every contact leads a trace” (known as “Locard’s exchange principle,”  named for forensic science grandee Edmond Locard ). And yet here is a tool developed for and by the digital forensics profession that actively contradicts one of its founding principles. Thus, in either an archival or criminal investigatory setting, the write blocker’s first priority is to elide itself, to disprove the maxim which ultimately lead to its creation. By standing as an obvious yet necessary contradiction to the Locard principal, the write blocker demonstrates the role of the death drive not just in archival science, but in forensic science as well, a le mal d’légal if you will.[1]

A third topos occupied by the forensic write blocker in a digital archives is its position on the workflows and processing documents of collecting institutions. Despite the abstracted nature of this topos, it is here that the forensic write blocker has its most pronounced effect on the archive. In its physical form and as a tool of the digital archivist, the write blocker demonstrates the topo-nomological nature of the archive by merging the legal substrate from which a write blocker emerges and the situatedness of the write blocker in archival practice. However, when we abstract out the idea of the write blocker and consider it in terms of a step in a workflow, we see how Derrida’s sense of technology’s influence on the archive is played out.

For Derrida, technology is more than a convenience or tool for increased efficiency. Rather, technology has the capacity to completely reshape our understanding of the archive. We see this in his analysis of e-mail and the potential email has to radically reshape psychoanalysis. Derrida writes, “[P]sychoanalysis would not have been what it was (any more than so many other things) if E-mail, for example, had existed. And in the future it will no longer be what Freud and so many psychoanalysts have anticipated, from the moment E-mail, for example, became possible” (17). Derrida argues that because so much of psychoanalysis research came in the form of hand written letters between practitioners, had technologies such as e-mail existed during the early development of the field, they would have rendered what we now consider psychoanalysis unrecognizable. Likewise, from the moment e-mail emerged as a dominant form of communication, psychoanalysis’s future diverted from whatever intellectual trajectory  it may have been on to one now influenced and facilitated by the new communication technology, much like the ever evolving alternate timelines spinning out of the Star Trek universe.

Of course, the advent of e-mail has been disruptive well beyond the confines of psychoanalytical thought—it has had profound effects on all aspects of human communication, particularly in the archive. Derrida notes this significance by writing, “[E]lectronic mail today […] is on the way to transforming the entire public and private space of humanity. […] It is not only a technique, in the ordinary and limited sense of the term: an unprecedented rhythm, in quasi-instantaneous fashion, this instrumental possibly of production, of printing, of conversation, and of destruction of the archive must inevitably be accompanied by juridical and this political transformations” (17). E-mail is more than a convenience, it reshapes how we represent and record the world, and as such it must have profound legal (nomological) implications as well. Though this is something of a dated example twenty years on, replace “e-mail” with “twitter” or any other disruptive communication technology and the argument still holds. E-mail here serves only as an example of how interventions of what Derrida calls “archival technologies” can radically reshape not just the archive, but archivization itself.

The profoundness of these changes are not simply that they necessitate a change in process, but that they necessitate a change in the fundamental logics that frame a discipline. In an almost heretical tone, Derrida writes, “[I]f the upheavals in progress affected the very structures of the psychic apparatus, […] it would be a question no longer of simple continuous progress in presentation, in the representative value of the model, but rather an entirely different logic” (15). Technological upheavals, then, have the capacity to force psychoanalysis to do more than seek better models, better representations; they have the capacity to necessitate the abnegation of the model itself. Out with the id, ego, and super ego, and in with  the… what? What logic will pertain after a theory of the psyche is filtered through a new technological apparatus?

While not as significant or transformative a technology as e-mail, the forensic write blocker carries with it its own potential to reshape archival theory and practice. A common point in a digital preservation workflow reads, “connect to write blocker,” usually before a carrier media is connected to a workstation for data capture. In the context of Derrida’s analysis of e-mail, it is not unreasonable to ask the questions: 1) what was the standard practice before forensic write blockers became a common tool in a digital archive? And, 2) if there had never been a point where digital forensics tools and practices had been adopted by digital archivists, how would that affect both past and future collections? To address the first question, there are undoubtedly digital collections captured without the application of a write blocker. Those collections stand in contrast to post-write blocker processed collections in that the act of collection itself is now visible, now leaves a trace on the original media and on the captured bitstream. Data of either trivial or significant quality has been overwritten in the capture process, fundamentally altering the object of capture, especially in the occluded spaces behind the file system’s veil. This alteration may be a product of ignorance, of a fundamental misunderstanding of the nature the digital object, but it is also a repudiation of the self-effacing death drive that Derrida identifies as “archive fever.” The archive archives itself when the write blocker is absent and the digital capture includes a record of itself.

Of the second question, what would be the effect if a digital forensics sensibility hadn’t made its way into archival theory and practice? Absent a digital forensics—a nomological—understanding of digital objects, there would be no need for a forensic write blocker. If there is no need for a write blocker, then digital archival theory and practice would by default adopt a sense that only data represented by the file system is significant. The traces and inscriptions we know to be fundamental to digital representations would be overlooked in favor of their abstracted representation, and, to borrow from Derrida above, such a destruction of the physical inscriptions “must inevitably be accompanied by juridical and political transformations.” If the power of the archive is to define what can and cannot be archived, then the adoption of a file system-centric approach to digital archives abdicates staggering power to corporate and governmental institutions that design and propagate those file systems. The potential for such an abdication is not mere speculation; the current debate in the United States over whether or not Apple Computers must provide a “back door” into their encrypted iOS file system for the purpose of law enforcement demonstrates just how much power is bound up in the representation and structuring of digital data. Thus, the presence of “connect to write blocker” in a digital preservation workflow carries with it the weight of a digital forensics ethic and understanding that values the physical inscription, however inaccessible and problematic, as the primary archival record rather than its abstracted representation. Understood together, the answers to these two questions demonstrate just how, like e-mail, the past and future of the archive are radically reshaped by the advent and inclusion of the forensic write blocker in archival workflows.

Because of its unique positioning as both a physical object and as a theoretical principle, the forensic write blocker helps us contextualize Derrida’s theory of the archive in a digital sphere. At the level of practice, the write blocker’s inclusion in the space of the archive builds into the substrate of the archive the forensics law enforcement from which it emerges, in a sense performing Derrida’s hyphenation of topo and nomology. More significantly, however, the presence of the write blocker—or the concept of write blocking—signifies an archival practice that has discarded a file system-centric approach, and one that seeks a its object the inscriptions and material traces of digital memory, but it does so only at the cost of its own archivizaton—a digital le mal d’archive.

[1] Surprisingly, there is no clear translation of “forensic” in French. The term is usually coupled with a specific purpose, such as “médico-légal” for medical examiner.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s