diff --git a/hooks/live b/hooks/live
index a940846..aa7b020 100755
--- a/hooks/live
+++ b/hooks/live
@@ -174,6 +174,12 @@ then
 	copy_exec /usr/bin/wget /bin
 fi
 
+# Program: blockdev
+if [ -x /sbin/blockdev ]
+then
+	copy_exec /sbin/blockdev /sbin
+fi
+
 # FUSE kernel module
 manual_add_modules fuse
 
diff --git a/scripts/live-premount/readonly b/scripts/live-premount/readonly
new file mode 100755
index 0000000..8bed733
--- /dev/null
+++ b/scripts/live-premount/readonly
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+#set -e
+
+# initramfs-tools header
+
+PREREQ="udev"
+
+prereqs()
+{
+	echo "${PREREQ}"
+}
+
+case "${1}" in
+	prereqs)
+		prereqs
+		exit 0
+		;;
+esac
+
+# live-initramfs script
+
+# make sure all harddisk devices are read-only
+# this is important for forensic investigations
+if grep -qe forensic -qe readonly /proc/cmdline
+then
+	for device in /dev/hd* /dev/sd* /dev/vd*
+	do
+		if [ -b "$device" ]
+		then
+			printf " * Setting device %-9s to read-only mode: " $device >/dev/console
+			blockdev --setro $device && printf "done [ execute \"blockdev --setrw %-9s\" to unlock]\n" $device >/dev/console || printf "failed\n" >/dev/console
+		fi
+	done
+fi