The try_read, try_write and write_verify test support programs for testing hardware write blockers were developed at NIST by Ben Livelsberger for the CFTT project.  They make use of an extended version of the ataraw-0.2.1 library developed by Kyle Sanders at the Naval Postgraduate School (see http://afflib.org/downloads/ataraw-0.2.1.tar.gz) and are designed to run from the Linux command line. While the programs have been tested, this is a developmental release; an official version of the tools will be released at a later date.

The programs were developed in Ubuntu 11.10, compiled using the gcc version 4.6.1 compiler, and were tested using the Ubuntu 11.10, Ubuntu 9.04, and Fedora Core 15 environments.  They were tested using blockers from various manufacturers for the USB, FireWire, and eSATA host-to-blocker interfaces and the ATA and SATA blocker-to-destination interfaces.

COMPILING THE TOOLS
Executables of the try_write, try_read, and write_verify programs were compiled in Ubuntu 11.10 using the gcc version 4.6.1 compiler and are included with the program source in the hwb_dev_120222.zip archive.  The programs may also be compiled from source using the included makefile (e.g., `make try_read`). 

PROGRAM DESCRIPTIONS AND RUNNING THE TOOLS
command line: `diskwipe test host-name user-initials /dev/sda FF` where "FF" is any two-digit hex pattern and "/dev/sda" is the Linux device name for the drive that the program will wipe.

The diskwipe program is used to initialize each sector of a hard drive with unique content. The diskwipe executable is included in the hwb_dev_120222.zip archive.  Its source may be downloaded from http://www.cftt.nist.gov/fs-tst20-with-src.zip as part of the FS-TST 2.0 Linux Test Support Tools.

example: `diskwipe test LabDell brl /dev/sda FF` - wipe the /dev/sda drive with the 0xFF hex pattern

command line: `try_read [-as] /dev/sda` 

try_read tries to send all SCSI or all ATA read commands to a drive.  The command set sent (SCSI or ATA) is selected from the command line. The "-a" switch specifies that all ATA read commands be sent, "-s" specifies that all SCSI read commands be sent.  The "-s" switch should be used if the host computer connection is SCSI, FireWire, or USB (interfaces that use the SCSI command set).  The "-a" switch should be used if the connection is ATA or SATA.

For a given read command, a status of "SUCCESS" in the program output indicates that 1) the command completed without error and 2) the command correctly read back the target sector's contents.  A status of "FAIL" indicates that the command returned with an error and/or that the command did not read back the correct content for the sector read.

example: `try_read -s /dev/sda` - send all defined SCSI read commands to device /dev/sda

command line: `try_write [-as] /dev/sda`

try_write tries to send all SCSI or all ATA write commands to a drive.  Each write command attempts to write a repeating pattern of "0000000 " to a sector address unique to that command based on its opcode.  The command set sent (SCSI or ATA) is selected from the command line. The "-a" switch specifies that all ATA write commands be sent, "-s" specifies that all SCSI write commands be sent.  The "-s" switch should be used if the host computer connection is SCSI, FireWire, or USB (interfaces that use the SCSI command set).  The "-a" switch should be used if the connection is ATA or SATA.

For a given write command, a status code of '0' indicates that the command returned without error.

example: `try_write -a /dev/sda` - send all defined ATA write commands to device /dev/sda

command line: `write_verify /dev/sda`

write_verify measures whether any hard drive sectors have been successfully written to.  It does this by reading the sector contents for the unique address associated with each write command.  It checks to see if they still have the pattern that diskwipe initialized them to.  For each write command, write_verify will report a status of "changed" or "unchanged".  

USING THE NIST PROGRAMS TO TEST A WRITE BLOCKER
The NIST tools can be used to test a write blocker as follows:
1. For each hard drive interface supported by the write blocker (e.g., ATA, SAS, SATA), initialize a drive to known content using the diskwipe program.
2. Calculate a "before" reference hash for each drive.
3. For each permutation of host-to-blocker and blocker-to-drive interfaces execute the try_read and try_write programs.
4. Calculate an "after" reference hash for each drive.
5. Execute write_verify for each drive. Use the write_verify output along with the reference hashes to measure whether any sectors on the test drives have changed.
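
Steps 2 through 5 for a single drive and one interface permutation, as an added shell example that is not part of the NIST distribution. It assumes the drive was already initialized with diskwipe, that sha256sum is the hash tool (this README names none), that the tools are on PATH, and that write_verify prints the whole word "changed" on each line for a modified sector; test_blocker and ref_hash are hypothetical names.

```sh
#!/bin/sh
# Added example, not part of the NIST distribution.
# Assumptions: sha256sum is the hash tool, the NIST tools are on PATH, and
# write_verify prints the whole word "changed" on each line for a modified sector.

# Print only the digest of a whole device (or image file).
ref_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Steps 2-5 for one drive behind the blocker.
#   $1 device node   $2 -a (ATA/SATA host link) or -s (SCSI/USB/FireWire)
#   $3 directory that receives the hashes and tool logs
# Returns 0 if the drive is unchanged, 1 if it was modified, 2 on a setup error.
test_blocker() {
    dev=$1 mode=$2 out=$3
    case $mode in
        -a|-s) ;;
        *) echo "mode must be -a or -s" >&2; return 2 ;;
    esac
    mkdir -p "$out" || return 2

    before=$(ref_hash "$dev")                       # step 2
    [ -n "$before" ] || return 2
    echo "$before" > "$out/before.sha256"

    # Step 3: keep the full tool output; exit codes are not the verdict.
    try_read  "$mode" "$dev" > "$out/try_read.log"  2>&1 || true
    try_write "$mode" "$dev" > "$out/try_write.log" 2>&1 || true

    after=$(ref_hash "$dev")                        # step 4
    [ -n "$after" ] || return 2
    echo "$after" > "$out/after.sha256"

    write_verify "$dev" > "$out/write_verify.log" 2>&1 || true   # step 5
    changed=$(grep -cw 'changed' "$out/write_verify.log" || true)

    if [ "$before" = "$after" ] && [ "$changed" -eq 0 ]; then
        echo "PASS: hashes match, write_verify reports no changed sector"
        return 0
    fi
    echo "FAIL: before=$before after=$after changed_lines=$changed"
    return 1
}

# Usage: test_blocker /dev/sda -s ./results/usb-to-sata
```

Use a separate results directory for each host-to-blocker and blocker-to-drive permutation so the hashes and logs of every run are kept.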


CONTACT INFO
Comments, questions, and feedback can be sent to benjamin.livelsberger@nist.gov.

Ben Livelsberger, Computer Forensic Tool Testing project, National Institute of Standards and Technology