We report observations and experience in the Computer Forensics Tool Testing (CFTT) project while developing methodologies to test interrupt 0x13-based software write block (SWB) tools. A write blocker allows access to all data on a storage device while not allowing any changes to the device. A write blocker is typically used either to protect a hard drive during preview of the drive contents prior to acquiring the contents or to protect the drive during acquisition. The basic strategy is to place a filter between application programs and the storage device to be protected. The filter intercepts commands to the hard drive and only allows those that do not change the device. Such a filter can be implemented either in software or in hardware. A software program has advantages over a hardware device, but also has disadvantages. A two-piece test harness tests the SWB. The driver piece sends commands to the SWB tool. The monitor piece intercepts and counts the commands allowed by the SWB tool. The test harness itself was validated separately. Although we wrote a few simple programs to exercise the test harness, we relied mainly on manual code reviews. The anomalies found would not cause invalid testing results. Seven software write block tools have been tested: four versions of one tool, HDL, and three versions of another, PDBLOCK. No two versions behaved in exactly the same way, partly because the philosophy of write blockers has evolved. The original design of "only block known writes" has given way to an "only allow known reads" design. The latter is safer, for instance, when a new write command is added. All tools tested blocked the same core set of write commands, but there were minor variations in other categories of commands.
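To make the two design philosophies concrete, the following is an added illustration, not code from the CFTT paper or from the HDL or PDBLOCK tools. It models an interrupt 0x13 filter under both policies and a small driver/monitor pair in the spirit of the two-piece harness: the driver issues a sequence of INT 13h function codes, the filter decides, and the monitor counts what would have reached the drive. The AH function numbers are the standard BIOS INT 13h codes; the value `NEW_WRITE_CMD` (0xC5) is a constructed stand-in for a hypothetical write command the blocker's author had not anticipated, and the command sequence is constructed test input.

```c
/*
 * Added example (not from the paper or the tools it tests): model of an
 * INT 13h software write blocker under two policies, plus a monitor that
 * tallies what gets through. Demonstrates why "only allow known reads"
 * is safer than "only block known writes" when an unknown write appears.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Standard BIOS INT 13h function codes (register AH). */
#define FN_RESET          0x00
#define FN_GET_STATUS     0x01
#define FN_READ_SECTORS   0x02
#define FN_WRITE_SECTORS  0x03
#define FN_VERIFY_SECTORS 0x04
#define FN_FORMAT_TRACK   0x05
#define FN_GET_PARAMS     0x08
#define FN_READ_LONG      0x0A
#define FN_WRITE_LONG     0x0B
#define FN_GET_DRIVE_TYPE 0x15
#define FN_CHECK_EXT      0x41
#define FN_EXT_READ       0x42
#define FN_EXT_WRITE      0x43
#define FN_EXT_VERIFY     0x44
#define FN_EXT_GET_PARAMS 0x48

/* Constructed: a hypothetical write command absent from the blocker's list. */
#define NEW_WRITE_CMD     0xC5

/* Policy 1: pass everything except the write functions the author knew about. */
int permit_block_known_writes(uint8_t ah) {
    switch (ah) {
    case FN_WRITE_SECTORS:
    case FN_FORMAT_TRACK:
    case FN_WRITE_LONG:
    case FN_EXT_WRITE:
        return 0;       /* blocked */
    default:
        return 1;       /* anything unrecognised is passed to the drive */
    }
}

/* Policy 2: pass only functions known not to modify the device. */
int permit_allow_known_reads(uint8_t ah) {
    switch (ah) {
    case FN_RESET:          case FN_GET_STATUS:   case FN_READ_SECTORS:
    case FN_VERIFY_SECTORS: case FN_GET_PARAMS:   case FN_READ_LONG:
    case FN_GET_DRIVE_TYPE: case FN_CHECK_EXT:    case FN_EXT_READ:
    case FN_EXT_VERIFY:     case FN_EXT_GET_PARAMS:
        return 1;
    default:
        return 0;       /* anything unrecognised is blocked */
    }
}

/* Monitor piece: sits below the blocker and counts what reaches the drive. */
struct monitor {
    unsigned reads_passed;
    unsigned writes_passed;   /* any nonzero value here is a test failure */
    unsigned blocked;
};

/* The harness knows the ground truth of each command it sent, including the
 * constructed NEW_WRITE_CMD, so it can classify what the filter let through. */
static int is_write_command(uint8_t ah) {
    return ah == FN_WRITE_SECTORS || ah == FN_FORMAT_TRACK ||
           ah == FN_WRITE_LONG || ah == FN_EXT_WRITE || ah == NEW_WRITE_CMD;
}

/* Driver piece: push each command through the policy; the monitor tallies. */
struct monitor run_harness(int (*policy)(uint8_t), const uint8_t *cmds, size_t n) {
    struct monitor m = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (!policy(cmds[i])) { m.blocked++; continue; }
        if (is_write_command(cmds[i])) m.writes_passed++; else m.reads_passed++;
    }
    return m;
}

int main(void) {
    /* Constructed command sequence: ordinary reads and writes plus the unknown write. */
    const uint8_t cmds[] = { FN_READ_SECTORS, FN_EXT_READ, FN_WRITE_SECTORS,
                             FN_EXT_WRITE, FN_GET_PARAMS, NEW_WRITE_CMD };
    size_t n = sizeof cmds / sizeof cmds[0];
    struct monitor a = run_harness(permit_block_known_writes, cmds, n);
    struct monitor b = run_harness(permit_allow_known_reads, cmds, n);
    printf("block-known-writes: reads=%u writes=%u blocked=%u\n",
           a.reads_passed, a.writes_passed, a.blocked);
    printf("allow-known-reads : reads=%u writes=%u blocked=%u\n",
           b.reads_passed, b.writes_passed, b.blocked);
    return 0;
}
```

Run against the same command sequence, the block-known-writes policy lets the unknown write reach the drive (one write passed) while the allow-known-reads policy blocks it, which is the monitor-side evidence a tester would look for.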
Proceedings of E-Crime and Computer Evidence Conference (ECCE2005)
March 1, 2005
E-Crime and Computer Evidence Conference
Keywords: acquisition of digital data, forensic tool testing, software testing, write blocking