Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Testing BIOS Interrupt 0x13 Based Software Write Blockers



James R. Lyle, Paul E. Black


We report observations and experience in the Computer Forensics Tool Testing (CFTT) project while developing methodologies to test interrupt 0x13 based software write block (SWB) tools. A write blocker allows access to all data on a storage device while not allowing any changes to the device. A write blocker is typically used either to protect a hard drive during preview of the drive contents prior to acquiring the contents or to protect the drive during acquisition. The basic strategy is to place a filter between application programs and the storage device to be protected. The filter intercepts commands to the hard drive and only allows those that do not change the device. Such a filter can be implemented either in software or in hardware. A software program has advantages over a hardware device, but also has disadvantages. A two-piece test harness tests the SWB. The driver piece sends commands to the SWB tool. The monitor piece intercepts and counts the commands allowed by the SWB tool. The test harness itself was validated separately. Although we wrote a few simple programs to exercise the test harness, we relied mainly on manual code reviews. The anomalies found would not cause invalid testing results. Seven software write block tools have been tested: four versions of one tool, HDL, and three versions of another, PDBLOCK. No two versions behaved in exactly the same way, partly because the philosophy of write blockers has evolved. The original design of only block known writes has given way to a only allow known reads design. The latter is safer, for instance, when a new write command is added. All tools tested blocked the same core set of write commands, but there were minor variations in other categories of commands.
Proceedings Title
Proceedings of E-Crime and Computer Evidence Conference (ECCE2005)
Conference Dates
March 1, 2005
Conference Location
Monaco, MO
Conference Title
E-Crime and Computer Evidence Conference


acquistion of digital data, forensic tool testing, software testing, write blocking


Lyle, J. and Black, P. (2005), Testing BIOS Interrupt 0x13 Based Software Write Blockers, Proceedings of E-Crime and Computer Evidence Conference (ECCE2005), Monaco, MO (Accessed April 14, 2024)
Created March 1, 2005, Updated February 17, 2017