Testing BIOS Interrupt 0x13 Based Software Write Blockers

Author(s)

James R. Lyle, Paul E. Black

Abstract

We report observations and experience from the Computer Forensics Tool Testing (CFTT) project while developing methodologies to test interrupt 0x13 based software write block (SWB) tools. A write blocker allows access to all data on a storage device while not allowing any changes to the device. It is typically used either to protect a hard drive while its contents are previewed prior to acquisition or to protect the drive during acquisition. The basic strategy is to place a filter between application programs and the storage device to be protected. The filter intercepts commands to the hard drive and passes only those that do not change the device. Such a filter can be implemented in software or in hardware; a software tool has advantages over a hardware device, but also disadvantages. A two-piece test harness tests the SWB: the driver piece sends commands to the SWB tool, and the monitor piece intercepts and counts the commands the SWB tool allows through. The test harness itself was validated separately; although we wrote a few simple programs to exercise it, we relied mainly on manual code reviews. The anomalies found would not cause invalid test results. Seven software write block tools have been tested: four versions of one tool, HDL, and three versions of another, PDBLOCK. No two versions behaved in exactly the same way, partly because the philosophy of write blockers has evolved. The original design of blocking only known writes has given way to a design that allows only known reads. The latter is safer, for instance, when a new write command is added, since a command the tool does not recognize is blocked rather than passed through. All tools tested blocked the same core set of write commands, but there were minor variations in other categories of commands.
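The two-piece harness and the two blocking philosophies described above, as an added illustration that is not the CFTT project's own harness code: the driver issues every INT 13h function code (the AH register value) through a simulated SWB filter, and the monitor tallies what reaches the "disk". The classification of AH values into read, write and other-non-destructive is this example's own and deliberately incomplete; the function code 0x50 used to stand in for a "new write command" is invented for the example and is not a real BIOS service.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classification of INT 13h function codes (the AH register value).
 * The codes listed are standard BIOS disk services; the grouping into
 * classes is this example's own assumption and is not exhaustive. */
enum cmd_class { CMD_READ = 0, CMD_WRITE, CMD_OTHER, CMD_UNKNOWN, CMD_CLASSES };

static enum cmd_class classify(uint8_t ah)
{
    switch (ah) {
    case 0x02: /* read sectors */
    case 0x0A: /* read long (with ECC bytes) */
    case 0x42: /* extended read (LBA) */
        return CMD_READ;
    case 0x03: /* write sectors */
    case 0x05: /* format track */
    case 0x0B: /* write long */
    case 0x43: /* extended write (LBA) */
        return CMD_WRITE;
    case 0x00: /* reset */
    case 0x01: /* get status of last operation */
    case 0x04: /* verify sectors */
    case 0x08: /* get drive parameters */
    case 0x0D: /* reset hard disk */
    case 0x10: /* check drive ready */
    case 0x15: /* get disk type */
    case 0x41: /* check extensions present */
    case 0x44: /* extended verify */
    case 0x48: /* extended get drive parameters */
        return CMD_OTHER;
    default:
        return CMD_UNKNOWN;
    }
}

/* The two write-blocker philosophies the abstract contrasts. */
enum policy { POLICY_BLOCK_KNOWN_WRITES, POLICY_ALLOW_KNOWN_READS };

/* Simulated SWB filter on the INT 13h vector: 1 = forwarded to the disk,
 * 0 = dropped. Under the block-list policy anything not on the write
 * list passes; under the allow-list policy only listed safe commands pass. */
static int swb_allows(enum policy p, uint8_t ah)
{
    enum cmd_class c = classify(ah);
    if (p == POLICY_BLOCK_KNOWN_WRITES)
        return c != CMD_WRITE;
    return c == CMD_READ || c == CMD_OTHER;
}

/* Monitor piece: per-class tallies of what the filter let through. */
struct monitor { unsigned allowed[CMD_CLASSES]; unsigned blocked[CMD_CLASSES]; };

/* Driver piece: issues every possible AH value through the filter. */
static struct monitor run_harness(enum policy p)
{
    struct monitor m;
    memset(&m, 0, sizeof m);
    for (int ah = 0; ah <= 0xFF; ah++) {
        enum cmd_class c = classify((uint8_t)ah);
        if (swb_allows(p, (uint8_t)ah)) m.allowed[c]++; else m.blocked[c]++;
    }
    return m;
}

static unsigned allowed_count(enum policy p, enum cmd_class c)
{
    struct monitor m = run_harness(p);
    return m.allowed[c];
}

static unsigned blocked_count(enum policy p, enum cmd_class c)
{
    struct monitor m = run_harness(p);
    return m.blocked[c];
}

/* Hypothetical new write function AH=0x50 (invented for this example) that
 * the filter's tables do not know about. Returns 1 if it reaches the disk. */
#define NEW_WRITE_FN 0x50
static int new_write_reaches_disk(enum policy p) { return swb_allows(p, NEW_WRITE_FN); }

int main(void)
{
    const char *names[] = { "block known writes", "allow known reads" };
    for (int p = 0; p < 2; p++) {
        struct monitor m = run_harness((enum policy)p);
        printf("%-18s allowed: read=%u write=%u other=%u unknown=%u | "
               "blocked: write=%u unknown=%u | new write 0x50 reaches disk: %s\n",
               names[p], m.allowed[CMD_READ], m.allowed[CMD_WRITE],
               m.allowed[CMD_OTHER], m.allowed[CMD_UNKNOWN],
               m.blocked[CMD_WRITE], m.blocked[CMD_UNKNOWN],
               new_write_reaches_disk((enum policy)p) ? "YES" : "no");
    }
    return 0;
}
```

Both policies block the same core write commands and pass the same reads, which matches the abstract's finding; they differ only on commands outside the filter's tables, and that is exactly where the invented 0x50 shows the block-list design letting an unrecognized write through. The real harness runs under DOS with the monitor hooked on the INT 13h chain below the SWB; here driver, filter and monitor are all in-process, so the example shows the policy difference, not real vector interception.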
Proceedings Title
Proceedings of E-Crime and Computer Evidence Conference (ECCE2005)
Conference Dates
March 1, 2005
Conference Location
Monaco, MO
Conference Title
E-Crime and Computer Evidence Conference

Keywords

acquisition of digital data, forensic tool testing, software testing, write blocking
Created March 1, 2005, Updated February 17, 2017