James R. Lyle and Paul E. Black, Testing BIOS Interrupt 0x13 Based Software Write Blockers, Proc. of ECCE 05, to be published, Monaco, March 2005.

    This paper reports observations and experience in the Computer Forensics Tool Testing (CFTT) project while developing methodologies for testing software write block (SWB) tools. A write blocker allows access to all digital data on a storage device while not allowing any changes to the storage device. The basic strategy is for a filter to intercept I/O commands sent to the hard drive and only allow commands that make no changes to the device. While such a filter can be either software or in hardware, this paper only discusses testing interrupt 0x13 based software write blockers.
    Although simple enough in the abstract, the details of the SWB tool behavior specification had subtleties. Even after developing a specification, deciding the number, type, and constitution of test cases was challenging.
    For testing, a driver sends BIOS interrupt 0x13 commands to the SWB tool. A monitor intercepts and counts the commands allowed by the SWB tool. Additional scripts automated much of the testing and program invocation.
    We have tested seven software write block tools: four versions of one tool and three versions of another. More importantly, no two versions behaved in exactly the same way. We found other anomalies, too.
    The driver and monitor themselves were validated separately with an emphasis on watching for errors that may allow invalid results. Although we wrote a few simple programs to exercise the pieces of the test harness, we felt that manual code review by experienced programmers was the most productive and illuminating strategy. The coding anomalies found would not cause invalid testing results.

Get the paper in RTF (141k), PDF (67k), or ASCII text (26k).

Get presentation slides (228k) or poster (169k).

This page's URL is /~black/Papers/testSWB_ECCE05.html

Updated Fri Apr 15 12:36:30 2005

by Paul E. Black  (paul.black@nist.gov)

Go to Black's papers or NIST home page.