James R. Lyle and Paul E. Black,
Testing BIOS Interrupt 0x13 Based Software Write Blockers,
Proc. of ECCE 05, to be
Monaco, March 2005.
This paper reports observations and experience in the Computer
Forensics Tool Testing (CFTT) project while developing methodologies
for testing software write block (SWB) tools. A write blocker
allows access to all digital data on a storage device while not
allowing any changes to the storage device.
The basic strategy is for a filter to intercept I/O commands sent to
the hard drive and only allow commands that make no changes to the
device. While such a filter can be either software or in hardware,
this paper only discusses testing interrupt 0x13 based software write
Although simple enough in the abstract, the details of the SWB tool
behavior specification had subtleties. Even after developing a
specification, deciding the number,
type, and constitution of test cases was challenging.
For testing, a driver sends BIOS interrupt 0x13 commands to the SWB
tool. A monitor intercepts and counts the commands allowed by the SWB
tool. Additional scripts automated much of the testing and program
We have tested seven software write block tools: four versions of one
tool and three versions of another. More importantly, no two versions
behaved in exactly the same way. We found other anomalies, too.
The driver and monitor themselves were validated separately with an
watching for errors that may allow invalid results. Although we wrote
a few simple programs to exercise the pieces of the test harness, we
felt that manual code review by experienced programmers was the most
productive and illuminating strategy. The coding anomalies found would
not cause invalid testing results.
Get the paper in
PDF (67k), or
ASCII text (26k).
slides (228k) or
This page's URL is /~black/Papers/testSWB_ECCE05.html
Fri Apr 15 12:36:30 2005
by Paul E. Black
Black's papers or
NIST home page.