NCJ Number
220221
Date Published
January 2008
Length
151 pages
Annotation
This report presents the methodology and results of the testing of Writeblocker Windows 2000, Version 5.02.00 in accordance with the ACES Software Write Block Tool Specification & Test Plan Version 1.0, which may be found on the Computer Forensics Tool Testing (CFTT) Web site.
Abstract
The first specification of the ACES Software Write Block Tool Specification & Test Plan Version 1.0 requires that the tested tool shall not allow a protected drive to be changed; however, the tested tool failed to block some test commands from the protected categories that were sent to protected drives. The second performance specification for the tool is that it shall not prevent obtaining any information from or about any drive. The tested tool complied with this requirement, in that it did not alter or block test commands from any unprotected category that were sent to protected or unprotected drives. The third performance specification is that the tool shall not prevent any operation to a drive that is not protected. The tested tool met this requirement, in that it did not alter or block any test commands sent to unprotected drives. The tested tool, Writeblocker Windows 2000 V5.02.00, consists of two kernel mode device drivers, NTWBFS and NTWBPM, and a user mode GUI control application. The NTWBFS driver is a file system filter driver that filters file system calls, and the NTWBPM driver is a physical device filter that filters hardware I/O requests. In addition to presenting overall test results, results are summarized for each test case. The description of the testing environment encompasses the test computer, hard disk drives, test software, and run protocol selection. Appended sample logfile listings and filter driver load orders