Forensic disk controller: Difference between revisions

removing poorly written Lunix propaganda
How it works: better sectioning, remove some irrelevant detail about forensic imaging
Line 17:
*''Any error condition reported by the storage device to the HWB device shall be reported to the host.''
 
==How it worksDescription==
All forensic disk controllers work by capturing commands from the host [[operating system]] that request the drive to overwrite sectors, and preventing them from reaching the drive. Whenever the host bus architecture supports it, the forensic disk controller reports to the host operating system that the drive is read-only.
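Review bot: The first sentence of this paragraph states that "All forensic disk controllers work by capturing commands from the host" with no citation, even though it sits directly below an italicised requirement that reads as if quoted from a specification. Suggest either citing that specification for the blocking behaviour as well or scoping the wording (for example "Forensic disk controllers work by ..."). The second sentence, "Whenever the host bus architecture supports it", should say which bus architectures allow the read-only report, since a reader cannot tell from the text when the host will see the drive as writable.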
 
Line 26:
A disk controller that caches writes in memory presents the appearance to the operating system that the drive is writable, and uses the memory to ensure that the operating system sees changes to the individual disk sectors it attempted to overwrite. It does this by retrieving sectors from the disk if the operating system hasn't attempted to change them, and retrieving the changed version from memory for sectors that have been changed. This method is transparent to and compatible with all operating systems, and ensures that when the device is powered off, the disk remains unchanged and in its original state. Because the operating system's internal state persists only as long as the drive is mounted or powered on, assuming none of the writes were desired there is no adverse consequence to losing the data in the change buffer.
 
==Uses==
The most typical way a forensic disk controller is used is to create an image file of a hard drive. In this scenario, an entire hard drive image is copied into a single regular file - for example, a 250GB hard drive becomes a 250GB regular file (before considering the possibility of compression). Once the entire drive has been converted to a regular file, the physical drive itself is locked away or returned to the suspect, and then the image file can be examined independently on any platform using a hex editor or a utility specifically designed for navigating file systems encapsulated within disk image files (e.g. ''WinHex'' or ''DiskExplorer'').
Forensic disk controllers are most commonly associated with the process of creating a disk image, or acquisition, during [[digital forensic analysis]]. Their use is to prevent inadvertent modification of evidence.
 
==References==
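Review bot: In the Uses section, the shorter text ("Their use is to prevent inadvertent modification of evidence") no longer explains what acquisition produces or why the original drive can be set aside afterwards, which the longer imaging paragraph did. A single clause or a wikilink on "disk image" would keep that context without the tool names and the 250GB example. In the write-caching paragraph above it, the closing claim that there is "no adverse consequence to losing the data in the change buffer" depends on "assuming none of the writes were desired" and has no source; it should be cited or reworded as a property of the design rather than a general guarantee.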