All forensicForensic disk controllers work byintercept capturingwrite commands from the host [[operating system]] that request the drive to overwrite sectors, and preventing them from reaching the drive. Whenever the host [[Bus (computing)|bus]] architecture supports it, the forensiccontroller reports that the drive is read-only. The disk controller reportscan either deny all writes to the hostdisk operatingand systemreport thatthem theas drivefailures, isor readuse on-onlyboard memory to cache the writes for the duration of the session.
A forensic disk controller works in one of two ways. The disk controller can either deny all writes to the disk and report them as failures, or use on-board memory to cache the writes for the duration of the session.
A disk controller that denies all writes will likely not be tolerated by an operating system that assumes that all hard disks can be written to. Although the controller could report the writes as successful, subsequent reads will return the original data, which will be unexpected by the operating system and which will cause it to malfunction due to the internal inconsistency between the operating system and the drive's actual state.
