Forensic disk controllers intercept write commands from the host [[operating system]], preventing them from reaching the drive. Whenever the host [[Bus (computing)|bus]] architecture supports it the controller reports that the drive is read-only. The disk controller can either deny all writes to the disk and report them as failures, or use on-board memory to cache the writes for the duration of the session.
A disk controller that denies allcaches writes willin likelymemory notpresents bethe toleratedappearance byto anthe operating system that assumesthe thatdrive allis hardwritable, disksand canuses bethe writtenmemory to. ensure Althoughthat the controlleroperating couldsystem reportsees changes to the writesindividual asdisk successful,sectors subsequentit readsattempted willto returnoverwrite. theoriginalIt data,does whichthis willby beretrieving unexpectedsectors byfrom the operatingdisk systemif andthe whichoperating willsystem causehasn't itattempted to malfunctionchange duethem, toand retrieving the internalchanged inconsistencyversion betweenfrom thememory operatingfor systemsectors andthat the drive'shave actualbeen statechanged.
A disk controller that caches writes in memory presents the appearance to the operating system that the drive is writable, and uses the memory to ensure that the operating system sees changes to the individual disk sectors it attempted to overwrite. It does this by retrieving sectors from the disk if the operating system hasn't attempted to change them, and retrieving the changed version from memory for sectors that have been changed. This method is transparent to and compatible with all operating systems, and ensures that when the device is powered off, the disk remains unchanged and in its original state. Because the operating system's internal state persists only as long as the drive is mounted or powered on, assuming none of the writes were desired there is no adverse consequence to losing the data in the change buffer.
