Presentation is loading. Please wait.

Presentation is loading. Please wait.

Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015.

Published byOsborne Sanders Modified over 8 years ago

Similar presentations

Presentation on theme: "Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015."— Presentation transcript:

1 Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015

2 Disclaimer Certain company products may be mentioned or identified. Such identification does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that these products are necessarily the best available for the purpose. 2

3 Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 3

4 Computer Forensic Tool Testing Program (CFTT)  Validate tools used in computer-based crime investigations  Steering Committee  Sponsors: Law Enforcement Standards Office, Department of Homeland Security, Federal Bureau of Investigations, National Institute of Justice, among other agencies 4

5 CFTT Methodology Step 1 Test Specification - Requirements:. Core. Optional Step 2 Test Plan - Test Cases - Assertions Step 3 Setup and Test Procedures - Third Parties could replicate test cases if desired Step 4 Test Reports - Summary of results - Tool tested - Test case definition - Results Summary - Execution Environment - Detailed results 5

6 Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 6

7 Why test file carving tools?  To provide the law enforcement community valuable information so they can choose tools they can rely on.  Help vendors to improve their tools  Inform the users of the tools capabilities 7

8 Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 8

9 File Carving vs Deleted File Recovery File Carving  Reconstruct deleted files from unallocated storage based on file content, absent file system meta-data Deleted File Recovery  Reconstruct deleted files from unallocated storage based on file system meta-data 9

10 Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 10

11 Carving graphic files: things to consider  Multiple graphic file types – test them all?  File type specifics  header and footer  thumbnails (embedded files)  header only  Testing multiple tools 11

12  Tools support different parameters  Smart Carving  File systems behavior Carving graphic files: more to consider 12

13 Our focus  Default settings  Completion of the files  Fragmentation  Thumbnails  Files landing in/out sector boundary 13

14 Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 14

15 Data Sets (Test Cases) Creation  Graphic files selection – most common  File types used: .gif.bmp.png .jpg.tiff  8 files of each type were selected  7 thumbnails (.jpg) 15

16 Data Sets (Test Cases) Creation dd (command) dd image 16

17 Test Cases: 1 & 2  No Padding - no fill  Cluster Padded - basic Zero fill to end of last sector cluster sized blocks of text between pictures 17

18 Test Cases: 3 & 4 cluster sized blocks of text fragmenting pictures in order  Fragmented in order  Incomplete A A A B BB cluster sized blocks of text between pictures with missing fragments B CA C AB 18

19 Test Cases: 5 & 6 cluster sized blocks of text fragmenting pictures in disorder  Fragmented out of order  Braided A A A BB BC C A1A1 A2A2 B1B1 B2B2 19

20 Test Cases: 7  Byte Shifted dd image starts here 20

21 Tools Testing  We had  7 test cases  11 tools to test 21

22 Measuring Methods  Visibility of files carved  Is the data in a usable format? - viewable  Data recovered analysis  Is the data a 100% match? 22

23 Visibility Categories and Definitions  Viewable Complete – minor alteration Original Files Files Recovered 23

24 Visibility Categories and Definitions  Viewable Incomplete – major alteration File Recovered Original File 24

25 Visibility Categories and Definitions  Not Viewable  False Positive File Recovered Original File 25

26 Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 26

27 Files Recovered per Tool 27

28 Percentage of usable data 28

29 Results Overview  10 reports published at http://www.cyberfetch.org/http://www.cyberfetch.org/  Interesting findings  multiple files but only one file is viewable  same tool, 2 different versions = close results? 29

30 Files recovered by same tool TEST CASE NAME / KNOWN FILES FILES CARVED 30

31 Contacts James Lyle (project leader)Rick Ayers james.lyle@nist.govjames.lyle@nist.gov richard.ayers@nist.govrichard.ayers@nist.gov Jenise Reyes-Rodriguez jenise.reyes@nist.gov www.cftt.nist.gov www.cfreds.nist.gov http://www.cyberfetch.org/

Download ppt "Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015."

Similar presentations

Intro to WinHex CSC 414.

Intro to WinHex CSC 414.
A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.

A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.
Jim Lyle National Institute of Standards and Technology.

Jim Lyle National Institute of Standards and Technology.
Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.

Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.

Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.

Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.
The Evolution of File Carving Presenters: Muhammad Mohsin Butt(g201103010) COE589 Paper Presentation.

The Evolution of File Carving Presenters: Muhammad Mohsin Butt(g ) COE589 Paper Presentation.
Microsoft Office 2010 - Illustrated Fundamentals Unit M: Creating a Presentation.

Microsoft Office Illustrated Fundamentals Unit M: Creating a Presentation.
14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.

14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.
File System Analysis.

File System Analysis.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.

Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.

Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Computer & Network Forensics

Computer & Network Forensics
Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.

Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.
Mobile Device Forensics - Tool Testing Richard Ayers.

Mobile Device Forensics - Tool Testing Richard Ayers.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.
Computer Forensics Tool Catalog: Connecting Users With the Tools They Need AAFS –February 21, 2013 Ben Livelsberger NIST Information Technology Laboratory.

Computer Forensics Tool Catalog: Connecting Users With the Tools They Need AAFS –February 21, 2013 Ben Livelsberger NIST Information Technology Laboratory.
July 9, 2004 www.nsrl.nist.gov 1 National Software Reference Library Douglas White Information Technology Laboratory July 2004.

July 9, National Software Reference Library Douglas White Information Technology Laboratory July 2004.
Quirks Uncovered While Testing Forensic Tool Jim Lyle Information Technology Laboratory Agora March 28, 2008.

Quirks Uncovered While Testing Forensic Tool Jim Lyle Information Technology Laboratory Agora March 28, 2008.

Similar presentations

Ads by Google