Presentation is loading. Please wait.

Presentation is loading. Please wait.

NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md.

Published byBarbra Hamilton Modified over 8 years ago

Similar presentations

Presentation on theme: "NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md."— Presentation transcript:

1 NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md

2 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT2 Talk Overview Project Background Test methodology Creating the disk imaging specification Testing imaging tools Current CFTT status Future directions

3 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT3 DISCLAIMER Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose.

4 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT4 Goals of CFTT Problem: Computer forensic investigators need tools that … Work well and Produce results admissible in court Response: Establish a testing methodology by developing for forensic tools … Specifications Test procedures Test cases

5 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT5 Why is NIST involved? Mission: Assist federal, state & local agencies NIST is a neutral organization – not law enforcement or vendor NIST provides an open, rigorous process

6 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT6 Overview of Methodology CFTT directed by Steering Committee Functionality driven Specifications developed for specific categories of activities, e.g., disk imaging, hard drive write protect, etc. Test methodology developed for each category

7 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT7 Developing a Specification After tool category selected by SC … Focus group (law enforcement + ITL) develop tool category specification Spec posted to web for public comment Comments incorporated Develop test environment

8 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT8 Tool Test Process After SC selects a tool … Acquire tool & review documentation Select test cases Execute test cases Produce test report

9 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT9 Capabilities to test disk imaging Accuracy of copy –Compare disks –Initialize disk sectors to unique content Verify source disk unchanged Corrupt an image file Error handling: reliably faulty disk

10 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT10 Test Case Structure: Setup 1. Record details of source disk setup. 2. Initialize the source disk to a known value. 3. Hash the source disk and save hash value. 4. Record details of test case setup. 5. Initialize a destination disk. 6. If the test requires a partition, create and format a partition on the destination disk. 7. If the test uses an image file, partition and format a disk for the image file.

11 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT11 Test Case Structure: Run Tool 8.If required, setup I/O error 9.If required, create image file 10.If required, corrupt image file 11.Create destination

12 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT12 Test Case Structure: Measure 12.Compare Source to Destination 13.Rehash the Source

13 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT13 Disk Imaging Test Parameters ParameterValue FunctionsCopy, Image, Verify Source interfaceBIOS to IDE, BIOS to SCSI, ATA, ASPI, Legacy BIOS Dst interface Relative sizeSrc=Dst, Src Dst ErrorsNone, Src Rd, Dst Wt, Img R/W/C Object typeDisk, FAT12/16/32, NT, Ext2 Remote accessYes, no

14 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT14 Evaluating Test Results If a test exhibits an anomaly … 1.Look for hardware or procedural problem 2.Anomaly seen before 3.If unique, look at more cases 4.Examine similar anomalies

15 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT15 Refining the Test Procedure During dd testing some results seemed to indicate that the Linux environment was making a change to the source disk. After investigation we found that the problem was actually the test procedure.

16 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT16 Current Status Test reports for Linux dd & SafeBack 2.18 in final review Developing test cases for software hard drive write protect specification Running EnCase tests

17 DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT17 Future Tasks Deleted file recovery specification Hardware hard disk write protect device specification Testing other disk imaging tools

Download ppt "NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md."

Similar presentations

The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.

The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.
A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.

A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.
Write Blocking CSC 485/585.

Write Blocking CSC 485/585.
Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)

Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)
Jim Lyle National Institute of Standards and Technology.

Jim Lyle National Institute of Standards and Technology.
Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.

Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.

Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.

Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.
14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.

14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.

Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Slides by Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802

Slides by Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802
Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.

Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Third Edition Chapter 7 Current Computer Forensics Tools.

Guide to Computer Forensics and Investigations Third Edition Chapter 7 Current Computer Forensics Tools.
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
Testing - an Overview September 10, 2008 1. What is it, Why do it? Testing is a set of activities aimed at validating that an attribute or capability.

Testing - an Overview September 10, What is it, Why do it? Testing is a set of activities aimed at validating that an attribute or capability.
Encase Overview. What is Encase EnCase Forensic is the industry standard in computer forensic investigation technology. Encase is a single tool, capable.

Encase Overview. What is Encase EnCase Forensic is the industry standard in computer forensic investigation technology. Encase is a single tool, capable.
Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015.

Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015.

Similar presentations

Ads by Google