Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.

Slides:

Advertisements

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Advertisements

A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.

Lectures on File Management

Jim Lyle National Institute of Standards and Technology.

Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.

Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.

Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.

Module 1: Installing Windows XP Professional

1 In-Process Metrics for Software Testing Kan Ch 10 Steve Chenoweth, RHIT Left – In materials testing, the goal always is to break it! That’s how you know.

14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.

Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.

Guide to Computer Forensics and Investigations Fourth Edition

Agenda Safe disposal practices for computers and information: –Removing files and folders –Disposing of computers –Disposing of other electronic devices.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Connecting with Computer Science, 2e

Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.

Systems Analysis I Data Flow Diagrams

COMPUTER BACKUP A disaster will happen to you one day…an accidentally deleted file, a new program that caused problems or a virus that wreaked havoc, wiping.

1 Chapter Overview Managing Compression Managing Disk Quotas Increasing Security with EFS Using Disk Defragmenter, Check Disk, and Disk Cleanup.

Operating Systems.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015.

Atola Insight Data Recovery Suite Dmitry Postrigan Atola Technology, Ukraine.

Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.

Mobile Device Forensics - Tool Testing Richard Ayers.

COEN 252 Computer Forensics

1 Functional Testing Motivation Example Basic Methods Timing: 30 minutes.

Computer Forensics Tool Catalog: Connecting Users With the Tools They Need AAFS –February 21, 2013 Ben Livelsberger NIST Information Technology Laboratory.

Hands-on: Capturing an Image with AccessData FTK Imager

Quirks Uncovered While Testing Forensic Tool Jim Lyle Information Technology Laboratory Agora March 28, 2008.

NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md.

Objectives Learn what a file system does

By Donald Wood CSS 350. Overview Forensic tools are an important part of the computer forensic investigator’s ability to perform his/her job. Imaging.

Drive Imaging Joe Cicero Northeast Wisconsin Technical College.

IT Essentials 1 v4.0 Chapters 4 & 5 JEOPARDY RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 5: Managing File Access.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 5 Windows XP Professional McGraw-Hill.

Segmentation & O/S Input/Output Chapter 4 & 5 Tuesday, April 3, 2007.

Ben Livelsberger NIST Information Technology Laboratory, CFTT Program

SSD Data Evaporation DEF CON 21 August 3, Bio.

Data Recovery Techniques Florida State University CIS 4360 – Computer Security Fall 2006 December 6, 2006 Matthew Alberti Horacesio Carmichael.

Component 4: Introduction to Information and Computer Science Unit 4: Application and System Software Lecture 3 This material was developed by Oregon Health.

Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or.

File System Management File system management encompasses the provision of a way to store your data in a computer, as well as a way for you to find and.

Managing Disks and Drives Chapter 13 powered by dj.

Chapter Eight Exploring the UNIX Utilities. 2 Lesson A Using the UNIX Utilities.

Guide to Computer Forensics and Investigations Fourth Edition

Getting Started Additional information. Important DOS Commands Getting Started dirlists disk directories verdisplays OS version clsclear command prompt.

Robert Crawford, MBA West Middle School.  Explain how the binary system is used by computers.  Describe how software is written and translated  Summarize.

Module 1: Installing Microsoft Windows XP Professional.

I/O Computer Organization II 1 Introduction I/O devices can be characterized by – Behavior: input, output, storage – Partner: human or machine – Data rate:

The Operating System ICS3M.  The operating system (OS) provides a consistent environment for other software programs to execute commands.  It gives.

Guide To UNIX Using Linux Third Edition Chapter 8: Exploring the UNIX/Linux Utilities.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008.

GCSE ICT 3 rd Edition The system life cycle 18 The system life cycle is a series of stages that are worked through during the development of a new information.

Hands-On Microsoft Windows Server 2008 Chapter 7 Configuring and Managing Data Storage.

Computer Operating Systems And Software applications.

Chapter 8 Forensic Duplication Spring Incident Response & Computer Forensics.

Mobile Device Data Population for Tool Testing Rick Ayers.

Defining, Measuring and Mitigating Errors for Digital Forensic Tools Jim Lyle, Project Leader NIST Computer Forensics Tool Testing Feb 25, 2016AAFS - Las.

JTAG Tool Testing Jenise Reyes-Rodriguez National Institue of Standards and Technology AAFS – February 25 th, 2016.

Digital Forensics Anthony Lawrence. Overview Digital forensics is a branch of forensics focusing on investigating electronic devises. Important in for.

GNS 312 (DIGITAL SKILL ACQUISITION)

CS703 - Advanced Operating Systems

COEN 252: Computer Forensics

Operating Systems Tasks 17/02/2019.

COMP755 Advanced Operating Systems

Presentation transcript:

Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology

Sep 14, 2010NeFX Georgetown University2 Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose.

Sep 14, 2010NeFX Georgetown University3 Project Sponsors  NIST/OLES (Program management)  National Institute of Justice (Major funding)  FBI (Additional funding)  Department of Defense, DCCI (Equipment and support)  Homeland Security (Major funding)  State & Local agencies (Technical input)  Internal Revenue, IRS (Technical input)

Sep 14, 2010NeFX Georgetown University4 Overview  Mostly high level thoughts and a few details about testing at CFTT  Conformance testing as used by CFTT  Some challenges for writing requirements and test cases  Selecting test cases  Thoughts on testing acquisition tools, write blocker tools and disk wiping tools

Sep 14, 2010NeFX Georgetown University5 General CFTT Method: Conformance Testing  Requirements specification  Background & definitions  Core behaviors for all tools  Optional features and behaviors  Test Assertions -- atomic tests  Test Cases -- each case evaluates some subset of the assertions  Test procedures -- how to run tests  Test Reports

Sep 14, 2010NeFX Georgetown University6 CFTT Reports (since Aug 2002) Tool TypePublishedTesting/Drafting Disk imaging152 Software Blocker90 Hardware Blocker210 Mobile Devices106 Drive erase/wipe44

Sep 14, 2010NeFX Georgetown University7 Challenges to Creating a Specification  Diversity of tool features  May not be one correct behavior  Write blocker behavior  Deleted file recovery  File Carving  Some actions not exactly repeatable, e.g., memory acquire  Needs to allow for evolution of technology

Sep 14, 2010NeFX Georgetown University8 Challenges to Creating Test Cases  Many errors only manifest if there is a specific set of conditions.  Combinatorics -- testing enough combinations of parameters & possible values  Example (creating a disk image)  Partition: FAT, NTFS, ext3, HFS  Physical: ATA, SCSI, USB, 1394  Destination: image, clone  Error: none, bad sector, out of space  4x4x2x3 = 96 runs -- at 3 hours/run hours or 36 days or about 7 weeks

Sep 14, 2010NeFX Georgetown University9 Selecting Test Cases  When are you done?  One test for each assertion may not be enough.  One test for every combination of test parameters and parameter values is too many.  Pair-wise test case -- usually enough to trigger most combination based faults  Fault based testing -- what mistakes might the programmer make  Some test cases are templates for a set of similar runs (case variations over some parameter, e.g., interface: ATA, USB, etc.)

Sep 14, 2010NeFX Georgetown University10 Testing Acquisition Tools  Use case variations to vary some parameters like --  Source interface: ATA28, ATA48, SATA, USB, FW, SCSI  Destination File system: FAT32, NTFS, HFS  Type of hidden area: HPA, DCO, HPA+DCO  Partition Type: FAT16, FAT32, NTFS, ext3  Use pair-wise case selection to reduce total number of cases

Sep 14, 2010NeFX Georgetown University11 Testing Write Blockers  Use cmd generator to send all possible I/O commands (even undefined commands)  Monitor blocker output to characterize tool behavior (preferred measurement method)  All writes must be blocked  At least one read cmd must be allowed  Just report on behavior for anything else  Alternate test cases (using different measurements) if can’t use generator or monitor

Sep 14, 2010NeFX Georgetown University12 Forensic Media Preparation  Disk wiping for internal reuse (not for disposal)  For disposal see: NIST SP-88 Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology  Write vs SECURE ERASE

Sep 14, 2010NeFX Georgetown University13 Disk Wipe Requirements  Method: WRITE or SECURE ERASE  ERASE support: not all drives do it  What to wipe: visible (yes) DCO/HPA ?  HPA/DCO: remove or replace?  Notify if there is a write error?  Yes, of course notify the user  Could be hard to test reliably - skip for now  Multi-pass or verify? no - not testable

Sep 14, 2010NeFX Georgetown University14 Wipe Test Issues  Reporting final state of HPA/DCO: removed or in place  Reporting Drive size with HPA  Linux may remove an HPA  Bridges and blockers too  Reporting result of attempt to use ERASE on non-supporting drive  What should drive be wiped with: zeros, ones, user specified pattern, random values?

Sep 14, 2010NeFX Georgetown University15 Interesting Results  HPA/DCO ignored  HPA/DCO removed, but not wiped  Erase implementation issues  Tool fails if “erase time” not supported by the drive

DFR Testing Overview  About 17 test cases defined (1 run for each file system family, 4 runs per case)  Is particular file system supported  Can active files be listed  Support for non-ASCII file names  Can deleted file names be recovered (maybe not)  Recover contiguous content  Recover fragmented content  Identify overwritten content Sep 14, NeFX Georgetown University

Testing Supported File Systems  Basic Case to identify supported file systems  Test case – 1.Create three files: A, B & C 2.Delete file B 3.Capture image OSFile Systems WINFAT 12/16/32NTNTC MacHFSOSXOSX-JOSX-COSX-JC LinuxExt2Ext3Ext4 Sep 14, NeFX Georgetown University

Supported File Systems: Results ToolActive File ListDeleted File Name Deleted File Content Tool #1FAT,HFS,OSX, OSXJ, EXT Nothing: OSXC, OSXCJ FAT, NT No name: OSX, EXT FAT, NT, ext2 (as lost file), Nothing: ext3/4, HFS, OSX/C/J Tool #2FAT, NT, HFS, OSX/C/J, EXT2/3 Nothing: ext4 FAT, NT No name: OSX, EXT FAT, NT, EXT2 No content: NTC, OSX/J/C, EXT3/4 Tool #3FAT, NT, HFS, OSX/C/J, EXT Nothing: OSXCJ FAT, NT No name: OSX, EXT FAT, NT, EXT2 No content: OXS/J/C, EXT3/4 Sep 14, NeFX Georgetown University

Non-ASCII File Names 1.Create set of files with non-ASCII file names  European diacritical marks  Asian characters  Right to left text 2.Delete some files 3.Run tools (#1, #2 & #3) Sep 14, NeFX Georgetown University

Non-ASCII File Names Most tools rendered non-ASCII correctly for most file systems. Two tools had problem rendering Korean text from OSX One tool could not render non-ASCII file names from EXT2 Sep 14, NeFX Georgetown University

Sep 14, 2010NeFX Georgetown University21 Summary  Give tool opportunity to fail -- diverse test suite & fault based test cases  Case templates that vary over a parameter -- this is useful as technology evolves  Use pair-wise testing to allocate lots of parameters among a few test cases  Have alternate cases with different measurement tools if first measurement method can’t be used

Sep 14, 2010NeFX Georgetown University22 Contacts Jim LyleDoug White Sue Ballou, Office of Law Enforcement Standards Steering Committee Rep. For State/Local Law Enforcement