Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015.

Slides:



Advertisements
Similar presentations
Intro to WinHex CSC 414.
Advertisements

A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.
Jim Lyle National Institute of Standards and Technology.
Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.
The Evolution of File Carving Presenters: Muhammad Mohsin Butt(g ) COE589 Paper Presentation.
Microsoft Office Illustrated Fundamentals Unit M: Creating a Presentation.
14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.
File System Analysis.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.
Guide to Computer Forensics and Investigations Fourth Edition
Computer & Network Forensics
Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.
Mobile Device Forensics - Tool Testing Richard Ayers.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.
Computer Forensics Tool Catalog: Connecting Users With the Tools They Need AAFS –February 21, 2013 Ben Livelsberger NIST Information Technology Laboratory.
July 9, National Software Reference Library Douglas White Information Technology Laboratory July 2004.
Quirks Uncovered While Testing Forensic Tool Jim Lyle Information Technology Laboratory Agora March 28, 2008.
Use a Large Bold Type for the Main Title Use Smaller Type for the Subtitle. Above type is 96 pt, this type is 66 pt Make Authors’ names smaller. This is.
NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md.
Texas House of Representatives Committee on Criminal Jurisprudence Testimony of Randall S. James Banking Commissioner Texas Department of Banking August.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Working Group: Practical Policy Rainer Stotzka, Reagan Moore.
Digital Crime Scene Investigative Process
Ben Livelsberger NIST Information Technology Laboratory, CFTT Program
CS526: Information Security Chris Clifton December 4, 2003 Forensics.
Microsoft Publisher 2010 Chapter 4 Creating a Custom Publication from Scratch.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or.
Guide to Computer Forensics and Investigations Fourth Edition
Investigation of a USB Storage Device (FAT16)
1 Chapter Overview Preparing to Upgrade Performing a Version Upgrade from Microsoft SQL Server 7.0 Performing an Online Database Upgrade from SQL Server.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008.
Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition.
Selective and Intelligent Imaging Using Digital Evidence Bags.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.
When Is Full Blown Forensics Necessary? John Rosenthal, Esq. Partner, Winston Strawn DC Office Chris H. Paskach Partner KPMG LLP Patrick Oot, Esq Vice.
Mobile Device Data Population for Tool Testing Rick Ayers.
Defining, Measuring and Mitigating Errors for Digital Forensic Tools Jim Lyle, Project Leader NIST Computer Forensics Tool Testing Feb 25, 2016AAFS - Las.
JTAG Tool Testing Jenise Reyes-Rodriguez National Institue of Standards and Technology AAFS – February 25 th, 2016.
Digital Forensics Anthony Lawrence. Overview Digital forensics is a branch of forensics focusing on investigating electronic devises. Important in for.
1 View drawing guides 1. Click View menu 2. Set check on Guides Insert Presentation title 1. Choose Insert in the top menu 2. Click on Header and Footer.
A UNIVERSAL CARVING APPROACH FOR DATABASE FORENSIC ANALYSIS James Wagner, Alexander Rasin, Jonathan Grier.
Efficient Drive forensics – and it’s free!
Permeability (% of Control)
Permeability (% of Control)
Objectives At the end of this session, students will be able to:
Lesson 4 Working with a Presentation Outline
Lesson 4 Working with a Presentation Outline
The Need For Forensic Capabilities In The Commercial Sector
CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Forensic Concept of Data
Lesson 4 Working with a Presentation Outline
Lesson 4 Working with a Presentation Outline
Interpreting Binary Data
Federal Law Enforcement
Digital Forensics Dr. Bhavani Thuraisingham
Lesson 4 Working with a Presentation Outline
1 Advanced Cyber Security Forensics Training for Law Enforcement Building Advanced Forensics & Digital Evidence Human Resource in the Law Enforcement sector.
Computer Forensics Lab 1 INFORMATION TECHNOLOGY DEPARTMENT LEBANESE FRENCH UNIVERSITY (LFU) COURSE CODE: IT402CF 1.
Digital Forensics Andrew Schierberg, Fort Mitchell Police, Schierberg LAw Jay Downs, Kenton County Police.
Microsoft Office Illustrated Fundamentals
Lesson 4: Working with a Presentation Outline
Use a Large Bold Type for the Main Title (80 pt):
Permeability (% of Control)
Use a Large Bold Type for the Main Title (80 pt):
Use a Large Bold Type for the Main Title (70 pt):
Permeability (% of Control)
Use a Large Bold Type for the Main Title (70 pt):
Presentation transcript:

Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015

Disclaimer Certain company products may be mentioned or identified. Such identification does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that these products are necessarily the best available for the purpose. 2

Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 3

Computer Forensic Tool Testing Program (CFTT)  Validate tools used in computer-based crime investigations  Steering Committee  Sponsors: Law Enforcement Standards Office, Department of Homeland Security, Federal Bureau of Investigations, National Institute of Justice, among other agencies 4

CFTT Methodology Step 1 Test Specification - Requirements:. Core. Optional Step 2 Test Plan - Test Cases - Assertions Step 3 Setup and Test Procedures - Third Parties could replicate test cases if desired Step 4 Test Reports - Summary of results - Tool tested - Test case definition - Results Summary - Execution Environment - Detailed results 5

Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 6

Why test file carving tools?  To provide the law enforcement community valuable information so they can choose tools they can rely on.  Help vendors to improve their tools  Inform the users of the tools capabilities 7

Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 8

File Carving vs Deleted File Recovery File Carving  Reconstruct deleted files from unallocated storage based on file content, absent file system meta-data Deleted File Recovery  Reconstruct deleted files from unallocated storage based on file system meta-data 9

Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 10

Carving graphic files: things to consider  Multiple graphic file types – test them all?  File type specifics  header and footer  thumbnails (embedded files)  header only  Testing multiple tools 11

 Tools support different parameters  Smart Carving  File systems behavior Carving graphic files: more to consider 12

Our focus  Default settings  Completion of the files  Fragmentation  Thumbnails  Files landing in/out sector boundary 13

Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 14

Data Sets (Test Cases) Creation  Graphic files selection – most common  File types used: .gif.bmp.png .jpg.tiff  8 files of each type were selected  7 thumbnails (.jpg) 15

Data Sets (Test Cases) Creation dd (command) dd image 16

Test Cases: 1 & 2  No Padding - no fill  Cluster Padded - basic Zero fill to end of last sector cluster sized blocks of text between pictures 17

Test Cases: 3 & 4 cluster sized blocks of text fragmenting pictures in order  Fragmented in order  Incomplete A A A B BB cluster sized blocks of text between pictures with missing fragments B CA C AB 18

Test Cases: 5 & 6 cluster sized blocks of text fragmenting pictures in disorder  Fragmented out of order  Braided A A A BB BC C A1A1 A2A2 B1B1 B2B2 19

Test Cases: 7  Byte Shifted dd image starts here 20

Tools Testing  We had  7 test cases  11 tools to test 21

Measuring Methods  Visibility of files carved  Is the data in a usable format? - viewable  Data recovered analysis  Is the data a 100% match? 22

Visibility Categories and Definitions  Viewable Complete – minor alteration Original Files Files Recovered 23

Visibility Categories and Definitions  Viewable Incomplete – major alteration File Recovered Original File 24

Visibility Categories and Definitions  Not Viewable  False Positive File Recovered Original File 25

Outline  Computer Forensic Tool Testing Program (CFTT)  Why test carving tools?  File Carving vs Deleted File Recovery  Brainstorming before testing  Testing Methodology  Results Overview 26

Files Recovered per Tool 27

Percentage of usable data 28

Results Overview  10 reports published at  Interesting findings  multiple files but only one file is viewable  same tool, 2 different versions = close results? 29

Files recovered by same tool TEST CASE NAME / KNOWN FILES FILES CARVED 30

Contacts James Lyle (project leader)Rick Ayers Jenise Reyes-Rodriguez

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.