Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.

Published byJuliana Preston Modified over 9 years ago

Similar presentations

Presentation on theme: "Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology."— Presentation transcript:

1 Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology

2 Sep 14, 2010NeFX Georgetown University2 Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose.

3 Sep 14, 2010NeFX Georgetown University3 Project Sponsors  NIST/OLES (Program management)  National Institute of Justice (Major funding)  FBI (Additional funding)  Department of Defense, DCCI (Equipment and support)  Homeland Security (Major funding)  State & Local agencies (Technical input)  Internal Revenue, IRS (Technical input)

4 Sep 14, 2010NeFX Georgetown University4 Overview  Mostly high level thoughts and a few details about testing at CFTT  Conformance testing as used by CFTT  Some challenges for writing requirements and test cases  Selecting test cases  Thoughts on testing acquisition tools, write blocker tools and disk wiping tools

5 Sep 14, 2010NeFX Georgetown University5 General CFTT Method: Conformance Testing  Requirements specification  Background & definitions  Core behaviors for all tools  Optional features and behaviors  Test Assertions -- atomic tests  Test Cases -- each case evaluates some subset of the assertions  Test procedures -- how to run tests  Test Reports

6 Sep 14, 2010NeFX Georgetown University6 CFTT Reports (since Aug 2002) Tool TypePublishedTesting/Drafting Disk imaging152 Software Blocker90 Hardware Blocker210 Mobile Devices106 Drive erase/wipe44

7 Sep 14, 2010NeFX Georgetown University7 Challenges to Creating a Specification  Diversity of tool features  May not be one correct behavior  Write blocker behavior  Deleted file recovery  File Carving  Some actions not exactly repeatable, e.g., memory acquire  Needs to allow for evolution of technology

8 Sep 14, 2010NeFX Georgetown University8 Challenges to Creating Test Cases  Many errors only manifest if there is a specific set of conditions.  Combinatorics -- testing enough combinations of parameters & possible values  Example (creating a disk image)  Partition: FAT, NTFS, ext3, HFS  Physical: ATA, SCSI, USB, 1394  Destination: image, clone  Error: none, bad sector, out of space  4x4x2x3 = 96 runs -- at 3 hours/run -- 288 hours or 36 days or about 7 weeks

9 Sep 14, 2010NeFX Georgetown University9 Selecting Test Cases  When are you done?  One test for each assertion may not be enough.  One test for every combination of test parameters and parameter values is too many.  Pair-wise test case -- usually enough to trigger most combination based faults  Fault based testing -- what mistakes might the programmer make  Some test cases are templates for a set of similar runs (case variations over some parameter, e.g., interface: ATA, USB, etc.)

10 Sep 14, 2010NeFX Georgetown University10 Testing Acquisition Tools  Use case variations to vary some parameters like --  Source interface: ATA28, ATA48, SATA, USB, FW, SCSI  Destination File system: FAT32, NTFS, HFS  Type of hidden area: HPA, DCO, HPA+DCO  Partition Type: FAT16, FAT32, NTFS, ext3  Use pair-wise case selection to reduce total number of cases

11 Sep 14, 2010NeFX Georgetown University11 Testing Write Blockers  Use cmd generator to send all possible I/O commands (even undefined commands)  Monitor blocker output to characterize tool behavior (preferred measurement method)  All writes must be blocked  At least one read cmd must be allowed  Just report on behavior for anything else  Alternate test cases (using different measurements) if can’t use generator or monitor

12 Sep 14, 2010NeFX Georgetown University12 Forensic Media Preparation  Disk wiping for internal reuse (not for disposal)  For disposal see: NIST SP-88 Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology  Write vs SECURE ERASE

13 Sep 14, 2010NeFX Georgetown University13 Disk Wipe Requirements  Method: WRITE or SECURE ERASE  ERASE support: not all drives do it  What to wipe: visible (yes) DCO/HPA ?  HPA/DCO: remove or replace?  Notify if there is a write error?  Yes, of course notify the user  Could be hard to test reliably - skip for now  Multi-pass or verify? no - not testable

14 Sep 14, 2010NeFX Georgetown University14 Wipe Test Issues  Reporting final state of HPA/DCO: removed or in place  Reporting Drive size with HPA  Linux may remove an HPA  Bridges and blockers too  Reporting result of attempt to use ERASE on non-supporting drive  What should drive be wiped with: zeros, ones, user specified pattern, random values?

15 Sep 14, 2010NeFX Georgetown University15 Interesting Results  HPA/DCO ignored  HPA/DCO removed, but not wiped  Erase implementation issues  Tool fails if “erase time” not supported by the drive

16 DFR Testing Overview  About 17 test cases defined (1 run for each file system family, 4 runs per case)  Is particular file system supported  Can active files be listed  Support for non-ASCII file names  Can deleted file names be recovered (maybe not)  Recover contiguous content  Recover fragmented content  Identify overwritten content Sep 14, 201016NeFX Georgetown University

17 Testing Supported File Systems  Basic Case to identify supported file systems  Test case – 1.Create three files: A, B & C 2.Delete file B 3.Capture image OSFile Systems WINFAT 12/16/32NTNTC MacHFSOSXOSX-JOSX-COSX-JC LinuxExt2Ext3Ext4 Sep 14, 201017NeFX Georgetown University

18 Supported File Systems: Results ToolActive File ListDeleted File Name Deleted File Content Tool #1FAT,HFS,OSX, OSXJ, EXT Nothing: OSXC, OSXCJ FAT, NT No name: OSX, EXT FAT, NT, ext2 (as lost file), Nothing: ext3/4, HFS, OSX/C/J Tool #2FAT, NT, HFS, OSX/C/J, EXT2/3 Nothing: ext4 FAT, NT No name: OSX, EXT FAT, NT, EXT2 No content: NTC, OSX/J/C, EXT3/4 Tool #3FAT, NT, HFS, OSX/C/J, EXT Nothing: OSXCJ FAT, NT No name: OSX, EXT FAT, NT, EXT2 No content: OXS/J/C, EXT3/4 Sep 14, 201018NeFX Georgetown University

19 Non-ASCII File Names 1.Create set of files with non-ASCII file names  European diacritical marks  Asian characters  Right to left text 2.Delete some files 3.Run tools (#1, #2 & #3) Sep 14, 201019NeFX Georgetown University

20 Non-ASCII File Names Most tools rendered non-ASCII correctly for most file systems. Two tools had problem rendering Korean text from OSX One tool could not render non-ASCII file names from EXT2 Sep 14, 201020NeFX Georgetown University

21 Sep 14, 2010NeFX Georgetown University21 Summary  Give tool opportunity to fail -- diverse test suite & fault based test cases  Case templates that vary over a parameter -- this is useful as technology evolves  Use pair-wise testing to allocate lots of parameters among a few test cases  Have alternate cases with different measurement tools if first measurement method can’t be used

22 Sep 14, 2010NeFX Georgetown University22 Contacts Jim LyleDoug White www.cftt.nist.govwww.nsrl.nist.gov cftt@nist.govnsrl@nist.gov Sue Ballou, Office of Law Enforcement Standards Steering Committee Rep. For State/Local Law Enforcement susan.ballou@nist.gov

Download ppt "Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.

A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.
Lectures on File Management

Lectures on File Management
Jim Lyle National Institute of Standards and Technology.

Jim Lyle National Institute of Standards and Technology.
Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.

Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.

Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.

Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.
Module 1: Installing Windows XP Professional

Module 1: Installing Windows XP Professional
1 In-Process Metrics for Software Testing Kan Ch 10 Steve Chenoweth, RHIT Left – In materials testing, the goal always is to break it! That’s how you know.

1 In-Process Metrics for Software Testing Kan Ch 10 Steve Chenoweth, RHIT Left – In materials testing, the goal always is to break it! That’s how you know.
14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.

14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.
Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 12 Page 1 CS 111 Online Devices and Device Drivers CS 111 On-Line MS Program Operating Systems Peter Reiher.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.

Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Agenda Safe disposal practices for computers and information: –Removing files and folders –Disposing of computers –Disposing of other electronic devices.

Agenda Safe disposal practices for computers and information: –Removing files and folders –Disposing of computers –Disposing of other electronic devices.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.

Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Connecting with Computer Science, 2e

Connecting with Computer Science, 2e
Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.

Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.
Systems Analysis I Data Flow Diagrams

Systems Analysis I Data Flow Diagrams

Similar presentations

Ads by Google