Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.

Slides:



Advertisements
Similar presentations
The Impact of Logical and Physical Fragmentation in a Virtual Environment Presented by Raxco Software, Inc. October 29, 2009.
Advertisements

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.
COMP091 – Operating Systems 1
Testing Write Blockers James R Lyle CFTT Project NIST/ITL/SDCT November 06, 2006.
Jim Lyle National Institute of Standards and Technology.
Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.
1 X-Ways Security: Permanent Erasure Supervised By: Dr. Lo’ai Tawalbeh Prepared By :Murad M. Ali.
The Evolution of File Carving Presenters: Muhammad Mohsin Butt(g ) COE589 Paper Presentation.
14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.
File Systems Examples.
Ext2/Ext3 Linux File System Reporter: Po-Liang, Wu.
File System Analysis.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.
1 EXT4NTFS 6FAT32 Allocation method IndexedIndexed, by “runs”Linked File representation i-node (default size 256KB) MFT record (default size 1Kb) Chain.
Day 29 File System.
Windows XP File System Management Group D. 3 Layers of Drivers Filter Drivers Filter Drivers –Virus protection, compression, encryption File System Drivers.
Agenda Safe disposal practices for computers and information: –Removing files and folders –Disposing of computers –Disposing of other electronic devices.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
Connecting with Computer Science, 2e
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
Basic File Recovery Techniques BACS 371 Computer Forensics.
Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015.
Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.
Mobile Device Forensics - Tool Testing Richard Ayers.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas File Systems and Forensics Tools September 20, 2013.
COEN 252 Computer Forensics
Computer Forensics Tool Catalog: Connecting Users With the Tools They Need AAFS –February 21, 2013 Ben Livelsberger NIST Information Technology Laboratory.
Forensic analysis of Windows hosts using UNIX-based tools Source : Digital Investigation (2004) 1, Writer : Cory Altheide Reporter : Yao Professor.
MHDD Data Recovery & Forensics v15 - © 2009 MHDD 1 Hard Drive Kung Fu Magic MFT & File Based Imaging Data Recovery Forensics by Scott A. Moulton
Quirks Uncovered While Testing Forensic Tool Jim Lyle Information Technology Laboratory Agora March 28, 2008.
FGDC Standards Process Review Survey Results Summary Julie Binder Maitra FGDC Standards Coordinator April 13, 2010 Coordination.
NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md.
Objectives Learn what a file system does
BACS 371 Computer Forensics
 FILE S SYSTEM  DIFFERENT FILE SYSTEMS  FILE SYSTEM COMPONENTS  FILE OPERATIONS  LOG STRUCTERD FILE SYSTEM  FILE EXAMPLES.
1 File Systems Chapter Files 6.2 Directories 6.3 File system implementation 6.4 Example file systems.
Ben Livelsberger NIST Information Technology Laboratory, CFTT Program
SSD Data Evaporation DEF CON 21 August 3, Bio.
Digital Forensics and Demonstration of Basic Forensic Techniques Thanks to… Jim Gordon MSc MBCS Worcester University 12th Nov 2012 Digital Infrastructure.
Data Recovery Techniques Florida State University CIS 4360 – Computer Security Fall 2006 December 6, 2006 Matthew Alberti Horacesio Carmichael.
File Systems in Real-Time Embedded Applications March 4th Eric Julien Introduction to File Systems 1.
Component 4: Introduction to Information and Computer Science Unit 4: Application and System Software Lecture 3 This material was developed by Oregon Health.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or.
Windows NTFS Introduction to Operating Systems: Module 15.
THE ALTERNATIVE UNIVERSE. DISCLAIMER: Futures and options trading involves substantial risk of loss and is not suitable for every investor. The valuation.
Using Model Checking to Find Serious File System Errors StanFord Computer Systems Laboratory and Microsft Research. Published in 2004 Presented by Chervet.
Module 4.0: File Systems File is a contiguous logical address space.
Chapter 18 ©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. Forensic Examination of UNIX Systems.
NTFS 5.0 By Jeffrey Richter and Luis Felipe Cabrera From the Microsoft Systems Journal Presented by Stylianos Paparizos.
Lecture 20 FSCK & Journaling. FFS Review A few contributions: hybrid block size groups smart allocation.
NTFS Filing System CHAPTER 9. New Technology File System (NTFS) Started with Window NT in 1993, Windows XP, 2000, Server 2003, 2008, and Window 7 also.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.
Chapter 8 File Systems FAT 12/16/32. Defragmentation Defrag a hard drive – Control Panel  System and Security  Administration tools  Defrag hard drive.
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
Mobile Device Data Population for Tool Testing Rick Ayers.
Defining, Measuring and Mitigating Errors for Digital Forensic Tools Jim Lyle, Project Leader NIST Computer Forensics Tool Testing Feb 25, 2016AAFS - Las.
Silberschatz, Galvin and Gagne ©2011 Operating System Concepts Essentials – 8 th Edition Chapter 3: Windows7 Part 3.
JTAG Tool Testing Jenise Reyes-Rodriguez National Institue of Standards and Technology AAFS – February 25 th, 2016.
Digital Forensics Anthony Lawrence. Overview Digital forensics is a branch of forensics focusing on investigating electronic devises. Important in for.
Efficient Drive forensics – and it’s free!
Introduction to Computers
File Systems Implementation
Job Seeker Career Path Planner Advanced degree College Degree
Digital Forensics Dr. Bhavani Thuraisingham
Digital Forensics Andrew Schierberg, Fort Mitchell Police, Schierberg LAw Jay Downs, Kenton County Police.
Data Recovery: Why Secure Deletion is so Important.
Chapter 5 File Systems -Compiled for MCA, PU
Presentation transcript:

Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1

 Develop specifications for testing forensic tools  Disk Imaging  Write Blocking  Drive erase for reuse  Metadata based deleted file recovery  Other specs in development  Submit test reports to NIJ for publication ~90 2/21/13AAFS -- Washington2 CFTT

 Deleted file recovery (DFR)  Metadata based (from directory, i-node, MFT, etc.) – now  Signature based (aka file carving) – next  Tested six popular tools  Test reports are being drafted for publication later this year 2/21/13AAFS -- Washington3 Deleted File Recovery

The presentation will impact the forensic community by:  increase awareness in the community of ability of tool testing to reveal anomalies in tool behavior  help the forensic practitioner recognize tool limitations 2/21/13AAFS -- Washington4 Talk Goals

 Metadata relationships  Test suite  Identifying Supported file systems  Consider if there is fragmentation, but intact  Overwriting  Chaos  Summary 2/21/13AAFS -- Washington5 Remainder of Talk

Metadata relationships with data 2/21/13AAFS -- Washington6 Active Metadata Data Residual Metadata Data Active Metadata Data Residual Metadata Active Metadata Data Residual Metadata Data Residual Metadata

DFR-01.Recover one non-fragmented file. DFR-02.Recover file with two fragments. DFR-03.Recover file with multiple frags. DFR-04.Recover files with non-ASCII names. DFR-05.Recover several fragmented files. DFR-06.Recover one large file. DFR-07.Recover one overwritten file. DFR-08.Recover several overwritten files. DFR-09.Recover 1000 files no overwrite. 2/21/13AAFS -- Washington7 17 BaseTest Cases DFR-10.Recover 1000 files, overwritten. DFR-11.Recover one directory. DFR-12.Recover multiple directories. DFR-13.Recover random activity. DFR-14.Recover other file system object. DFR-15.List one of each object. DFR-16.List a large number of files. DFR-17.List deep file paths. At least 4 images per case: 1.FAT: FAT12, FAT16 & FAT32 2.ExFAT 3.NTFS 4.EXT: ext2, ext3 & ext4 Some one-off images: NTFS compressed NTFS file in MFT HFS+ file listing Recycle bin/trash can

Supported File Systems 2/21/13AAFS -- Washington8 FS ext2 ✔✔✔✔✔✔ ext3 ext4 FAT ✔✔✔✔✔✔ NTFS ✔✔✔✔✔✔ ExFAT ✔✔✔✔ HFS+ Determine supported file systems by trying a simple case – Delete a single file, see if the six tools recovers anything

AB1CB2DB3EB4 2/21/13AAFS -- Washington9 FAT Fragmentation Case FAT Recover a file in 4 fragments Layout: A, C, D & E are active files; B is deleted ToolRecovered File 1B1B2B3B4 2B1 3 C(1) 4B1B2B3B4 5B1B2B3B4 6B1CB2D Results: Three tools recovered entire file One tool stopped after first cluster One tool included part of an active file One tool recovered two fragments and two clusters from active files

Fragmentation – Other File Systems 2/21/13AAFS -- Washington10  NTFS – Well behaved  Ext2 – recovered where supported  One tool had trouble with ext2 FS FAT ✔ 11A ✔✔ 2AM ExFAT ✔✗✗☐☐✔ NTFS ✔✔✔✔✔✔ ext22 ✔✔✔✔✔ ☐ -- not supported ✗ -- not recovered ✔ -- recovered Other – partial recovery

Summary for non-overwriting Cases 2/21/13AAFS -- Washington11  Best results on NTFS, all files recovered by all tools  Some tools miss a few files from ext2  All tools miss a few files from ExFAT # recovered / # deleted FS FAT807/819792/ / /819 ExFAT270/273254/273265/273 ☐☐ 270/273 NTFS273/273 ext264/273273/ /273273/273271/273

Anomalies for non-overwriting Cases by data source 2/21/13AAFS -- Washington12  Except for one file recovered by tool #5, and 3 recovered by tool #3, all recovered content came for current or previous files  Tool #3 recovered 296 of 273 deleted NTFS files # multi-src / # other src / # Active file FS FAT9/0/06/0/027/3/189/0/012/0/324/0/18 ExFAT0/0/110/0/108/0/8 ☐☐ 0/0/0 NTFS0/0/10/0/023/0/230/0/00/1/00/0/0 ext20/0/0

Overwrite Cases: Data & Metadata Available Metadata and File Block Summary Metadata ExistsMetadata Overwritten CaseDeletedIntactPartialNoneIntactPartialNone FAT ExFAT NTFS EXT

Summary for Overwriting Cases 2/21/13AAFS -- Washington14  Best results on FAT & NTFS  One tool showed poor results for ext2  Results for ExFAT vary # intact files with metadata / # deleted FS FAT (1118/2894) 885 ExFAT (376/965) ☐☐ 370 NTFS (371/965) Ext (408/956)

Anomalies for overwriting Cases by data source 2/21/13AAFS -- Washington15  Lots of recovered files include data from more than one source  NTFS seems best behaved # multi-src / # other src / # Active file FS FAT 304/4/41183/3/41309/66/ /3/0269/3/40297/81/197 ExFAT 18/14/1695/7/9489/10/ /18/16 NTFS 24/2/2421/24/029/0/2921/14/624/2/2424/0/24 ext2 107/52/925/26/0431/17/42616/8/1729/56/16229/17/24

 The residual metadata varies with the file system. For example, file names may be completely or partially lost, pointers to file blocks may be overwritten.  Only the first block of a deleted file is identified for FAT file systems. Some tools guess the location of the remainder of the deleted file; this strategy often leads to recovered files that are mixed from several original files.  The tools sometimes include blocks from active files in a recovered file.  The tools rarely include blocks that have never been allocated to the current file system, i.e., it is not likely that a block from a recovered file was not a part of some file.  Some tools attempt to identify overwritten files. The tools often identify (incorrectly) intact files as overwritten.  Support for ExFAT, ext3 and ext4 is sometimes lacking. 2/21/13AAFS -- Washington16 Summary

2/21/13AAFS -- Washington17 Project Sponsors (aka Steering Committee)  National Institute of Justice (Major funding)  Homeland Security (Major funding)  FBI (Additional funding)  Department of Defense, DCCI (Equipment and support)  State & Local agencies (Technical input)  Other federal agencies (Technical input)  NIST/OLES (Program management)

Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose. 2/21/1318AAFS -- Washington

Contact Information 2/21/13AAFS -- Washington19 Sue Ballou, Office of Law Enforcement Standards Steering Committee representative for State/Local Law Enforcement Jim Lyle

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.