14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.

Slides:



Advertisements
Similar presentations
The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.
Advertisements

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.
Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)
Jim Lyle National Institute of Standards and Technology.
Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Computer & Mobile Forensics Standards Barbara Guttman October 1, 2009.
Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.
Guide to Computer Forensics and Investigations, Second Edition
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition
Computer & Network Forensics
Guide to Computer Forensics and Investigations Third Edition
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015.
Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.
Mobile Device Forensics - Tool Testing Richard Ayers.
Data Acquisition Chao-Hsien Chu, Ph.D.
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
COEN 252 Computer Forensics
Computer Forensics Tool Catalog: Connecting Users With the Tools They Need AAFS –February 21, 2013 Ben Livelsberger NIST Information Technology Laboratory.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.
Guide to Computer Forensics and Investigations, Second Edition Chapter 9 Data Acquisition.
July 9, National Software Reference Library Douglas White Information Technology Laboratory July 2004.
Quirks Uncovered While Testing Forensic Tool Jim Lyle Information Technology Laboratory Agora March 28, 2008.
Alternate Version of STARTING OUT WITH C++ 4 th Edition Chapter 1 Introduction to Computers and Programming.
NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md.
IT GOVERNANCE AND CYBERCRIME Open Source Forensic Tools 19/04/10.
Administering Windows 7 Lesson 11. Objectives Troubleshoot Windows 7 Use remote access technologies Troubleshoot installation and startup issues Understand.
Chapter 9 Computer Forensics Analysis and Validation Guide to Computer Forensics and Investigations Fourth Edition.
Ben Livelsberger NIST Information Technology Laboratory, CFTT Program
Data Recovery Techniques Florida State University CIS 4360 – Computer Security Fall 2006 December 6, 2006 Matthew Alberti Horacesio Carmichael.
An Introduction to Computer Forensics Jim Lindsey Western Kentucky University.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Computer Forensics Data Recovery and Evidence Collection September.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or.
1 IT Investigative Tools Tools and Services for the Forensic Auditor.
Guide to Computer Forensics and Investigations Fourth Edition
Module 13: Computer Investigations Introduction Digital Evidence Preserving Evidence Analysis of Digital Evidence Writing Investigative Reports Proven.
Chapter 9 Computer Forensics Analysis and Validation Guide to Computer Forensics and Investigations Fourth Edition.
Fundamental Programming: Fundamental Programming K.Chinnasarn, Ph.D.
1J. M. Kizza - Ethical And Social Issues Module 13: Computer Investigations Introduction Introduction Digital Evidence Digital Evidence Preserving Evidence.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008.
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.
IST 222 Day 3. Homework for Today Take up homework and go over Go to Microsoft website and check out their hardware compatibility list.
 Forensics  Application of scientific knowledge to a problem  Computer Forensics  Application of the scientific method in reconstructing a sequence.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.
Brief Version of Starting Out with C++ Chapter 1 Introduction to Computers and Programming.
Hands-On Microsoft Windows Server 2008 Chapter 7 Configuring and Managing Data Storage.
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
By: Jeremy Henry. Road Map  What is a cybercrime?  Statistics.  Tools used by an investigator.  Techniques and procedures used.  Specific case.
Computer Forensics Tim Foley COSC 480 Nov. 17, 2006.
Forensic Investigation Techniques Michael Jones. Overview Purpose People Processes Michael Jones2Digital Forensic Investigations.
Chapter 8 Forensic Duplication Spring Incident Response & Computer Forensics.
Mobile Device Data Population for Tool Testing Rick Ayers.
Defining, Measuring and Mitigating Errors for Digital Forensic Tools Jim Lyle, Project Leader NIST Computer Forensics Tool Testing Feb 25, 2016AAFS - Las.
Computer Forensics. OVERVIEW OF SEMINAR Introduction Introduction Defining Cyber Crime Defining Cyber Crime Cyber Crime Cyber Crime Cyber Crime As Global.
Digital Forensics Anthony Lawrence. Overview Digital forensics is a branch of forensics focusing on investigating electronic devises. Important in for.
Creighton Barrett Dalhousie University Archives
Chapter Objectives In this chapter, you will learn:
Digital Forensics Dr. Bhavani Thuraisingham
Digital Forensics CJ
1 Advanced Cyber Security Forensics Training for Law Enforcement Building Advanced Forensics & Digital Evidence Human Resource in the Law Enforcement sector.
Digital Forensics Andrew Schierberg, Fort Mitchell Police, Schierberg LAw Jay Downs, Kenton County Police.
1 Guide to Computer Forensics and Investigations Sixth Edition Chapter 6 Current Digital Forensics Tools.
Presentation transcript:

14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing (CFTT) Information Technology Laboratory National Institute of Standards and Technology

14 May 2010Montana Supreme Court Spring Training Conference 2 Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose.

14 May 2010 Montana Supreme Court Spring Training Conference 3 Introduction The computer is ubiquitous in both civil and criminal cases. BTK was solved by digital clues on a floppy disk that pointed to Dennis Rader: Police found metadata embedded in a deleted Microsoft Word document that was, unbeknownst to Rader, on the disk. The metadata, recovered using the forensic software EnCase, contained "Christ Lutheran Church", and the document was marked as last modified by "Dennis". A search of the church website turned up Dennis Rader as president of the congregation council. What are the components used to extract digital evidence? How reliable is digital evidence?

14 May 2010Montana Supreme Court Spring Training Conference 4 Outline Overview of CFTT Digital Forensic Tools Test results –Data acquisition tools –Write Block Tools Error rates Summary

14 May 2010Montana Supreme Court Spring Training Conference 5 Goals of NIST Computer Forensics Projects Support use of automated processes into the computer forensics investigations Provide stable foundation built on scientific rigor to support the introduction of evidence and expert testimony in court

14 May 2010Montana Supreme Court Spring Training Conference 6 Project Sponsors (aka Steering Committee) National Institute of Justice (Major funding) FBI (Additional funding) Department of Defense, DCCI (Equipment and support) Homeland Security (Major funding, Technical input) State & Local agencies (Technical input) Internal Revenue, IRS (Technical input) NIST/OLES (Additional funding & Program management)

14 May 2010Montana Supreme Court Spring Training Conference 7 Current NIST Activities Provide international standard reference data to support investigations and research (NSRL) Establish computer and mobile device forensic tool testing methodology (CFTT) Provide test material for proficiency testing and lab-based tool testing (CFReDs)

14 May 2010Montana Supreme Court Spring Training Conference 8 CFTT Products Forensic Tool Requirements Forensic Tool Test Plan –List of test cases –Test data sets (via CFReDS) –Test support & analysis software Forensic Tool Test Reports (submitted to NIJ for publication)

14 May 2010Montana Supreme Court Spring Training Conference 9 Test Reports Published Data acquisition: EnCase, FTK, SafeBack, MFL, dd, Macquisition, IxImager, … Software write block: HDL, PDBLOCK & ACES Hardware write block: MyKey, Tableau, WiebeTech, DiskJocky, DriveLock, & FastBlock Mobile Device (cell phone): Paraben, BitPim, MOBILedit, Neutrino, GSM XRY, … Drive wipe: Boot & Nuke, Voom, Drive eRazer

14 May 2010Montana Supreme Court Spring Training Conference 10 What’s Next for CFTT Additional tools such as... –Deleted file recovery (searching trash can) –File carving (searching the dumpster) –String search –Volatile acquisition of memory & disk –etc Test methodology and report sharing

14 May 2010Montana Supreme Court Spring Training Conference 11 Four Main Sources of DE Hard drive –Static: easy to reacquire Live memory –Dynamic: frequent change Mobile device: cell phone, PDA, iphone –Almost static: examination introduces changes Network tools –Dynamic: like a flowing stream

14 May 2010Montana Supreme Court Spring Training Conference 12 Tool Testing is Analogous to a Court Trial StatutesTool requirements Detective/DATest operator DefendantTool under test Guilty verdictTool violates at least one requirement Not guilty verdictTool not observed to violate any requirement

14 May 2010Montana Supreme Court Spring Training Conference 13 Tool Testing Strategy Digital forensic tools are often multi- function Testing is organized by function Develop requirements for a single function Test tools for a single function at a time

14 May 2010Montana Supreme Court Spring Training Conference 14 Good News & Disappointing News Good News: Forensic tools as tested work with some minor problems –Usually something is omitted –Nothing extra (incriminating or not) is created Disappointing News: Error rates are hard to define & quantify

14 May 2010Montana Supreme Court Spring Training Conference 15 Tool Functions Data acquisition Data protection (write blocking to protect original) Data erasing (disk wiping to ensure against cross contamination between cases) Data extraction (recovering infromation from mobile devices) File reconstruction (under development) String searching (under development)

14 May 2010Montana Supreme Court Spring Training Conference 16 Data Acquisition Requirements Entire drive or partition is acquired All data is acquired matches original Any omitted (e.g., bad sector) data is: 1.Identified 2.Replaced with benign replacement Tool log is accurate

14 May 2010Montana Supreme Court Spring Training Conference 17 Testing Data Acquisition Tool acquires either – entire drive (physical drive) – partition (logical drive) Evaluate the acquisition by either … –Hash of data acquired –Compare source to a restore

14 May 2010Montana Supreme Court Spring Training Conference 18 Data Acquisition Test Results Sectors at end of drive omitted –Tool dd, using Linux kernel 2.4, with a drive with an odd number of sectors, omits the last sector (512 bytes). The last sector is not used. –Tool EnCase version 3, using BIOS access, on hard drives with certain geometry, using a computer with a certain BIOS, omits the last 5,040 sectors. –Tool SafeBack version 2, with same setup omits the last 1,008 sectors. –Both SafeBack & EnCase, using DIRECT access, no sectors omitted.

14 May 2010Montana Supreme Court Spring Training Conference 19 More Data Acquisition Results Acquiring an image of an NTFS partition FTK omits the last 8 sectors EnCase: 1.Omits the last sector 2.Replaces the 7 sectors just before the last sector with 7 sectors acquired earlier. However, those last 8 sectors are not used to store user data.

14 May 2010Montana Supreme Court Spring Training Conference 20 Acquiring Bad Sectors Disk sectors do fail and become unreadable Tool dd running in Linux, omits 7 sectors around a bad sector acquired over the ATA interface. Tool dd running in Linux omits multiple of 8 sectors around a bad sector acquired over a non-ATA interface. Omitted sectors are replaced with zeros. Tool dd running in FreeBSD acquires all readable sectors but replaces bad sectors with non-zero data of unknown (to me) origin.

14 May 2010Montana Supreme Court Spring Training Conference 21 Write Block Requirements All commands that change drive content are blocked Data can be read off the drive Huh? Why not just say all READ commands are allowed?

14 May 2010Montana Supreme Court Spring Training Conference 22 Write Block Results New WRITE command not blocked Some READ commands blocked A certain READ command was replaced with a different READ command ERASE command allowed

14 May 2010Montana Supreme Court Spring Training Conference 23 As to General Observations from Daubert … known or potential error rate, and the existence and maintenance of standards controlling its operation … Usually does not apply to tools used to acquire and examine digital evidence.

14 May 2010Montana Supreme Court Spring Training Conference 24 Sources of Error An algorithm may have a theoretical error rate An implementation of an algorithm may have errors The execution of a procedure may have a blunder that affects the result

Error Example Hashes or checksums (with useful attributes) can be computed for a file. –Same files have the same hash –Different hash means files are different –However, same hash is possible for different files This can be used to determine if: –A file has changed, or –If two files might be the same with some error rate. 14 May 2010Montana Supreme Court Spring Training Conference 25

An Algorithm To Compare A Pair Of Files With Only One File A hash or checksum can be used to determine if any file in a set of files match a given file. 1.Let c be the hash of the given file 2.For each file, f, in the set … i.Compute, h, the hash of f ii.Compare c to h iii.If c matches h, then declare c equals h Hashes can collide (two different files with same hash) The error rate of the algorithm is related to the size of the hash (number of bits) 14 May 2010Montana Supreme Court Spring Training Conference 26

Error Rates for Hash Algorithms Hash algorithms are designed to essentially randomize the file content. This allows us to assume that different files behave like random data. 14 May 2010Montana Supreme Court Spring Training Conference 27 Hash AlgorithmChance of Collision CRC-161 in 32,768 CRC-321 in 2,147,483,648 MD5 (128 bits)1 in SHA-11 in SHA-2561 in 2 255

Implementation Errors A variety of implementation errors are possible, some are quite subtle. –One common error occurs as follows: Hash algorithm is implemented in a UNIX environment. It works for any file. Same program is moved to MS Windows environment. It works fine for any binary file, but computes a different (wrong) value for any text file (Windows adds a character to the end of each line of text). 14 May 2010Montana Supreme Court Spring Training Conference 28

What is the error rate? In the science of measurement error analysis this is called a systematic error. The distribution of text and binary files varies from computer to computer. There is no random distribution to the manifestation of the error. The implementation error is triggered only under some set of conditions. Errors, but no error rate. 14 May 2010Montana Supreme Court Spring Training Conference 29

Human Errors Human errors (blunders) occur Difficult to quantify Good processes have built in checks to detect blunders 14 May 2010Montana Supreme Court Spring Training Conference 30

Other Tool Testing Projects RCMP CART – FBI internal DCCC – Available on request 14 May 2010Montana Supreme Court Spring Training Conference 31

Summary & Observations Tools that have been tested so far don’t report data that isn’t there. Tools tend to have minor problems, usually omitting data, sometimes duplicating existing data. Digital forensic tools are being independently tested by several organizations. Conclusions of a test report only apply to the tool version tested. Any change to a tool or run environment requires retesting. Error rates can often be stated for algorithms, but not for implementations. Most digital forensic tool functions are simple collection, extraction or searching operations with a zero error rate for the algorithm. An implementation may have systematic errors that can be revealed by tool testing programs. 14 May 2010Montana Supreme Court Spring Training Conference 32

Resources John Robert Taylor (1999). An Introduction to Error Analysis: The Study of Uncertainties in Physical Measurements. University Science Books ISBN X.An Introduction to Error Analysis: The Study of Uncertainties in Physical MeasurementsISBN X 14 May 2010Montana Supreme Court Spring Training Conference 33

Contact Information 2/26/10AAFS34 Sue Ballou, Office of Law Enforcement Standards Steering Committee representative for State/Local Law Enforcement Jim Lyle

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.