NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md.

Slides:



Advertisements
Similar presentations
The Modern Control Boot Disk. 2 What do we mean by a Modern control boot disk? In your previous lectures you learned about the original DOS control boot.
Advertisements

A Strategy for Testing Hardware Write Block Devices James R Lyle National Institute of Standards and Technology.
Write Blocking CSC 485/585.
Collaboration Model for Law Enforcement X-Ways Investigator (investigator version of X-Ways Forensics)
Jim Lyle National Institute of Standards and Technology.
Deleted File Recovery Tool Testing Results Jim Lyle NIST 2/21/13AAFS -- Washington 1.
Creating Deleted File Recovery Tool Testing Images Jim Lyle National Institute of Standards and Technology.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.
14 May 2010Montana Supreme Court Spring Training Conference 1 Verification of Digital Forensic Tools Jim Lyle Project Leader: Computer Forensic Tool Testing.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Forensic Tool Testing Results Jim Lyle National Institute of Standards and Technology.
Slides by Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802
Federated Testing: Well-Tested Tools, Shared Test Materials & Shared Test Reports; The Computer Forensics Tool Catalog Website: Connecting Forensic Examiners.
Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Third Edition Chapter 7 Current Computer Forensics Tools.
Guide to Computer Forensics and Investigations Third Edition
Testing - an Overview September 10, What is it, Why do it? Testing is a set of activities aimed at validating that an attribute or capability.
Encase Overview. What is Encase EnCase Forensic is the industry standard in computer forensic investigation technology. Encase is a single tool, capable.
Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19 th, 2015.
Mobile Device Forensics Rick Ayers. Disclaimer  Certain commercial entities, equipment, or materials may be identified in this presentation in order.
Mobile Device Forensics - Tool Testing Richard Ayers.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas File Systems and Forensics Tools September 20, 2013.
Guide to Computer Forensics and Investigations, Second Edition
Mohd Taufik Abdullah Department of Computer Science
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
COEN 252 Computer Forensics
Computer Forensics Tool Catalog: Connecting Users With the Tools They Need AAFS –February 21, 2013 Ben Livelsberger NIST Information Technology Laboratory.
July 9, National Software Reference Library Douglas White Information Technology Laboratory July 2004.
Quirks Uncovered While Testing Forensic Tool Jim Lyle Information Technology Laboratory Agora March 28, 2008.
With Microsoft Windows 7© 2012 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Windows 7.
Linux Booting Procedure
Guide to Linux Installation and Administration, 2e1 Chapter 3 Installing Linux.
Drive Imaging Joe Cicero Northeast Wisconsin Technical College.
IT Essentials 1 v4.0 Chapters 4 & 5 JEOPARDY RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands RouterModesWANEncapsulationWANServicesRouterBasicsRouterCommands.
Teaching Digital Forensics w/Virtuals By Amelia Phillips.
Disaster Recovery Strategies & criteria for evaluation of information management strategies.
Preserving Evidence ● Number one priority ● Must also find incriminating evidence ● Must search the contents of the hard drive ● Can not change the hard.
Ben Livelsberger NIST Information Technology Laboratory, CFTT Program
How Hardware and Software Work Together
Data Recovery Techniques Florida State University CIS 4360 – Computer Security Fall 2006 December 6, 2006 Matthew Alberti Horacesio Carmichael.
Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. System Forensics, Investigation, and Response.
CLOUD COMPUTING Overview on cloud computing. Cloud vendors. Cloud computing is a type of internet based computing where we use a network of remote servers.
Guide to Computer Forensics and Investigations Fourth Edition
14 Step-by-Step Instructions for an Upgrade Installation n Prepare for the installation Verify that all devices and applications are Windows 2000 compatible.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Data Acquisition September 8, 2008.
Chapter 5 Processing Crime and Incident Scenes Guide to Computer Forensics and Investigations Fourth Edition.
CJ 317 – Computer Forensics
COEN 252 Computer Forensics Forensic Duplication of Hard Drives.
By: Jeremy Henry. Road Map  What is a cybercrime?  Statistics.  Tools used by an investigator.  Techniques and procedures used.  Specific case.
Mobile Device Data Population for Tool Testing Rick Ayers.
Defining, Measuring and Mitigating Errors for Digital Forensic Tools Jim Lyle, Project Leader NIST Computer Forensics Tool Testing Feb 25, 2016AAFS - Las.
NON STANDARD HARDWARE By the end of this lesson you will be able to: 1. Identify non standard computer hardware 2. Understand ACRONYMS used to describe.
GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS FOURTH EDITION CHAPTER 7 CURRENT COMPUTER FORENSICS TOOLS.
JTAG Tool Testing Jenise Reyes-Rodriguez National Institue of Standards and Technology AAFS – February 25 th, 2016.
1 Presented by David Thompson, TIA December 14, 2005 NFPA 1600 and Emergency Communications.
Creighton Barrett Dalhousie University Archives
Encase Overview.
Chapter 5 EnCase Concepts.
CHFI & Digital Forensics [Part.1] - Basics & FTK Imager
Computer Fundamentals
Digital Forensics Dr. Bhavani Thuraisingham
Digital Forensics Chris Rozic.
Operating Systems Tasks 17/02/2019.
Modern PC operating systems
Digital Forensics CJ
Overview of Computer system
1 Guide to Computer Forensics and Investigations Sixth Edition Chapter 6 Current Digital Forensics Tools.
Presentation transcript:

NIST CFTT: Testing Disk Imaging Tools James R. Lyle National Institute of Standards and Technology Gaithersburg Md

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT2 Talk Overview Project Background Test methodology Creating the disk imaging specification Testing imaging tools Current CFTT status Future directions

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT3 DISCLAIMER Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose.

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT4 Goals of CFTT Problem: Computer forensic investigators need tools that … Work well and Produce results admissible in court Response: Establish a testing methodology by developing for forensic tools … Specifications Test procedures Test cases

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT5 Why is NIST involved? Mission: Assist federal, state & local agencies NIST is a neutral organization – not law enforcement or vendor NIST provides an open, rigorous process

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT6 Overview of Methodology CFTT directed by Steering Committee Functionality driven Specifications developed for specific categories of activities, e.g., disk imaging, hard drive write protect, etc. Test methodology developed for each category

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT7 Developing a Specification After tool category selected by SC … Focus group (law enforcement + ITL) develop tool category specification Spec posted to web for public comment Comments incorporated Develop test environment

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT8 Tool Test Process After SC selects a tool … Acquire tool & review documentation Select test cases Execute test cases Produce test report

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT9 Capabilities to test disk imaging Accuracy of copy –Compare disks –Initialize disk sectors to unique content Verify source disk unchanged Corrupt an image file Error handling: reliably faulty disk

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT10 Test Case Structure: Setup 1. Record details of source disk setup. 2. Initialize the source disk to a known value. 3. Hash the source disk and save hash value. 4. Record details of test case setup. 5. Initialize a destination disk. 6. If the test requires a partition, create and format a partition on the destination disk. 7. If the test uses an image file, partition and format a disk for the image file.

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT11 Test Case Structure: Run Tool 8.If required, setup I/O error 9.If required, create image file 10.If required, corrupt image file 11.Create destination

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT12 Test Case Structure: Measure 12.Compare Source to Destination 13.Rehash the Source

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT13 Disk Imaging Test Parameters ParameterValue FunctionsCopy, Image, Verify Source interfaceBIOS to IDE, BIOS to SCSI, ATA, ASPI, Legacy BIOS Dst interface Relative sizeSrc=Dst, Src Dst ErrorsNone, Src Rd, Dst Wt, Img R/W/C Object typeDisk, FAT12/16/32, NT, Ext2 Remote accessYes, no

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT14 Evaluating Test Results If a test exhibits an anomaly … 1.Look for hardware or procedural problem 2.Anomaly seen before 3.If unique, look at more cases 4.Examine similar anomalies

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT15 Refining the Test Procedure During dd testing some results seemed to indicate that the Linux environment was making a change to the source disk. After investigation we found that the problem was actually the test procedure.

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT16 Current Status Test reports for Linux dd & SafeBack 2.18 in final review Developing test cases for software hard drive write protect specification Running EnCase tests

DFRWS 7 Aug 02NIST/ITL/SDCT/CFTT17 Future Tasks Deleted file recovery specification Hardware hard disk write protect device specification Testing other disk imaging tools

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.