SlideShare a Scribd company logo

Digital Forensic Tools - Application Specific.

Download as PPT, PDF
G
guestcf6f5b

The document discusses the methodology and importance of testing computer forensic tools at NIST, emphasizing the need for tools that are accurate, reliable, and admissible in court. It outlines the process of tool testing, which includes peer review and public commentary, and identifies the main tasks involved such as specifying forensics functions and developing test methodologies. Additionally, it highlights current activities and challenges in the field of computer forensics, including the lack of standards and the need for robust specifications.

Technology
1 of 38
Downloaded 38 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Computer Forensics Tool Testing at NIST Jim Lyle Information Technology Laboratory Phone: (301) 975-3207 E-mail: [email_address] WWW: http://www.cftt.nist.gov
Computers &The Internet Marvelous tools Improve quality of life Enable global communication Improve productivity Makes many activities easer, faster, … … even criminal activity
A Shocking Revelation . . . Computers can be involved in crime … As a victim As a weapon As a witness As a record As contraband
Outline of an Investigation Get proper authorization Seize evidence (Hard drives, floppies …) Create duplicates for analysis Analyze the duplicates Exclude known benign files Examine obvious files Search for hidden evidence Report results
Investigators Need … Computer forensic investigators need tools that … Work as they should Produce results admissible in court
Admissible Results Software tools must meet Daubert criteria Tested: accurate, reliable & repeatable Peer reviewed Generally accepted methodology
Response to Problem Independent testing of forensic tools Public review of results Apply black box testing theory to tools
Goals of CF at NIST Establish methodology for testing computer forensic tools (CFTT) Provide international standard reference data that tool makers and investigators can use in an investigations (NSRL)
Why NIST/ITL is involved Mission: Assist federal, state & local agencies NIST is a neutral organization – not law enforcement or vendor NIST provides an open, rigorous process
Project Sponsors NIST/OLES (Program management) NIJ (Major funding) FBI (Additional funding) DOD (Equipment and support) Homeland Security (Technical input) State & Local agencies (Technical input)
Project Tasks Identify forensics functions e.g., Disk imaging, Hard drive write protect, Deleted file recovery String searching Develop specification for each function Peer review of specification Test methodology for each function Test Tools (by function) & Report results
Current Activities Hard drive imaging tools Software hard drive write protect Hardware hard drive write protect Deleted file recovery String Searching
Challenges No standards or specifications for tools Arcane knowledge domain (e.g. DOS, Windows drivers) Reliably faulty hardware Many versions of each tool
Overview of Methodology CFTT directed by Steering Committee Functionality driven Specifications developed for specific categories of activities, e.g., disk imaging, hard drive write protect, etc. Test methodology developed for each category
Developing a Specification After tool function selected by SC … Focus group (law enforcement + NIST) develop tool function specification Spec posted to web for public comment Comments incorporated Develop test environment
Tool Test Process After SC selects a tool … Acquire tool & review documentation Select test cases Execute test cases Produce test report
Disk Imaging Test Parameters Value Parameter Yes, no Remote access Disk, FAT12/16/32, NT, Ext2 Object type None, Src Rd, Dst Wt, Img R/W/C Errors Src=Dst, Src<Dst, Src>Dst Relative size Dst interface BIOS to IDE, BIOS to SCSI, ATA, ASPI, Legacy BIOS Source interface Copy, Image, Verify Functions
Capabilities to test disk imaging Accuracy of copy Compare disks Initialize disk sectors to unique content Verify source disk unchanged Corrupt an image file Error handling: reliably faulty disk
Test Case Structure: Setup 1.      Record details of source disk setup. 2.      Initialize the source disk to a known value. 3.      Hash the source disk and save hash value. 4.      Record details of test case setup. 5.      Initialize a destination disk. 6.      If the test requires a partition, create and format a partition on the destination disk. 7.      If the test uses an image file, partition and format a disk for the image file.
Test Case Structure: Run Tool If required, setup I/O error If required, create image file If required, corrupt image file Create destination
Test Case Structure: Measure Compare Source to Destination Rehash the Source
Test Logging Log everything, automatically if practical Hardware, Software, Versions Time/date Operator
Legacy BIOS Quirks Some may under report drive size Example, Quantum SIROCCO1700A has 3335472 sectors 3309/16/63 spc 1008 BIOS: 3,330,432 sectors with geometry 826/64/63 spc 4032 BIOS under reports by 1.25 logical cyls and 5 physicals
Evaluating Test Results If a test exhibits an anomaly … Look for hardware or procedural problem Anomaly seen before If unique, look at more cases Examine similar anomalies
Refining the Test Procedure During dd testing some results seemed to indicate that the Linux environment was making a change to the source disk. After investigation we found that the problem was actually the test procedure.
Hard Drive Write Protect Can be done either in hardware or software Software write protection limited to specific environment: BIOS access or device driver Hardware write protection more general
Hard Drive BIOS Access
SWB Tool Operation
Test Harness Operation
HWB Testing CPU Device Send I/O CMD to Device Return result to CPU BUS1 BUS 2 PROTOCOL ANALYZER Monitor Bus Traffic BUS HWB
Impact Release 18 (Feb 2001) - A US government organization was doing some testing and uncovered an issue under a specific set of circumstances. Linux doesn’t use the last sector if odd Several vendors have made product or documentation changes CFTT cited in some high profile court cases
Available Specifications Hard Drive Imaging (e.g., Safeback, EnCase, Ilook, Mares imaging tool) Write Block Software Tools (e.g., RCMP HDL, Pdblock, ACES) Write Block Hardware Devices (A-Card, FastBlock, NoWrite) – not final
Specifications Under Development String Searching Deleted File Recovery Revised Disk Imaging
Available Test Reports Sydex SafeBack 2.0 NTI Safeback 2.18 EnCase 3.20 GNU dd 4.0.36 (RedHat 7.1) FreeBSD 4.4 dd RCMP HDL V0.8
Test Reports in Production RCMP HDL V0.4 RCMP HDL V0.5 RCMP HDL V0.7
Available Testing Software FS-TST – tools to test disk imaging: drive wipe, drive compare, drive hash (SHA1), partition compare. (DCCI uses these tools) SWBT – tools to test interrupt 13 software write blockers
Benefits of CFTT Benefits of a forensic tool testing program Users can make informed choices Neutral test program (not law enforcement) Reduce challenges to admissibility of digital evidence Tool creators make better tools
Contacts Jim Lyle Doug White www.cftt.nist.gov www.nsrl.nist.gov [email_address] [email_address] Mark Skall Chief, Software Diagnostics & Conformance Testing Div. www.itl.nist.gov/div897 [email_address] Sue Ballou, Office of Law Enforcement Standards Steering Committee Rep. For State/Local Law Enforcement susan.ballou@nist.gov

More Related Content

PDF
Accessing Forensic Images
CTIN
 
PPTX
Forensic imaging
DINESH KAMBLE
 
PDF
Forensics of a Windows System
Conferencias FIST
 
PPTX
Forensic imaging tools
Dr. Richard Adams
 
ODP
Introduction to forensic imaging
Marco Alamanni
 
PPTX
Open Source Forensics
CTIN
 
PPTX
Unmasking Careto through Memory Forensics (video in description)
Andrew Case
 
PDF
SACON - Windows Forensic (Dr. Phil Polstra)
Priyanka Aash
 
Accessing Forensic Images
CTIN
 
Forensic imaging
DINESH KAMBLE
 
Forensics of a Windows System
Conferencias FIST
 
Forensic imaging tools
Dr. Richard Adams
 
Introduction to forensic imaging
Marco Alamanni
 
Open Source Forensics
CTIN
 
Unmasking Careto through Memory Forensics (video in description)
Andrew Case
 
SACON - Windows Forensic (Dr. Phil Polstra)
Priyanka Aash
 

What's hot (20)

PDF
(SACON) Dr. Phil Polstra - windows & linux forensics
Priyanka Aash
 
PPTX
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON
 
PPTX
The Forensic Lab
primeteacher32
 
PPTX
Msra 2011 windows7 forensics-troyla
CTIN
 
ODP
File carving tools
Marco Alamanni
 
PDF
SANS Windows Artifact Analysis 2012
Rian Yulian
 
PDF
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
Michael Smith
 
PPT
Digital Forensics in the Archive
GarethKnight
 
PPTX
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Andrew Case
 
PPTX
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Source Conference
 
PPT
Live data collection_from_windows_system
Maceni Muse
 
PPT
3871778
Christiaan Beek
 
PDF
Memory Analysis of the Dalvik (Android) Virtual Machine
Andrew Case
 
PDF
File000173
Desmond Devendran
 
PPTX
Scan disk
Von Alvarez
 
PPT
Live Memory Forensics on Android devices
Nikos Gkogkos
 
PDF
Next Generation Memory Forensics
Andrew Case
 
PPT
Forensics of a Windows Systems
Conferencias FIST
 
PPTX
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Rhydham Joshi
 
PDF
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 
(SACON) Dr. Phil Polstra - windows & linux forensics
Priyanka Aash
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON
 
The Forensic Lab
primeteacher32
 
Msra 2011 windows7 forensics-troyla
CTIN
 
File carving tools
Marco Alamanni
 
SANS Windows Artifact Analysis 2012
Rian Yulian
 
DefCon 2012 - Anti-Forensics and Anti-Anti-Forensics
Michael Smith
 
Digital Forensics in the Archive
GarethKnight
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Andrew Case
 
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Source Conference
 
Live data collection_from_windows_system
Maceni Muse
 
3871778
Christiaan Beek
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Andrew Case
 
File000173
Desmond Devendran
 
Scan disk
Von Alvarez
 
Live Memory Forensics on Android devices
Nikos Gkogkos
 
Next Generation Memory Forensics
Andrew Case
 
Forensics of a Windows Systems
Conferencias FIST
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Rhydham Joshi
 
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 
Ad

Viewers also liked (20)

PPT
CóMo Escribir Un Texto Escrito
Vladimir Humberto Clobares Sánchez
 
PPT
Evaluation
birch_17
 
PPT
G R U P O V I R T U A L
eliza19
 
PPT
Present
guest796d9e0
 
PPT
No3
Amadora Empreende
 
PPT
GoogleSky Status at Google
Alberto Conti
 
PDF
2
guest59352db
 
PPT
Peligroso Plastico
ANACV
 
PPT
Introdução ao marketing de busca
Rafael Damasceno
 
PDF
Diploma Project - Poster
ercumentsonmez
 
PPT
Techlace
Amadora Empreende
 
PPT
D I G I T A L B E T A
Jose Gaitan
 
PDF
PáGina Crianças7 03 09 Pdf[1].Asp
mrvpimenta
 
PPS
Abortion - Sensetive
angelheartnel
 
PPT
Reflexionmauriciovelasco
maovelasco
 
PDF
Informations Management
Tamas Csaki
 
PPT
Cogigo De Barras Mily
milyxit
 
PPT
3 Sesion
luzamanda
 
PPT
Grupo3 Henrike 8ºB
Ana Carlão
 
PPT
Fotos de España
Emilio Gil (unjubilado)
 
CóMo Escribir Un Texto Escrito
Vladimir Humberto Clobares Sánchez
 
Evaluation
birch_17
 
G R U P O V I R T U A L
eliza19
 
Present
guest796d9e0
 
No3
Amadora Empreende
 
GoogleSky Status at Google
Alberto Conti
 
2
guest59352db
 
Peligroso Plastico
ANACV
 
Introdução ao marketing de busca
Rafael Damasceno
 
Diploma Project - Poster
ercumentsonmez
 
Techlace
Amadora Empreende
 
D I G I T A L B E T A
Jose Gaitan
 
PáGina Crianças7 03 09 Pdf[1].Asp
mrvpimenta
 
Abortion - Sensetive
angelheartnel
 
Reflexionmauriciovelasco
maovelasco
 
Informations Management
Tamas Csaki
 
Cogigo De Barras Mily
milyxit
 
3 Sesion
luzamanda
 
Grupo3 Henrike 8ºB
Ana Carlão
 
Fotos de España
Emilio Gil (unjubilado)
 
Ad

Similar to Digital Forensic Tools - Application Specific. (20)

PPT
Lecture 8 comp forensics 03 10-18 file system
Alchemist095
 
PDF
kbrgwillis.pdf
Kblblkb
 
PDF
Foundation of Digital Forensics
Victor C. Sovichea
 
PDF
Guide to Computer Forensics'.pdf
LaceyTatum1
 
PPT
1234567NeFX-10-lyle-CFTT-test-strategy.ppt
ijaz342
 
PPTX
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
PPTX
First Responder Course - Session 10 - Static Evidence Collection [2004]
Phil Huggins FBCS CITP
 
PPT
Current Computer Forensics Tools in Cyber forensics.ppt
ChSamson2
 
PPT
Forensic Lab Development
amiable_indian
 
DOCX
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
evonnehoggarth79783
 
PDF
CNIT 121: 11 Analysis Methodology
Sam Bowne
 
PDF
Workshop 2 revised
peterchanws
 
PPS
intro to forensics
Pardhasaradhi ch
 
PDF
the Cyber - Forensics - Lab - Manual . pdf
22cc005
 
PDF
Debian Linux as a Forensic Workstation
Vipin George
 
PPTX
CSE4004_Module4_1.pptx
HARIKETSUKESHKUMARSH
 
DOCX
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
christinemaritza
 
PPTX
The design of forensic computer workstations
jkvr100
 
PPTX
Digital Forensics by William C. Barker (NIST)
AltheimPrivacy
 
PDF
What the Heck Just Happened?
Ken Evans
 
Lecture 8 comp forensics 03 10-18 file system
Alchemist095
 
kbrgwillis.pdf
Kblblkb
 
Foundation of Digital Forensics
Victor C. Sovichea
 
Guide to Computer Forensics'.pdf
LaceyTatum1
 
1234567NeFX-10-lyle-CFTT-test-strategy.ppt
ijaz342
 
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
First Responder Course - Session 10 - Static Evidence Collection [2004]
Phil Huggins FBCS CITP
 
Current Computer Forensics Tools in Cyber forensics.ppt
ChSamson2
 
Forensic Lab Development
amiable_indian
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
evonnehoggarth79783
 
CNIT 121: 11 Analysis Methodology
Sam Bowne
 
Workshop 2 revised
peterchanws
 
intro to forensics
Pardhasaradhi ch
 
the Cyber - Forensics - Lab - Manual . pdf
22cc005
 
Debian Linux as a Forensic Workstation
Vipin George
 
CSE4004_Module4_1.pptx
HARIKETSUKESHKUMARSH
 
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
christinemaritza
 
The design of forensic computer workstations
jkvr100
 
Digital Forensics by William C. Barker (NIST)
AltheimPrivacy
 
What the Heck Just Happened?
Ken Evans
 

Recently uploaded (20)

PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
KodekX | Application Modernization Development
KodekX
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 

Digital Forensic Tools - Application Specific.

  • 1. Computer Forensics Tool Testing at NIST Jim Lyle Information Technology Laboratory Phone: (301) 975-3207 E-mail: [email_address] WWW: http://www.cftt.nist.gov
  • 2. Computers &The Internet Marvelous tools Improve quality of life Enable global communication Improve productivity Makes many activities easer, faster, … … even criminal activity
  • 3. A Shocking Revelation . . . Computers can be involved in crime … As a victim As a weapon As a witness As a record As contraband
  • 4. Outline of an Investigation Get proper authorization Seize evidence (Hard drives, floppies …) Create duplicates for analysis Analyze the duplicates Exclude known benign files Examine obvious files Search for hidden evidence Report results
  • 5. Investigators Need … Computer forensic investigators need tools that … Work as they should Produce results admissible in court
  • 6. Admissible Results Software tools must meet Daubert criteria Tested: accurate, reliable & repeatable Peer reviewed Generally accepted methodology
  • 7. Response to Problem Independent testing of forensic tools Public review of results Apply black box testing theory to tools
  • 8. Goals of CF at NIST Establish methodology for testing computer forensic tools (CFTT) Provide international standard reference data that tool makers and investigators can use in an investigations (NSRL)
  • 9. Why NIST/ITL is involved Mission: Assist federal, state & local agencies NIST is a neutral organization – not law enforcement or vendor NIST provides an open, rigorous process
  • 10. Project Sponsors NIST/OLES (Program management) NIJ (Major funding) FBI (Additional funding) DOD (Equipment and support) Homeland Security (Technical input) State & Local agencies (Technical input)
  • 11. Project Tasks Identify forensics functions e.g., Disk imaging, Hard drive write protect, Deleted file recovery String searching Develop specification for each function Peer review of specification Test methodology for each function Test Tools (by function) & Report results
  • 12. Current Activities Hard drive imaging tools Software hard drive write protect Hardware hard drive write protect Deleted file recovery String Searching
  • 13. Challenges No standards or specifications for tools Arcane knowledge domain (e.g. DOS, Windows drivers) Reliably faulty hardware Many versions of each tool
  • 14. Overview of Methodology CFTT directed by Steering Committee Functionality driven Specifications developed for specific categories of activities, e.g., disk imaging, hard drive write protect, etc. Test methodology developed for each category
  • 15. Developing a Specification After tool function selected by SC … Focus group (law enforcement + NIST) develop tool function specification Spec posted to web for public comment Comments incorporated Develop test environment
  • 16. Tool Test Process After SC selects a tool … Acquire tool & review documentation Select test cases Execute test cases Produce test report
  • 17. Disk Imaging Test Parameters Value Parameter Yes, no Remote access Disk, FAT12/16/32, NT, Ext2 Object type None, Src Rd, Dst Wt, Img R/W/C Errors Src=Dst, Src<Dst, Src>Dst Relative size Dst interface BIOS to IDE, BIOS to SCSI, ATA, ASPI, Legacy BIOS Source interface Copy, Image, Verify Functions
  • 18. Capabilities to test disk imaging Accuracy of copy Compare disks Initialize disk sectors to unique content Verify source disk unchanged Corrupt an image file Error handling: reliably faulty disk
  • 19. Test Case Structure: Setup 1.      Record details of source disk setup. 2.      Initialize the source disk to a known value. 3.      Hash the source disk and save hash value. 4.      Record details of test case setup. 5.      Initialize a destination disk. 6.      If the test requires a partition, create and format a partition on the destination disk. 7.      If the test uses an image file, partition and format a disk for the image file.
  • 20. Test Case Structure: Run Tool If required, setup I/O error If required, create image file If required, corrupt image file Create destination
  • 21. Test Case Structure: Measure Compare Source to Destination Rehash the Source
  • 22. Test Logging Log everything, automatically if practical Hardware, Software, Versions Time/date Operator
  • 23. Legacy BIOS Quirks Some may under report drive size Example, Quantum SIROCCO1700A has 3335472 sectors 3309/16/63 spc 1008 BIOS: 3,330,432 sectors with geometry 826/64/63 spc 4032 BIOS under reports by 1.25 logical cyls and 5 physicals
  • 24. Evaluating Test Results If a test exhibits an anomaly … Look for hardware or procedural problem Anomaly seen before If unique, look at more cases Examine similar anomalies
  • 25. Refining the Test Procedure During dd testing some results seemed to indicate that the Linux environment was making a change to the source disk. After investigation we found that the problem was actually the test procedure.
  • 26. Hard Drive Write Protect Can be done either in hardware or software Software write protection limited to specific environment: BIOS access or device driver Hardware write protection more general
  • 27. Hard Drive BIOS Access
  • 30. HWB Testing CPU Device Send I/O CMD to Device Return result to CPU BUS1 BUS 2 PROTOCOL ANALYZER Monitor Bus Traffic BUS HWB
  • 31. Impact Release 18 (Feb 2001) - A US government organization was doing some testing and uncovered an issue under a specific set of circumstances. Linux doesn’t use the last sector if odd Several vendors have made product or documentation changes CFTT cited in some high profile court cases
  • 32. Available Specifications Hard Drive Imaging (e.g., Safeback, EnCase, Ilook, Mares imaging tool) Write Block Software Tools (e.g., RCMP HDL, Pdblock, ACES) Write Block Hardware Devices (A-Card, FastBlock, NoWrite) – not final
  • 33. Specifications Under Development String Searching Deleted File Recovery Revised Disk Imaging
  • 34. Available Test Reports Sydex SafeBack 2.0 NTI Safeback 2.18 EnCase 3.20 GNU dd 4.0.36 (RedHat 7.1) FreeBSD 4.4 dd RCMP HDL V0.8
  • 35. Test Reports in Production RCMP HDL V0.4 RCMP HDL V0.5 RCMP HDL V0.7
  • 36. Available Testing Software FS-TST – tools to test disk imaging: drive wipe, drive compare, drive hash (SHA1), partition compare. (DCCI uses these tools) SWBT – tools to test interrupt 13 software write blockers
  • 37. Benefits of CFTT Benefits of a forensic tool testing program Users can make informed choices Neutral test program (not law enforcement) Reduce challenges to admissibility of digital evidence Tool creators make better tools
  • 38. Contacts Jim Lyle Doug White www.cftt.nist.gov www.nsrl.nist.gov [email_address] [email_address] Mark Skall Chief, Software Diagnostics & Conformance Testing Div. www.itl.nist.gov/div897 [email_address] Sue Ballou, Office of Law Enforcement Standards Steering Committee Rep. For State/Local Law Enforcement susan.ballou@nist.gov

Editor's Notes

  • #2: It is my pleasure to be here with you today to describe some of the significant work ongoing at NIST involving information technology and the fairly new concept of computer forensics. NIST is attempting to introduce science into the computer forensics arena by basing our work on first principles of computer science, accepted practice, peer review, and publication of results. &lt;click&gt;