Professional Documents
Culture Documents
Disclaimer
Certain company products may be mentioned
or identified. Such identification does not
imply recommendation or endorsement by the
National Institute of Standards and
Technology, nor does it imply that these
products are necessarily the best available for
the purpose.
3
Outline
v Computer Forensic Tool Testing Program (CFTT)
v Why test carving tools?
v File Carving vs Deleted File Recovery
v Brainstorming before testing
v Testing Methodology
v Results Overview
4
v Steering Committee
CFTT Methodology
Step 1 Step 2 Step 3 Step 4
Test Plan Setup and
Test Test Reports
- Test Cases
Test
Specification - Assertions - Summary of results
Procedures - Tool tested
- Requirements:
- Third Parties could - Test case definition
. Core
replicate test cases if - Results Summary
. Optional desired - Execution
Environment
- Detailed results
6
Outline
v Computer Forensic Tool Testing Program (CFTT)
v Why test carving tools?
v File Carving vs Deleted File Recovery
v Brainstorming before testing
v Testing Methodology
v Results Overview
7
Outline
v Computer Forensic Tool Testing Program (CFTT)
v Why test carving tools?
v File Carving vs Deleted File Recovery
v Brainstorming before testing
v Testing Methodology
v Results Overview
9
Outline
v Computer Forensic Tool Testing Program (CFTT)
v Why test carving tools?
v File Carving vs Deleted File Recovery
v Brainstorming before testing
v Testing Methodology
v Results Overview
Carving graphic files: 11
things to consider
v Multiple graphic file types – test them all?
Our focus
v Default settings
v Fragmentation
v Thumbnails
Outline
v Computer Forensic Tool Testing Program (CFTT)
v Why test carving tools?
v File Carving vs Deleted File Recovery
v Brainstorming before testing
v Testing Methodology
v Results Overview
15
v 7 thumbnails (.jpg)
16
dd
(command)
dd image
17
17
18
A B A B A B
cluster sized blocks of text fragmenting pictures in order
v Incomplete
B C A C A B
cluster sized blocks of text between
pictures with missing fragments
18
19
B A C A B A C B
cluster sized blocks of text fragmenting pictures in disorder
v Braided
A1 B1 A2 B2
19
20
Test Cases: 7
v Byte Shifted
20
21
Tools Testing
v We had
v 7 test cases
v 11 tools to test
22
Measuring Methods
v Visibility of files carved
v Is the data in a usable format? - viewable
Files Recovered
Original
Files
24
v Not Viewable
vFalse Positive
26
Outline
v Computer Forensic Tool Testing Program (CFTT)
v Why test carving tools?
v File Carving vs Deleted File Recovery
v Brainstorming before testing
v Testing Methodology
v Results Overview
27
Files Recovered per Tool
Tool
A
Tool
B
Tool
C
Tool
D
Tool
E
Tool
F
Tool
G
Tool
H
47
47
40
FILES
CARVED
186
186
186
57
35
41
38
38
38
38
32
93
65
186
32
47
47
27
25
25
23
24
26
34
39
39
39
15
0
21
16
24
24
17
39
62
62
62
17
49
52
17
62
31
54
53
53
39
44
25
28
NO
PADDING
/
47
CLUSTER
FRAG
IN
ORDER
/
INCOMPLETE
/
45
FRAG
DISORDER
/
BRAIDED
/
23
SHIFTED
/
47
PADDED
/
47
47
41
Results Overview
v 10 reports published at http://www.cyberfetch.org/
v Interesting findings
v multiple files but only one file is viewable
v same tool, 2 different versions = close results?
30
Files recovered by same tool
8946
8964
9118
9073
FILES
CARVED
6191
5612
Old
Version
1746
New
Version
62 62 62 49 52 31 62
Jenise Reyes-Rodriguez
jenise.reyes@nist.gov
www.cftt.nist.gov
www.cfreds.nist.gov
http://www.cyberfetch.org/