The Computer Forensic Tool Testing Project
Objective: The objective of the Computer Forensics
Tool Testing project is to provide a measure of assurance
that the tools used in computer forensics investigations produce
accurate results. This is accomplished by developing specifications
and test methods for computer forensics tools and then testing
specific tools to those specifications. The test results provide
the information necessary for toolmakers to improve tools,
for users to make informed choices about acquiring and using
computer forensics tools, and for the legal community and
others to understand the tools' capabilities. Our approach
for testing computer forensic tools is based on well recognized
methodologies for conformance testing and quality testing.
Who is behind the CFTT? The CFTT is a joint project
of the National Institute of Justice, the National
Institute of Standards and Technology, and other agencies,
such as the Department of Defense and the Technical
Support Working Group. The entire computer forensics community
can help develop the specifications and test methods by commenting
on drafts as they are published on the NIST CFTT
Web site.
Status
Initial work has focused on testing hard disk imaging and
write blocker tools. Specifications, test assertions and methodologies
have been developed and are available.
Hard Disk Imaging: The Disk
Imaging Tool Specification identifies the top level disk
imaging tool requirements as:
- The tool shall make a bit stream duplicate or an image
of an original disk or partition.
- The tool shall not alter the original disk.
- The tool shall log I/O errors.
- The tool's documentation shall be correct.
The test methodology is for software tools that copy or image
hard disk drives. It does not cover analog media or digital
media such as cell phones or PDAs.
For each product tested, there will be a test
report and a report of the specific procedures used to
test the product.
Hard Disk Write Block: The revised
Hard Disk Write Block Tool Specification (version 2.0,
May 02) identifies the top level requirements (plus test assertions):
- The tool shall not allow a protected disk to be changed.
- The tool shall not prevent obtaining any information from
or about any disk.
- The tool shall not prevent any changes to a disk that
is not protected.
The scope of this specification is limited to software tools
that protect a hard disk attached to a PC from unintended
modification. No test results are available at this time.
Posted Test Results
As test results are finalized, NIJ will post them here.
- Test Results for Software Write Block Tools: RCMP HDL V0.4,
August 2004
- Test Results for Software Write Block Tools: RCMP HDL V0.5,
August 2004
- Test Results for Software Write Block Tools: RCMP HDL V0.7,
August 2004
- Test Results for Software Write Block Tools: RCMP HDL V0.8,
February 2004
- Test Results for Disk Imaging Tools: dd Provided with FreeBSD
4.4, January 2004
- Test Results for Disk Imaging Tools: SafeBack 2.18, June
2003
- Test Results for Disk Imaging Tools: EnCase 3.20, June
2003
- Partial Results from Prototype Testing Efforts for Disk Imaging
Tools: SafeBack 2.0, April 2003
- Test Results for Disk Imaging Tools: Red Hat Linux dd Version:
7.1 GNU fileutils 4.0.36, August 2002
- Workaround Solution for dd: Test results from the Computer
Forensic Tools Testing project (CFTT) identified that some
Linux kernels (including Red Hat's 2.4 kernel) cannot access
the last sector on a drive or partition if that sector is
an odd-numbered sector. If a device, either a disk or a
partition, is encountered with an odd number of sectors,
the odd sector can be captured using a DOS boot disk
together with Norton's Diskedit program to view and
copy the last sector on the evidentiary device. Other options
to consider are switching to an execution environment
that does not have this problem or writing a small program
that copies the last sector and appends it to the dd
image file. Further information regarding this situation
can be obtained at: www.cftt.nist.gov/testdocs.html
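
The "small program" option above, sketched as an added example that is not CFTT or NIJ code: it confirms that a dd image is exactly one sector short of an odd-sized device, appends the separately recovered last sector, and returns the hash of the completed image. The 512-byte sector size, the function names and the file names are assumptions, and the device's sector count must come from a source that is not affected by the kernel problem.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumption: 512-byte sectors


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def append_last_sector(image_path, total_sectors, last_sector_path,
                       sector_size=SECTOR_SIZE):
    """Append a recovered final sector to a dd image that is one sector short.

    total_sectors is the device's full sector count (drive label, BIOS, ...).
    Returns (status, sha256 of the image after the check).
    """
    image_size = os.path.getsize(image_path)
    if image_size % sector_size:
        raise ValueError("image is not a whole number of sectors")
    missing = total_sectors - image_size // sector_size
    if missing == 0:
        return "complete", sha256_file(image_path)
    if missing != 1 or total_sectors % 2 == 0:
        # Not the odd-last-sector case described above: leave the image alone.
        raise ValueError(f"image differs from device by {missing} sectors")
    with open(last_sector_path, "rb") as f:
        sector = f.read()
    if len(sector) != sector_size:
        raise ValueError("recovered sector has the wrong length")
    with open(image_path, "ab") as img:
        img.write(sector)
    return "appended", sha256_file(image_path)


if __name__ == "__main__":
    # Constructed sample: a 5-sector "device" whose dd image lost its last sector.
    device = bytes(range(256)) * 2 * 5
    with tempfile.TemporaryDirectory() as d:
        img, last = os.path.join(d, "evidence.dd"), os.path.join(d, "last.bin")
        with open(img, "wb") as f:
            f.write(device[:-SECTOR_SIZE])
        with open(last, "wb") as f:
            f.write(device[-SECTOR_SIZE:])
        print(append_last_sector(img, 5, last))
```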