Graphic File Carving Tool Testing
Jenise Reyes-Rodriguez
National Institute of Standards and Technology
AAFS - February 19th, 2015
Disclaimer
Certain company products may be mentioned or identified. Such identification does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that these products are necessarily the best available for the purpose.
Outline
Computer Forensic Tool Testing Program (CFTT)
Why test carving tools?
File Carving vs Deleted File Recovery
Brainstorming before testing
Testing Methodology
Results Overview
Computer Forensic Tool Testing Program (CFTT)
Validate tools used in computer-based crime investigations
Steering Committee
Sponsors: Law Enforcement Standards Office, Department of Homeland Security, Federal Bureau of Investigation, National Institute of Justice, among other agencies
CFTT Methodology
Step 1: Test Specification
- Requirements:
  . Core
  . Optional
Step 2: Test Plan
- Test cases
- Assertions
Step 3: Setup and Test Procedures
- Third parties could replicate the test cases if desired
Step 4: Test Reports - summary of results
- Tool tested
- Test case definition
- Results summary
- Execution environment
- Detailed results
Why test file carving tools?
- To provide the law enforcement community valuable information so they can choose tools they can rely on
- Help vendors to improve their tools
- Inform the users of the tools' capabilities
File Carving vs Deleted File Recovery
File Carving: reconstruct deleted files from unallocated storage based on file content, absent file system meta-data.
Deleted File Recovery: reconstruct deleted files from unallocated storage based on file system meta-data.
Carving graphic files: things to consider
- Multiple graphic file types - test them all?
- File type specifics
  . header and footer
  . thumbnails (embedded files)
  . header only
- Testing multiple tools
Carving graphic files: more to consider
- Tools support different parameters
- Smart carving
- File systems behavior
Our focus
Default settings
Completion of the files
Fragmentation
Thumbnails
Files landing in/out sector boundary
Data Sets (Test Cases) Creation
Graphic files selection - most common
File types used: .gif, .bmp, .png, .jpg, .tiff
8 files of each type were selected
7 thumbnails (.jpg)
The selected files are written into a dd image with the dd command (diagram).
Test Cases: 1 & 2
- No Padding - no fill
- Cluster Padded - basic: zero fill to end of last sector, cluster sized blocks of text between pictures
Test Cases: 3 & 4
- Fragmented in order - cluster sized blocks of text fragmenting pictures in order (diagram: A A A B B B)
- Incomplete - cluster sized blocks of text between pictures with missing fragments (diagram: B C A C A B)
Test Cases: 5 & 6
- Fragmented out of order - cluster sized blocks of text fragmenting pictures in disorder (diagram: A A A B B B C C)
- Braided (diagram: A1 A2 B1 B2)
Test Case: 7
- Byte Shifted - the dd image starts at an offset into the data (diagram label: "dd image starts here")
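The seven data-set layouts above, as an added example that is not the deck's own tooling (NIST built its images with dd): a small Python generator that lays constructed files out per test case and returns a truth map of where every fragment landed, so a carver's output can be checked against it. It assumes a 4096-byte cluster, two constructed stand-in pictures, and a 13-byte offset for the byte-shifted case.

```python
import hashlib

CLUSTER = 4096   # cluster size assumed for the test images
SHIFT = 13       # constructed offset for the 'Byte Shifted' case
# constructed cluster-sized block of text placed between pictures or fragments
FILLER = (b"cluster sized block of text between pictures " * 100)[:CLUSTER]

def pad(data: bytes) -> bytes:
    """Zero fill to the end of the last cluster ('Cluster Padded' rule)."""
    rem = len(data) % CLUSTER
    return data + b"\0" * (CLUSTER - rem) if rem else data

def split(data: bytes) -> list[bytes]:
    """Cut a padded file into two cluster-aligned fragments (A1, A2)."""
    cut = CLUSTER * max(1, len(data) // CLUSTER // 2)
    return [data[:cut], data[cut:]]

def layout(files: dict[str, bytes], case: str):
    """Lay `files` out for one test case. Returns (image bytes, truth map of
    (label, offset, length)) so a carver's output can be scored afterwards."""
    names = list(files)
    whole = [(n, pad(files[n])) for n in names]
    frags = {n: split(pad(files[n])) for n in names}

    def frag(n, i):
        return (f"{n}{i + 1}", frags[n][i])

    orders = {
        "no_padding": [(n, files[n]) for n in names],       # back to back, no fill
        "cluster_padded": whole,                            # text block between pictures
        "byte_shifted": whole,                              # same, image starts mid-block
        "frag_in_order": [frag(n, i) for n in names for i in (0, 1)],  # A1 A2 B1 B2
        "frag_disorder": [frag(n, i) for n in names for i in (1, 0)],  # A2 A1 B2 B1
        "braided": [frag(n, i) for i in (0, 1) for n in names],        # A1 B1 A2 B2
        "incomplete": [frag(n, i) for n in names for i in (0, 1)
                       if (n, i) != (names[0], 1)],                    # A2 missing
    }
    gap = b"" if case == "no_padding" else FILLER
    image = FILLER[:SHIFT] if case == "byte_shifted" else b""   # not sector aligned
    truth = []
    for label, data in orders[case]:
        truth.append((label, len(image), len(data)))
        image += data + gap
    return image, truth

def sample_files() -> dict[str, bytes]:
    """Constructed stand-ins for two pictures: real magic number, pseudo-random body."""
    return {"A": b"GIF89a" + hashlib.sha256(b"A").digest() * 300,
            "B": b"\x89PNG\r\n\x1a\n" + hashlib.sha256(b"B").digest() * 400}
```

Writing the returned bytes to a file gives a raw image a carver can be pointed at; the truth map is what the carved offsets and sizes are compared against.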
Tools Testing
We had 7 test cases and 11 tools to test.
Measuring Methods
- Visibility of files carved: is the data in a usable (viewable) format?
- Data recovered analysis: is the data a 100% match?
Visibility Categories and Definitions
- Viewable Complete - minor alteration (figure: original files vs files recovered)
- Viewable Incomplete - major alteration (figure: original file vs file recovered)
- Not Viewable
- False Positive (figure: original file vs file recovered)
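The "100% match" measurement and the recovered-data categories above, as an added example that is not the deck's own scoring code: each carved blob is hashed against the known set (exact match), otherwise scored by how much of a known file it reproduces in place, and the summary counts a known file once no matter how many copies were carved. The 0.5 threshold between "partial" and "false positive", and the constructed carver output, are assumptions; viewability itself is a manual judgement the deck made and is not modelled here.

```python
import hashlib

def positional_match(carved: bytes, original: bytes) -> float:
    """Share of the original's bytes that the carved file reproduces at the same
    offset; a truncated carve scores its prefix, junk scores near zero."""
    n = min(len(carved), len(original))
    same = sum(carved[i] == original[i] for i in range(n))
    return same / len(original)

def classify(originals: dict[str, bytes], carved: list[bytes], threshold: float = 0.5):
    """Label every carved blob: 'complete' on a SHA-256 match with a known file
    (the deck's 100% match), 'partial' when at least `threshold` of some known
    file is reproduced in place, otherwise 'false_positive'."""
    by_hash = {hashlib.sha256(d).hexdigest(): n for n, d in originals.items()}
    out = []
    for blob in carved:
        name = by_hash.get(hashlib.sha256(blob).hexdigest())
        if name:
            out.append((name, "complete", 1.0))
            continue
        name, score = max(((n, positional_match(blob, o)) for n, o in originals.items()),
                          key=lambda t: t[1])
        cat = "partial" if score >= threshold else "false_positive"
        out.append((name if cat == "partial" else None, cat, score))
    return out

def summarize(originals: dict[str, bytes], results) -> dict:
    """Per-test-case numbers in the style of the deck's charts. A known file counts
    once however many copies were carved (the 'multiple files, one viewable' case)."""
    complete = {n for n, cat, _ in results if cat == "complete"}
    partial = {n for n, cat, _ in results if cat == "partial"} - complete
    return {"carved": len(results), "known": len(originals),
            "complete": len(complete), "partial": len(partial),
            "false_positive": sum(cat == "false_positive" for _, cat, _ in results),
            "pct_complete": round(100 * len(complete) / len(originals), 1)}

def sample_run():
    """Constructed originals and a constructed carver output to score."""
    a = b"GIF89a" + hashlib.sha256(b"A").digest() * 300
    b = b"\x89PNG\r\n\x1a\n" + hashlib.sha256(b"B").digest() * 400
    # two exact copies of A, a 60% truncated A, B with its tail zeroed, and junk
    carved = [a, a, a[: len(a) * 6 // 10], b[:-100] + b"\0" * 100, b"\xff" * 5000]
    results = classify({"A": a, "B": b}, carved)
    return results, summarize({"A": a, "B": b}, results)
```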
Files Recovered per Tool (files carved; columns are test case name / known files)
Values are the chart's data labels; rows follow the chart's tool order A to H.

Tool     No Padding/47  Cluster Padded/47  Frag In Order/47  Incomplete/45  Frag disorder/41  Braided/23  Shifted/47
Tool A         54               53                53              39               44             25          28
Tool B         62               62                62              49               52             31          62
Tool C         39               39                39              24               24             17          39
Tool D         47               47                27              21               15             17           0
Tool E         38               38                32              24               26             17           0
Tool F         38               38                32              25               25             16           0
Tool G        186              186               186              93               65             34         186
Tool H         47               47                40              35               41             23          57
Percentage of usable data (columns are test case name / known files)

Tool     No Padding/47  Cluster Padded/47  Frag In Order/47  Incomplete/45  Frag disorder/41  Braided/23  Shifted/47
Tool D        100%             100%              81%             76%              0%             76%         0%
Tool I       0.003%           0.002%            0.001%          0.000%           0.000%         0.003%      0.002%
Results Overview
10 reports published at http://www.cyberfetch.org/
Interesting findings:
- multiple files carved, but only one file is viewable
- same tool, 2 different versions = close results?
Files recovered by same tool (old version vs new version; files carved per test case / known files)
Old version: 62, 62, 62, 49, 52, 31, 62 (test cases in the order No Padding, Cluster Padded, Frag In Order, Incomplete, Frag disorder, Braided, Shifted)
New version: data labels are not legible in this copy of the chart
Contacts
James Lyle (project leader), Rick Ayers
[email protected], [email protected]
Jenise Reyes-Rodriguez
www.cftt.nist.gov
www.cfreds.nist.gov
http://www.cyberfetch.org/