Graphic File Carving Tool Testing Jenise Reyes-Rodriguez National Institute of Standards and Technology AAFS - February 19th, 2015


Page 1

Graphic File Carving Tool Testing
Jenise Reyes-Rodriguez
National Institute of Standards and Technology

AAFS - February 19th, 2015

Page 2

Disclaimer

Certain company products may be mentioned or identified. Such identification does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that these products are necessarily the best available for the purpose.

Page 3

Outline

Computer Forensic Tool Testing Program (CFTT)

Why test carving tools?

File Carving vs Deleted File Recovery

Brainstorming before testing

Testing Methodology

Results Overview

Page 4

Computer Forensic Tool Testing Program (CFTT)

Validate tools used in computer-based crime investigations

Steering Committee

Sponsors: Law Enforcement Standards Office, Department of Homeland Security, Federal Bureau of Investigation, National Institute of Justice, among other agencies

Page 5

CFTT Methodology

Step 1: Test Specification
- Requirements:
  . Core
  . Optional

Step 2: Test Plan
- Test Cases
- Assertions

Step 3: Setup and Test Procedures
- Third parties could replicate test cases if desired

Step 4: Test Reports - Summary of results
- Tool tested
- Test case definition
- Results summary
- Execution environment
- Detailed results

Page 6

Outline

Computer Forensic Tool Testing Program (CFTT)

Why test carving tools?

File Carving vs Deleted File Recovery

Brainstorming before testing

Testing Methodology

Results Overview

Page 7

Why test file carving tools?

To provide the law enforcement community valuable information so they can choose tools they can rely on

Help vendors to improve their tools

Inform the users of the tools' capabilities

Page 8

Outline

Computer Forensic Tool Testing Program (CFTT)

Why test carving tools?

File Carving vs Deleted File Recovery

Brainstorming before testing

Testing Methodology

Results Overview

Page 9

File Carving vs Deleted File Recovery

File Carving: reconstruct deleted files from unallocated storage based on file content, absent file system meta-data.

Deleted File Recovery: reconstruct deleted files from unallocated storage based on file system meta-data.

Page 10

Outline

Computer Forensic Tool Testing Program (CFTT)

Why test carving tools?

File Carving vs Deleted File Recovery

Brainstorming before testing

Testing Methodology

Results Overview

Page 11

Carving graphic files: things to consider

Multiple graphic file types - test them all?

File type specifics
- header and footer
- thumbnails (embedded files)
- header only

Testing multiple tools

Page 12

Carving graphic files: more to consider

Tools support different parameters

Smart Carving

File system behavior

Page 13

Our focus

Default settings

Completion of the files

Fragmentation

Thumbnails

Files landing inside/outside sector boundaries

Page 14

Outline

Computer Forensic Tool Testing Program (CFTT)

Why test carving tools?

File Carving vs Deleted File Recovery

Brainstorming before testing

Testing Methodology

Results Overview

Page 15

Data Sets (Test Cases) Creation

Graphic files selection - most common

File types used: .gif, .bmp, .png, .jpg, .tiff

8 files of each type were selected

7 thumbnails (.jpg)

Page 16

Data Sets (Test Cases) Creation

(diagram: selected graphic files -> dd (command) -> dd image)

Page 17

Test Cases: 1 & 2

No Padding - no fill

Cluster Padded - basic
- Zero fill to end of last sector
- Cluster sized blocks of text between pictures

Page 18

Test Cases: 3 & 4

Fragmented in order
- Cluster sized blocks of text fragmenting pictures in order
- (diagram labels: A AAB BB)

Incomplete
- Cluster sized blocks of text between pictures with missing fragments
- (diagram labels: B C A C A B)

Page 19

Test Cases: 5 & 6

Fragmented out of order
- Cluster sized blocks of text fragmenting pictures in disorder
- (diagram labels: A AAB BBC C)

Braided
- (diagram labels: A1 A2 B1 B2)

Page 20

Test Case: 7

Byte Shifted
- (diagram label: dd image starts here)
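As an added example (not code from the presentation or from CFTT), the following script builds toy dd-style images laid out like the seven test cases above (no padding, cluster padded, fragmented in order, incomplete, fragmented out of order, braided, byte shifted) and includes the "100% match" hash check used later as a measuring method. The 8-byte cluster, the filler text, the 3-byte shift and the two "pictures" are constructed placeholders.

```python
import hashlib

# Assumed toy cluster size so the layouts stay readable (real images use e.g. 4096).
CLUSTER = 8
TEXT = b"lorem ip"  # one cluster-sized block of filler text (constructed)

def fragments(pic):
    """Zero-fill the picture to the end of its last cluster, then split it."""
    pic += b"\x00" * ((-len(pic)) % CLUSTER)
    return [pic[i:i + CLUSTER] for i in range(0, len(pic), CLUSTER)]

def no_padding(pics):          # case 1: pictures back to back, no fill
    return b"".join(pics)

def cluster_padded(pics):      # case 2: zero-filled pictures with a text block between them
    return TEXT.join(b"".join(fragments(p)) for p in pics)

def frag_in_order(pics):       # case 3: A TEXT A TEXT B TEXT B ...
    return TEXT.join(f for p in pics for f in fragments(p))

def incomplete(pics):          # case 4: as case 3, but each picture's 2nd fragment is missing
    return TEXT.join(f for p in pics for i, f in enumerate(fragments(p)) if i != 1)

def frag_disorder(pics):       # case 5: each picture's fragments stored in reverse order
    return TEXT.join(f for p in pics for f in reversed(fragments(p)))

def braided(pics):             # case 6: A1 B1 A2 B2 ... interleaved, no text blocks
    cols = [fragments(p) for p in pics]
    return b"".join(c[i] for i in range(max(map(len, cols))) for c in cols if i < len(c))

def byte_shifted(pics, shift=3):   # case 7: the dd image starts part-way into a sector
    return b"\xff" * shift + cluster_padded(pics)

def is_full_match(original, carved):
    """Measuring method: is the carved data a 100% match of the original file?"""
    return hashlib.sha256(original).digest() == hashlib.sha256(carved).digest()

def build_all(pics):
    """One dd-style image per test case, keyed by the deck's test case names."""
    return {"No Padding": no_padding(pics), "Cluster Padded": cluster_padded(pics),
            "Frag In Order": frag_in_order(pics), "Incomplete": incomplete(pics),
            "Frag disorder": frag_disorder(pics), "Braided": braided(pics),
            "Shifted": byte_shifted(pics)}

if __name__ == "__main__":
    pictures = [b"A" * 10, b"B" * 17]      # constructed stand-ins for graphic files
    for name, image in build_all(pictures).items():
        print(f"{name:15s} {len(image):3d} bytes  {image!r}")
```

Writing each image to disk gives a small dd image per test case whose exact fragment offsets are known, which is what makes a tool's carved output scoreable against the originals.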

Page 21

Tools Testing

We had:
- 7 test cases
- 11 tools to test

Page 22

Measuring Methods

Visibility of files carved
- Is the data in a usable format? - viewable

Data recovered analysis
- Is the data a 100% match?

Page 23

Visibility Categories and Definitions

Viewable Complete - minor alteration

(figure: original files beside files recovered)

Page 24

Visibility Categories and Definitions

Viewable Incomplete - major alteration

(figure: file recovered beside original file)

Page 25

Visibility Categories and Definitions

Not Viewable

False Positive

(figure: file recovered beside original file)

Page 26

Outline

Computer Forensic Tool Testing Program (CFTT)

Why test carving tools?

File Carving vs Deleted File Recovery

Brainstorming before testing

Testing Methodology

Results Overview

Page 27

Files Recovered per Tool

[Chart: bar chart, one series per tool (Tool A through Tool H). x-axis: test case name / known files: No Padding / 47, Cluster Padded / 47, Frag In Order / 47, Incomplete / 45, Frag disorder / 41, Braided / 23, Shifted / 47. y-axis: files carved. The data labels survive only as eight series of seven values, in the order they were extracted and not attributable to a specific tool: 54 53 53 39 44 25 28; 62 62 62 49 52 31 62; 39 39 39 24 24 17 39; 47 47 27 21 15 17 0; 38 38 32 24 26 17 0; 38 38 32 25 25 16 0; 186 186 186 93 65 34 186; 47 47 40 35 41 23 57.]

Page 28

Percentage of usable data

[Chart: bar chart, one series each for Tool D and Tool I. x-axis: test case name / known files: No Padding / 47, Cluster Padded / 47, Frag In Order / 47, Incomplete / 45, Frag disorder / 41, Braided / 23, Shifted / 47. y-axis: files carved. The data labels survive as two series of seven values, in extraction order: 100% 100% 81% 76% 0% 76% 0%; 0.003% 0.002% 0.001% 0.000% 0.000% 0.003% 0.002%.]

Page 29

Results Overview

10 reports published at http://www.cyberfetch.org/

Interesting findings
- multiple files carved, but only one file is viewable
- same tool, 2 different versions = close results?

Page 30

Files recovered by same tool

[Chart: bar chart, one series each for Old Version and New Version of the same tool. x-axis: test case name / known files (same seven test cases as above). y-axis: files carved. The data labels survive as two series of seven values, in extraction order: 62 62 62 49 52 31 62; 8946 8964 9118 6191 5612 1746 9073.]
