Computer Forensic Tool Testing at NIST.


Computer Forensic Tool Testing at NIST. Jim Lyle, Information Technology Laboratory. Digital Forensics Forum, 6 Feb 2008.
Slide 1

Computer Forensic Tool Testing at NIST
Jim Lyle, Information Technology Laboratory
Digital Forensics Forum, 6 Feb 2008

Slide 2

DISCLAIMER
Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose.
Computer Forensics Show

Slide 3

Outline
Overview of computer forensics at NIST
Description of the CFTT project
Specifications
Test assertions
Anomalies
Questions and answers

Slide 4

Where is CFTT?
US government, executive branch
Department of Commerce (DOC)
National Institute of Standards and Technology (NIST)
Information Technology Lab (ITL)
Software Diagnostics and Conformance Testing Division (SDCT)
Computer Forensics: Tool Testing Project (CFTT)
Also, the Office of Law Enforcement Standards (OLES) at NIST provides project input.

Slide 5

Goals of CF at NIST/ITL
Establish a methodology for testing computer forensic tools (CFTT)
Provide international standard reference data that tool makers and investigators can use in investigations (NSRL, CFReDS)

Slide 6

Project Sponsors (also known as the Steering Committee)
NIST/OLES (Program management)
National Institute of Justice (Major funding)
FBI (Additional funding)
Department of Defense, DCCI (Equipment and support)
Homeland Security (Technical input)
State & Local agencies (Technical input)
Internal Revenue, IRS (Technical input)

Slide 7

Other Related Projects at NIST
NSRL - Hash (MD5, SHA1) file signature database, updated 4 times a year (Doug White) [TODAY @ 3:30, here]
PDAs and Cell Phones, NIST (Rick Ayers)
SAMATE - Software Assurance Metrics and Tool Evaluation (Paul E. Black)
CFReDS - Computer Forensics Reference Data Sets (Jim Lyle)

Slide 8

Forensic Tool Features
... are like a Swiss army knife: blade for cutting, punch for making holes, scissors for cutting paper, cork screw for opening Chianti.
Forensic tools can do one or more of ...
Image a disk (digital data acquisition)
Search for strings
Recover deleted files

Slide 9

Testing a Swiss Army Knife
How should tools with a variable set of features be tested? All together or by feature?
Testing by feature has a set of tests for each feature: acquisition, searching, recovery.
Examples: EnCase acquisition, iLook string search, FTK file recovery

Slide 10

Conformance Testing
Start with a standard or specification
Develop test assertions
Develop a test suite
Identify testing labs to carry out the tests
If certification is desired: identify a certification authority, identify funding

Slide 11

CFTT Model: Test Report
To produce a CFTT test report we need ...
Forensic tool under test (keep in mind there may be several versions and releases)
Set of test cases (defined in a test case document)
Validated measurement tools (test harness, user manual, design document, test harness requirements, V&V plan for the test harness and V&V report for the test harness)
Test assertions (define what should be measured, in a test assertion document)
Specification (defines tool feature requirements)
Resolution of comments document

Slide 12

Creating a Specification (informal) versus a Standard (formal ISO process)
Steering committee selects the topic
NIST researches: tools, vendors, users
NIST drafts an initial specification
Post the specification on the web for public comment
Resolve comments, post the final version

Slide 13

Test Case
A test case for disk imaging:
Create a target test drive (visible sectors only)
Calculate a hash of the test drive
Image the test drive with the tool under test
Based on how the tool reports results, measure the results
Sound forensic practice is often not good testing practice.

Slide 14

Evaluating Test Results
If a test exhibits an anomaly ...
Look for a hardware or procedural problem
Has the anomaly been seen before?
If unique, look at more cases
Examine similar anomalies

Slide 15

Test Case Example: Setup
NTFS partition, MD5: 92b27b30bee8b0ffba8c660fa1590d49
27,744,192 sectors
Each sector filled with the sector LBA & disk ID
Acquire the partition
Total Sectors: 27,744,191, MD5: 494A6ED8A827AD9B5403E0CC89379956
Rehash (less last sector) - still no match

Slide 16

Example Continued
Restore the image to the NTFS partition
Compare to the original: sectors differ: 47
Restore was done in Windows XP ...
Restore again, unpower the drive, no system shutdown.
Compare to the original: sectors differ: 8
Diffs range: 27,744,184-27,744,191

Slide 17

Example Resolution
Examine the eight sectors
Last sector not imaged
The other seven are a second copy of seven sectors starting at offset 27,744,120 - we know this because every sector is tagged with its LBA
Verification: acquisition hash: 494a6ed8a827ad9b5403e0cc89379956
    xena:/Users/jimmy root# dd bs=512 if=/dev/disk2s11 of=~jimmy/nt.dd
    xena.local(1009)==> dd if=nt.dd bs=512 skip=27744120 count=7 of=end.dd
    xena.local(1012)==> dd if=nt.dd bs=512 count=27744184 of=chunk.dd
    xena.local(1013)==> cat chunk.dd end.dd | md5
    494a6ed8a827ad9b5403e0cc89379956
    xena.local(1022)==> md5 nt.dd
    MD5 (nt.dd) = 92b27b30bee8b0ffba8c660fa1590d49
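The LBA-tagged test drive from slide 13 and the investigation on slides 15 through 17 can be reproduced in miniature. The following is an added example, not code from the slides or from CFTT: it builds a tagged drive, applies a constructed model of the faulty acquisition (last sector dropped, tail replaced by a second copy of seven earlier sectors), locates the differing sectors, reads the LBA each one carries, and then performs the same rebuild-and-hash check the dd/cat/md5 session does. The 64-sector size, the disk id and the offset 40 are scaled-down stand-ins for the slide's values.

```python
import hashlib
import struct

SECTOR = 512
DISK_ID = b"TESTDRV1"   # constructed 8-byte disk id; each 16-byte tag = LBA + DISK_ID

def make_tagged_drive(n_sectors):
    """Setup step: fill every sector with its own LBA plus the disk id, so any
    sector that turns up in an image can be traced back to where it came from."""
    return b"".join((struct.pack("<Q", lba) + DISK_ID) * (SECTOR // 16)
                    for lba in range(n_sectors))

def tag_of(sector):
    """Read back the LBA stamped in a sector."""
    return struct.unpack("<Q", sector[:8])[0]

def faulty_acquire(drive, dup_offset, dup_count):
    """Constructed model of the tool behaviour on slides 15-17: the last sector is
    dropped and the tail is a second copy of dup_count sectors from dup_offset."""
    n = len(drive) // SECTOR
    kept = drive[:(n - 1 - dup_count) * SECTOR]
    return kept + drive[dup_offset * SECTOR:(dup_offset + dup_count) * SECTOR]

def diff_sectors(original, image):
    """Restore-and-compare step: return (lba, lba stamped in the image sector) for
    every sector that differs; the stamped value is None where the image is short."""
    diffs = []
    for lba in range(len(original) // SECTOR):
        orig = original[lba * SECTOR:(lba + 1) * SECTOR]
        got = image[lba * SECTOR:(lba + 1) * SECTOR]
        if got != orig:
            diffs.append((lba, tag_of(got) if len(got) == SECTOR else None))
    return diffs

def verify_explanation(original, image, dup_offset, dup_count):
    """Same check as the dd/cat/md5 session on slide 17: rebuild what the tool must
    have written from the original and see whether its hash matches the image."""
    n = len(original) // SECTOR
    chunk = original[:(n - 1 - dup_count) * SECTOR]
    end = original[dup_offset * SECTOR:(dup_offset + dup_count) * SECTOR]
    return hashlib.md5(chunk + end).digest() == hashlib.md5(image).digest()

if __name__ == "__main__":
    drive = make_tagged_drive(64)        # 64 sectors stand in for 27,744,192
    image = faulty_acquire(drive, dup_offset=40, dup_count=7)
    print("original", hashlib.md5(drive).hexdigest(), "image", hashlib.md5(image).hexdigest())
    for lba, found in diff_sectors(drive, image):
        print(f"sector {lba}: image holds LBA {found}")    # 56..62 hold 40..46; 63 None
    print("explanation verified:", verify_explanation(drive, image, 40, 7))
```

A tag that decodes to an LBA far from the sector's own position is what turns "8 sectors differ" into "seven sectors duplicated from offset N, one missing", which is the whole reason the test drive is tagged rather than filled with random data.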

Slide 18

Current Activities
Hard drive imaging tools
Software hard drive write protect
Hardware hard drive write protect
Deleted file recovery
String searching

Slide 19

Acquisition Anomalies
Last sector of a partition or drive acquisition skipped in Linux 2.4
Some sectors adjacent to a faulty sector filled instead of acquired
In a legacy BIOS acquisition (DOS), the last partial cylinder is not acquired
Last partial cylinder of a drive not used in a restore

Slide 20

Impact
Release 18 (Feb 2001) - A US government organization was doing some testing and discovered a problem under a specific set of circumstances.
Several vendors have made product or documentation changes.
CFTT cited in some prominent court cases.

Slide 21

Available Specifications
Hard Drive Imaging (e.g., Safeback, EnCase, Ilook, Mares imaging tool)
Write Block Software Tools (e.g., RCMP HDL, Pdblock, ACES)
Write Block Hardware Devices (A-Card, FastBloc, NoWrite)
Cell phone acquisition tools
GSM Mobile Device and Associated Media Tool Specification Draft
GSM Mobile Device and Associated Media Tool Specification and Test Plan

Slide 22

Specifications Under Development
String searching
Deleted file recovery

Slide 23

Available Imaging Test Reports
IXimager (Version 2.0, Feb-01 2006), April 2007
DCCIdd Version 2.0, Jan 2008
dd provided with FreeBSD 4.4, January 2004
SafeBack 2.18, June 2003
EnCase 3.20, June 2003
SafeBack 2.0, April 2003
Red Hat Linux dd Version: 7.1 GNU fileutils 4.0.36, August 2002

Slide 24

Software Write Block Reports
Test Results for Software Write Block Tools: PDBLOCK Version 1.02 (PDF-LITE)
Test Results for Software Write Block Tools: PDBLOCK Version 2.00
Test Results for Software Write Block Tools: PDBLOCK Version 2.01
Test Results for Software Write Block Tools: RCMP HDL VO.4
Test Results for Software Write Block Tools: RCMP HDL VO.5
Test Results for Software Write Block Tools: RCMP HDL VO.7
Test Results for Software Write Block Tools: RCMP HDL VO.8
ACES Software Write Block Tool Test Report: Writeblocker Windows 2000 V5.02.00, January 2008
ACES Software Write Block Tool Test Report: Writeblocker Windows XP V6.10.0, January 2008

Slide 25

Write Block Devices
FastBloc FE (USB Interface)
FastBloc FE (FireWire Interface)
Tableau T5 Forensic IDE Bridge (USB Interface)
Tableau T5 Forensic IDE Bridge (FireWire Interface)
Tableau Forensic SATA Bridge T3u (USB Interface)
Tableau Forensic SATA Bridge T3u (FireWire Interface)
Tableau Forensic IDE Pocket Bridge T14 (FireWire Interface)
WiebeTech Forensic SATADock (FireWire Interface)
WiebeTech Forensic SATADock (USB Interface)
FastBloc IDE (Firmware Version 16)
MyKey NoWrite (Firmware Version 1.05)
ICS ImageMasster DriveLock IDE (Firmware Version 17)
WiebeTech FireWire DriveDock Combo (FireWire Interface)
WiebeTech Forensic ComboDock (USB Interface)
WiebeTech Forensic ComboDock (FireWire Interface)
WiebeTech Bus Powered Forensic ComboDock (USB Interface)
WiebeTech Bus Powered Forensic ComboDock (FireWire Interface)
Digital Intelligence UltraBlock SATA (USB Interface)
Digital Intelligence UltraBlock SATA (FireWire Interface)
Digital Intelligence Firefly 800 IDE (FireWire Interface)

Slide 26

Test Reports in the Near Future
EnCase 4.22a (Drafting report)
Linen 5.05f (Drafting report)
EnCase 5.05f (Drafting report)
FTK imager 2.5.3.14 (Drafting report)
Encase 6.??/Linen 6.?? (Reviewing test runs)
Macquisition (Running tests now)
X-ways, Talon starting soon

Slide 27

Available Testing Software
FS-TST - tools to test disk imaging: drive wipe, drive compare, drive hash (SHA1), partition compare. (DCCI uses these tools)
SWBT - tools to test interrupt 13 software write blockers

Slide 28

Benefits of CFTT
Benefits of a forensic tool testing program:
Users can make informed choices
Neutral test program (not law enforcement)
Reduce challenges to the admissibility of digital evidence
Tool makers improve their tools

Slide 29

Other Testing Activities
PDAs and Cell Phones (Rick Ayers)
DCCI (Department of Defense) - not publicly available
DFTT on SourceForge (Brian Carrier) - just test data, not