
Graphic File Carving Tool Testing

Jenise Reyes-Rodriguez

National Institute of Standards and Technology

AAFS - February 19th, 2015

Disclaimer

Certain company products may be mentioned or identified. Such identification does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that these products are necessarily the best available for the purpose.

Outline

- Computer Forensic Tool Testing Program (CFTT)
- Why test carving tools?
- File Carving vs Deleted File Recovery
- Brainstorming before testing
- Testing Methodology
- Results Overview

Computer Forensic Tool Testing Program (CFTT)

- Validate tools used in computer-based crime investigations
- Steering Committee
- Sponsors: Law Enforcement Standards Office, Department of Homeland Security, Federal Bureau of Investigation, National Institute of Justice, among other agencies

CFTT Methodology

Step 1: Test Specification
- Requirements: Core, Optional

Step 2: Test Plan
- Test Cases
- Assertions

Step 3: Setup and Test Procedures
- Third parties could replicate test cases if desired

Step 4: Test Reports
- Summary of results: Tool tested, Test case definition, Results Summary, Execution Environment, Detailed results


Why test file carving tools?

- To provide the law enforcement community valuable information so they can choose tools they can rely on
- Help vendors to improve their tools
- Inform the users of the tools' capabilities


File Carving vs Deleted File Recovery

File Carving
- Reconstruct deleted files from unallocated storage based on file content, absent file system metadata

Deleted File Recovery
- Reconstruct deleted files from unallocated storage based on file system metadata


Carving graphic files: things to consider

- Multiple graphic file types: test them all?
- File type specifics
  - header and footer
  - thumbnails (embedded files)
  - header only
- Testing multiple tools

Carving graphic files: more to consider

- Tools support different parameters
- Smart Carving
- File systems behavior

Our focus

- Default settings
- Completion of the files
- Fragmentation
- Thumbnails
- Files landing in/out of sector boundary


Data Sets (Test Cases) Creation

- Graphic files selection: most common
- File types used: .gif, .bmp, .png, .jpg, .tiff
- 8 files of each type were selected
- 7 thumbnails (.jpg)

Data Sets (Test Cases) Creation

[Diagram: the selected files are assembled into a dd image with the dd command]

Test Cases: 1 & 2

- No Padding: no fill
- Cluster Padded (basic): zero fill to end of last sector, cluster-sized blocks of text between pictures

Test Cases: 3 & 4

- Fragmented in order: cluster-sized blocks of text fragmenting pictures in order (A B A B A B)
- Incomplete: cluster-sized blocks of text between pictures with missing fragments (B C A C A B)

Test Cases: 5 & 6

- Fragmented out of order: cluster-sized blocks of text fragmenting pictures in disorder
- Braided (A1 B1 A2 B2)

[Diagram: fragment layouts "A A A", "B C B C B" and braided "A1 B1 A2 B2"]

Test Cases: 7

- Byte Shifted

[Diagram: "dd image starts here", the image start is not aligned with the file boundary]

Tools Testing

- We had
  - 7 test cases
  - 11 tools to test

Measuring Methods

- Visibility of files carved
  - Is the data in a usable (viewable) format?
- Data recovered analysis
  - Is the data a 100% match?

Visibility Categories and Definitions

- Viewable Complete: minor alteration
- Viewable Incomplete: major alteration
- Not Viewable
- False Positive

[Figures: side-by-side comparisons of original files and files recovered for each category]
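As an added example (not code from the deck or from any tested tool), a minimal header/footer carver run over constructed dd-style images for three of the test case layouts above (cluster padded, fragmented in order, byte shifted), scored by hash comparison against the known files, which is the "100% match" measure. The sample files, cluster size and header/footer signatures are constructed for illustration.

```python
import hashlib

# Constructed stand-ins for the known graphic files: real magic bytes and
# trailers around filler, so a header/footer carver treats them as images.
JPEG = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 40 + b"IEND\xaeB`\x82"
GIF = b"GIF89a" + b"G" * 40 + b"\x00;"
KNOWN = {hashlib.sha256(f).hexdigest() for f in (JPEG, PNG, GIF)}
CLUSTER = 64  # cluster size of the constructed image (assumption)

# (header, footer) pairs the carver searches for
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x00;"),
}

def carve(image: bytes, max_size: int = 4096):
    """Header/footer carving: from each header, take bytes up to the next
    matching footer within max_size. Returns (type, offset, data) sorted by
    offset; no file system metadata is consulted."""
    found = []
    for ftype, (hdr, ftr) in SIGNATURES.items():
        start = image.find(hdr)
        while start != -1:
            end = image.find(ftr, start + len(hdr), start + max_size)
            if end != -1:
                found.append((ftype, start, image[start:end + len(ftr)]))
            start = image.find(hdr, start + 1)
    return sorted(found, key=lambda f: f[1])

def pad(data: bytes) -> bytes:
    """Zero fill to the end of the last cluster ('cluster padded')."""
    rem = len(data) % CLUSTER
    return data if rem == 0 else data + b"\x00" * (CLUSTER - rem)

def build_image(case: str) -> bytes:
    """Constructed dd-style images for three of the test case layouts."""
    text = pad(b"the quick brown fox " * 4)  # cluster-sized block of text
    if case == "cluster_padded":             # text between whole pictures
        return pad(JPEG) + text + pad(PNG) + text + pad(GIF)
    if case == "fragmented_in_order":        # a text block splits the JPEG
        return JPEG[:24] + text + JPEG[24:] + text + PNG
    if case == "byte_shifted":               # image start not sector aligned
        return b"\x00" * 13 + JPEG + text + PNG
    raise ValueError(case)

def score(case: str) -> dict:
    """Per carved object: does its hash match a known file (100% match)?"""
    return {ftype: hashlib.sha256(data).hexdigest() in KNOWN
            for ftype, _, data in carve(build_image(case))}
```

The fragmented case carves a JPEG that opens and displays its header but is not a 100% match, which is the kind of "viewable incomplete" result the measuring methods above separate from a complete recovery.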


Files Recovered per Tool

[Chart: files carved per test case for Tool A through Tool H. Test case name / known files: No Padding / 47, Cluster Padded / 47, Frag In Order / 47, Incomplete / 45, Frag Disorder / 41, Braided / 23, Shifted / 47]

[Chart: files carved per test case (as percentages) for Tool D and Tool I, axes "Files Carved" and "Test case name / Known files"]

Results Overview

- 10 reports published at http://www.cyberfetch.org/
- Interesting findings
  - multiple files but only one file is viewable
  - same tool, 2 different versions = close results?

[Chart: files carved per test case for an old version and a new version of the same tool, axes "Files Carved" and "Test case name / Known files"]

Contacts

James Lyle (project leader): james.lyle@nist.gov
Rick Ayers: richard.ayers@nist.gov
Jenise Reyes-Rodriguez: jenise.reyes@nist.gov

www.cftt.nist.gov
www.cfreds.nist.gov
http://www.cyberfetch.org/
