Home > Article > Test Results for Digital Data Acquisition Tool FTK Imager CLI 2 9 0 Debian

Test Results for Digital Data Acquisition Tool FTK Imager CLI 2 9 0 Debian

US

Department of JusticeOffice of justice P810 Seventh Street NwEric H Holder, JMary Lou LearyActing Assistant Attorney GeneraGreg RidgewayActing Director, National Institute of Justiceother publications and products oOffice of Justice ProgramsSafer Neighborhoods

est Results for Digital Data Acquisition ToolTool TesteFTK Imager CLISoftware version: 290 DebianDebian Live 604 and Ubuntu 10 04 LtsvironmentAddress384 South 400 West Suite 200Lindon ut 84042 USA5410801-765-4370supportaccessdatacomResults siAccess Data's FTK Imager CLI v29 Debian is designed to image and restore hard drivesand other secondary storage It uses the Debian command line interface to image, cloneand restore acquired data Except for the case where a drive with faulty sectors wasimaged(test case DA-09), the tool acquired all sectors of the test media completely andA-17 that measure how a tool behaves when thedestination media has insufficient space for a clone or restore task, the tool failed todisplay a message indicating that the destination drive had insufficient spacections 3 1 and 3 2 for additdetails on test cases da-04

da-17 and da2 Test case selectionTest cases used to test disk imaging tools are defined in Digital Data Acquisition ToAssertions and test plan version 0 To test a tool test casesd from the tesPlan document based on the features offered by the tool Not all test cases or testssertions are appropriate for all tools There is a core set of base cases(eg, DA-06 andDA-07) that are executed for every tool tested Tool features guide the selectionadditional test cases If a given toolnts a feature then the testlinked to thatsts the testable features of ftk imager cli v29 Debian and thenked test cases selected for execution Table 2 lists the features not available in ftKImager cli v29 Debian and the test cases not executedTable 1 selected test casesSupported Optional FeatureCases Selected for ExecutionCreate a clone dl01Create an unaligned clone from a digital source 02May 2013of 119FTK Imager CLI 290 Debian

ed optionaCases Selected for ECreate a truncated clone from a physical device0406&Read error d09Create an image file in more than one formatsufficient space for image file14&17Detect a corrupted (or changed)image file 24&25Convert an image file from one format toUnsupported Optional FeatureCases Omitted( Not Executed)Device lO error generator available&Create an image of a drive with hidden sectors 08Destination device switchina clone from a subset of an image file 16Fill excess sectors on a clone acquisitionexcess sectors on a clone device22&23Some test cases have different forms to accommodate parameters within test assertionsThese variations cover the acquisition interface to the source media, the type of digitabject acquired and image file formatThe following source interfaces were tested USB, ATA28, ATA48, FW, SATA28SATA48 and scsi these are noted as variations on testDA-O1 and DA-OThe following digital source types were tested: partitions(FAT16, FAT32, NTFS, EXTEXT4), compact flash(CF)and thumb drive(Thumb) These digital source types areoted as variations on test cases da-02 and da-07The following image file types are supported by the tool: SMART ew-compressed, E0nd encrypted These were tested as alternate image file formats and are noted as3 Results by Test AssertionA test assertion is a verifiable statement about a single condition after an actioperformed by thection of a single execution of the tool under test test assertions are defined and linkednmarizes the test results for all the test cases by assertion

The column labeledAssertions Tested gives the text of each assertion The column labeled Tests gives theMay 2013FTK Imager CLI 290 Debian

number of test cases that use the given assertion The column labeled anomaly gives thesection number in this report where any observed anomalies are discusseTable 3 Assertion TestedAM-OI Thees access interface SRC-al to access the digitalAM-02 The tool acquires digital source DSAM-03 The tool executes in execution environment XE

M-04 If clone creation is specified, the tool creates a clone of the 14M-05 If image file creation is specified, the tool creates an imageAM-06 All visible sectors are acquired from the digital source3232AM-08 All sectors acquired from the digital source are acquiredAM-09 If unresolved errors occur while reading from the selected2digital source, the tool notifies the user of the error type and locationwithin the digital sourceAM-10 If unresolved errors ochile reading from tldigital source, the tool uses a benign fill in the destination object inimage file is the same as the data acquired by the too nted by theAO-O1 If the tool creates an image file, the data represenAO-02 If an image file format is specified, the tool creates an image 3filee specified formatAO-04 If the tool is creating an image file and therelIchenspace on the image destination device to contain the image file, theAO-05e imageequested size thenall the individual files shall be no larger than the requested sizeAo-06 If the tool performs an image file integrity check on an imagefile that has not been changed since the file was created the tool shallAO-07 If the tool performs an image file integrity check on an image 1file that has been changed since thecreated, the tool shnotify the user that the image file has been changedAo-08 If the tool performs an image file integrity check on an imagefile that has been changed since the file was created, the tool shallnotify theof the affected locatarget image file in another format, the acquired data represented inthe target image file is the same as the acquired data in the sourceLAO-1l If requested, a clone is created during an acquisition of a14May 2013FTK Imager CLI 290 Debian

Assertions TestedTests Anomaldigital sourceLAO-12 If requested, a clone is created from an imaAO-13Areated using access interface DST-Al to write to 32the clone devicean unaligned clone is created each sector written to thelone is accurately written to the same disk address on the clone thatedAO-17 If requested, any excess sectors on a clone destination device 16are not modifiedAO-19 If thace to create a completeuncated clone is created using all available sectors of the clonAO-20 If a truncated clone is created, the tool notifies the userAO-23 If the tignificant information thenformation is accurately recorded in the log fileAO-24 If the tool executes in a forensically safe exec33ment, the digital source is unchanged by the acTwo test assertions only apply in special circumstances The assertion AO-22 is checkedls that create block hashes The assertion Ao-24 is only checked if the tooluted in a run time environment that does not modify attached storage devices, suchas MS-DOS In normal operation, an imaging tool is used in conjunction with a writeblock device to protect the source drive Table 4 lists the assertions that were not testedusually due to the tool not supporting some optional feature, eg

, creation of cylinderaligned cloneTable 4 Assertions Not TestedAssertions Not testedAM-07 All hidden sectors are acquired from the digital sourceAO-03 If there is an error while writing the image file, the tool notifies the userAo-10 If theresufficient space to contain all files of ae and ifdestination device switching is supported, the image is continued on another deviceAO-15 If an aligned clone is created, each sector within a contiguous span of sectorsthe source is accurately written to the same disk address on the clone device relative to theart of the span as the sector occupied on the original digital source A span of sectors isdefined to be either a mountable partition or a contiguous sequence of sectors not part of amountable partition Extended partitions, which may contain both mountable partitions andunallocated sectors, are not mountable partitionsAO-16 If a subset of an image or acquisition is specified, all the subset is clonedMay 2013FTK Imager CLI 290 Debian

Assertions Not TestedAo-18 If requested a benign fill is written to excess sectors of a cloneAo-21 If there is a write error during clone creation, the tool notifies the userequested, the tool calculates block hashes for a specified block size during anacquisition for each block acquired from the digital source3 1 Creating truncated clonesTest case DA-04 measured FrK Imager cli v29 Debian's behavior when askedacquire a physical device to a truncated clone Test case DA-17 tested the behavior foreating truncated clones from image files In both cases the tool did not inform the userthat a truncated clone had been created The tests ended without any message informingthe user that the destination drive was smaller than the source The tool does not logprogress information, to the screen or to file, during a clone operation It appears that theessage logging function of the tool is limited by scope to image acquisitions only3 2 Faulty sectoWhen cloning a drive with faulty sectors, test case DA-09, the tool stopped theacquisition at the first faulty sector No notification was given to the user4 Testing EnvironmentThe tests were run in the nist cftt lab This section describes the selected teS, computers available for testing, using the support software, andnotesther test hardwar4

1 Execut

ion EnvironmentThe tool was executed in the debian Live 60 4 and Ubuntu 10 04 Lts environments42 Test ComputersTwo computers were used to run the tool: DeathStar and FrankDeathStar has the following configurationTCP Custom buProcessor Intel Core 15-25003 3GHZCDRWIDVDBIOS Version ASUS EFi Version 916201frank has the following configurationLatitude d800Processor Intel Pentium 4 340GHZAssembly, Floppy Drive, 144M, 35May 2013of 119FTK Imager CLI 290 Debian

g CDRWIDVDBIOS Version Inter version bf8651043 Support Softwarea package of programs to support test analysis, FS-TST Release 20, was used Thewarecanbeobtainedfromhttp://wwwcfttnistgov/diskimaging/fs-tst20zi4 4 Test Drive CreationThere are three ways that a hard drive may be used in a tool test case: as a source driveat is imaged by the tool, as a media drive that contains image files created by the toolunder test, or as a destination drive on which the tool under test creates a clone of thedrive In addition to the operating system drive formatting tools some too( diskwipe and diskhash) from the fs-TST package are used to setup test drivesource driveThe setup of most source drives follows the same general procedure, but there are severalsteps that may be varied depending on the needs of theThe drive is filled with known data by the diskwipe program from FS-TST Thediskwipe program writes theaddresssector in both C/his and lBaormat The remainder of the sector bytes is set to a constant fill value unique foreach drive The fill value is noted in the diskwipe tool log file2 The drive may be formatted with partitions as required for thee test case3

An operating system may optionally be installed4 A set of reference hashes is created by the FS-tST diskhash tool These includeboth shal and mds hashes In addition to full drive hashes hashes of eachartition may also be computed5 If the drive is intended for hidden area tests(DA-08), an HPA, a DCO or bothmay be createddiskhash tool is then used to calculate reference hashes ofust the visible sectors of the driveThe source drives for DA-09 are created such that there is a consistent set of faultydrive Each of these source drives is initialized with diskwipe andtheir faulty sectors are activated For each of these source drives, a duplicate drive with442 Media driveTo setup a media drive, the drive is formatted with one of the supported file systems Aayest cases4 43 Destination DriveTo setup a destination drive, the drive is filled with known data by the diskwipe programm FS-TST Partitions may be created if the test case involves restoring from the imageMay 2013of 119FTK Imager CLI 290 Debian

45 Test Drive AnalysisFor testthat createofcal device eg DA-O1 DA-04 etc thedestination drive is compared to the source drive with the diskcmp program from theTST package, for test cases that create a clone of a logical device, ie, a partition, egDA-02, DA-20, etc, the destination partition is compared to the source partition with thepartcmp program For a destination created from an image file, e g, DA-14, theefor partition clones), to the source that was acquired to create the image file

Bo Cmpdediskcmp and partcmp note differences between the source and destination If thdestination is larger than the source, it is scanned and the excess destination sectors areategorized as either undisturbed(still containing the fill pattern written by diskwipe)zero filled or changed to something elseFor test case DA-09, imaging a drive with known faulty sectors, the program ana-bad isused to compare the faulty sector reference drive to a cloned version of the faulty sectorFor test cases such as DA-06 and DA-07, any acquisition hash computed by theunder test is compared to the reference hash of the source to check that the source ismpletely and accurately acquirote on test drivesThe testing uses several test drives from a variety of vendors The drives are identifiean external label that consists of a two-digit hexadecimal value and an optional tag, e g25-SATA, The combination of hex value and tag serves as a unique identifier for eachdrive The two digit heused by the fs-tsT diskwipe program as a sector fialueThe FS-TST compare tools, diskcmp and partemp count sectors that are filledwith the source and destinatialues on a destination that is larger than the origiSource5 Test ResultThe main item of interest for interpreting the test results is determining the conformanceof the tool under test we test assertions, Conformance with each assertion tested bygiven test case is evaluated by examining the Log Highlights box of the test repor51Results Report KeyTheng table presents an explanation of each section of the test details in section52 The Tester Name, Test Host, Test Date, Drives, Source Setup and Log highlightssections for each test case are populated by excerpts taken from the log files produced bythe tool under test and the fs-tST tools that were executed in support of test case setupFirst lineTest case ID, name and version of tool testedest case sumary from Digital Data Acquisition ToolMay 2013FTK Imager CLI 290 Debian

Y2013est Results for Digital Data Acquisition TooFTK Imager cLl 2

90 DebianNcJ242138

N丿Greg RidgewayActing Director, National Institute of JustiStandards of the nattute of standards and teagency Agreethe offPrograms, whiclJuvenile Justice and Delinquency Prevention, the office for Victims of Crime, and the office o

May 2013Test Results for diData Acquisition ToolK Imager C0 DebianStandards and TechnologyU

S Department of Commerc

ContentsHow to Read This reportResults Summary2 Test Case selection3 Results by Test Assertion31 Creating truncated clonessectors41 Execution environment43 Support Software44 Test Drive creationource drive442 Media drive777888889443 Destination drive45 Test Drive Analysis46 Note on Test drives51 Test Results Report Key0521DA-01-ATA28522DA-01-ATA48523DA-01-FW5

24DA-01-SATA2825DA-01-SATA481926 DA-OI-SCS2128DA-02CF9 DA-02-EXT0 DA-02-EXT42 DA-O2-NT5213 DA-02-THUMB5214DA-0452,16DA06-ATA48DA-06-FW5218DA-06-SATA28455219A-06-SATA4845220DA-06-SCSI221DA-06-USBA-07-CEA-07-EXT3224DA-07-EXT4

25DA07-F165226DA07-F325,227DA07-NT5228 DA-O7-THUMB5229DA-095230DA-10E70A-10-E015232DA-10-S0l5233DA-12234DA-14-ATA28236DA-14-CF237DA-14-E8DA-14-E040DA-14-EXDA-14F165242DA-14F3252

43244DA-14NT99%524DA-14-S015,2,46DA-14-SATA285247A-14-SATA481025248DA-14-SCSI5249 DA-14-THUMB5250DA-14-USB105252DA-2408254DA-26-D2EDA-26-D2E06DA-26-D2S0DA-26-E012E5259DA26-E012S015260DA-26-S012D1172615262DA26-S012E0l

ntroductioThe Computer Forensics Tool Testing(CFTT) program is a joint project of the Nationale(N), the Department of Homeland Security (DHS), and the Nationalf Standards and Technology Law Enforcement Standards Office (OLES)andInformation Technology Laboratory (ITL) CFTT is supported by other organizationsncluding the Federal Bureau of Investigation, the Us Department of Defense CybeCrime Center, USRevenue service criminalCrimes program andDepartment of homeland securitys bureauImmigration and Customs Enforcement, US Customs and border protection and UsSecret Service The objective of the Cftt program is to provide measurable assurance toactitioners researchers and other applicable users that the tools usedforensics investigations provide accurate results Accomplishing this requires thedevelopment of specifications and test methods for computer forensics tools andubsequent testing of specific tools against those specificationsTest results provide the information necessary for developers to improve tools, users tomake informed choices, and the legal community and others to understand the toolscapabilities The CFTT approach to testing computer forensics tools is based on welrecognized methodologies for confod quality testing The specifications andtestmethodsarepostedontheCfttWebsite(http://wwwcfttnistgov/)forreviewandcomment by the computer forensics communityThis document reports the results from testing FTK Imager CLI 2

90_Debian against theCfttWebsite(http://wwwcfttnistgov/da-atp-pc-0lpDfTest results from other tools can be found on Nw's computer forensics tool testing Webpagehttp://wwwoipusdoigov/nij/topics/technology/electronic-crime/cftthtlow to Read This ReportThis report is divided into five sections The first section is a summary of the results frorthe test runs This section is sufficient for most readers to assess the suitability of the toolfor the intended use The remaining sections of the report describe how the tests wereconducted, discuss any anomalies that were encountered and provide documentation oftest case run details that support the report summary Section 2 gives justification for theelection of test cases from the set of possible cases defined in the test plan for DigitalThe test caselected, in general, based on features offeredtheection 3 describes in more depth any anomalies summarized in the firstsection Section 4 lists hardware and software used to run the test cases with linksadditional information about the items used Section 5 contains a description of each tescase run The description of each test run lists all test assertions used in the test case

cted result and the actual result please refer to the vendor docuguidance on using theMay 2013FTK Imager CLI 2

90 Debian