Forensics: Imaging Tools

The US National Institute of Justice has produced a series of reports based on extensive, repeatable, scientific trials of forensic imaging tools (the testing was conducted by NIST).

Tools tested include Linen, FTK Imager, EnCase, and Paraben Device Seizure.

All of the tests followed a set format, though it should be emphasised that the tests were scientific and based on results in a lab, not on how an end user interacts with a tool on a day-to-day basis.

All of the tools failed to image the DCO (device configuration overlay), as would be expected.

A sample of the results is shown below:

FTK Imager Summary: FTK Imager Full Report

Except for two test cases (DA–07 and DA–08), the tested tool acquired all visible and hidden sectors completely and accurately from the test media without any anomalies. In one test case (DA-25) image file corruption was detected, but the location of the corrupt data was not reported. The following four anomalies were observed in test cases DA–07, DA–08, and DA–25:

  • If a logical acquisition is made of an NTFS partition, the last eight sectors of the physical partition are not acquired
  • The sectors hidden by a host protected area (HPA) are not acquired
  • The sectors hidden by a device configuration overlay (DCO) are not acquired
  • The location of corrupted data in an image file is not reported


Linen Summary: Full Linen Report

Except for two test cases (DA–08 and DA–09), the tested tool acquired all visible and hidden sectors completely and accurately from the test media. The two exceptions are the following:

  • Up to seven sectors contiguous to a defective sector may be replaced by zeros in the acquisition
  • The sectors hidden by a device configuration overlay (DCO) are not acquired

The HPA was imaged by Linen, and the report states that:

“The tool does not remove either Host Protected Areas (HPAs) or DCOs. However, the Linux test environment automatically removed the HPA on the test drive, allowing the tool to image sectors hidden by an HPA”

EnCase 4 Summary: Full EnCase 4 Report

Except for three test cases (DA–07, DA–08 and DA–09), the tested tool acquired all visible and hidden sectors completely and accurately from the test media without any anomalies. The following five anomalies were observed:

  • If a logical acquisition is made of an NTFS partition, a small number of sectors (seven in the executed test) appear in the image file twice, replacing other sectors
  • If a logical acquisition is made of an NTFS partition, the last physical sector of the partition is not acquired
  • If the tool attempts to acquire a defective sector, a sixty-four sector block of sectors containing the defective sector is replaced by zeros in the created image file.
  • The sectors hidden by a host protected area (HPA) are not acquired.
  • The sectors hidden by a device configuration overlay (DCO) are not acquired
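
The anomalies above (sectors hidden by an HPA, runs of sectors replaced by zeros, the last sectors of a partition missing, and corruption whose location is not reported) are all things an examiner can check for after an acquisition rather than trust the tool about. The script below is an added example, not part of the original post or of the NIST reports; it reads the current-versus-native sector count from `hdparm -N` style output to find an HPA (the sample output line is constructed), and compares an image against its source sector by sector so that a zeroed run, a truncated tail or a corrupt sector is located, not just detected. The source/image pair is built in memory and is constructed to exhibit those anomalies.

```python
"""Added example (not from the original post or the NIST/CFTT reports):
verification checks for the acquisition anomalies described in the reports.

1. hpa_hidden_sectors(): parse the "max sectors = current/native" line that
   `hdparm -N` prints; native > current means an HPA hides sectors that an
   imaging tool may not have acquired.  SAMPLE_HDPARM is a constructed line.
2. compare_image(): compare an acquired image with its source sector by
   sector and report a truncated tail, mismatched sectors and zero-filled
   runs, so the *location* of bad data is known.
All inputs are constructed in memory; the script runs offline.
"""
import hashlib
import re

SECTOR = 512

# Constructed sample of `hdparm -N /dev/sdX` output: 1024 sectors hidden by an HPA.
SAMPLE_HDPARM = "/dev/sdX:\n max sectors   = 976772144/976773168, HPA is enabled\n"


def hpa_hidden_sectors(hdparm_output: str) -> int:
    """Return the number of sectors hidden by an HPA (native max minus current max)."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", hdparm_output)
    if not m:
        raise ValueError("no 'max sectors' line found in hdparm output")
    current, native = int(m.group(1)), int(m.group(2))
    return native - current


def sector_hashes(data: bytes, sector_size: int = SECTOR) -> list:
    """One SHA-256 digest per sector (a trailing partial sector is hashed as-is)."""
    return [hashlib.sha256(data[i:i + sector_size]).hexdigest()
            for i in range(0, len(data), sector_size)]


def zero_runs(image: bytes, mismatched: list, sector_size: int = SECTOR) -> list:
    """Group consecutive mismatched sectors that are all-zero in the image into (start, length) runs."""
    runs, start, prev = [], None, None
    for n in mismatched:
        chunk = image[n * sector_size:(n + 1) * sector_size]
        if chunk != b"\x00" * len(chunk):
            continue  # corrupted but not zero-filled: reported under 'mismatched' only
        if start is not None and n == prev + 1:
            prev = n  # extend the current run
        else:
            if start is not None:
                runs.append((start, prev - start + 1))
            start = prev = n
    if start is not None:
        runs.append((start, prev - start + 1))
    return runs


def compare_image(source: bytes, image: bytes, sector_size: int = SECTOR) -> dict:
    """Compare an image with its source; returns where, not just whether, they differ."""
    src, img = sector_hashes(source, sector_size), sector_hashes(image, sector_size)
    common = min(len(src), len(img))
    mismatched = [n for n in range(common) if src[n] != img[n]]
    return {
        "missing_tail": max(0, len(src) - len(img)),   # trailing sectors not acquired
        "mismatched": mismatched,                      # sector numbers whose content differs
        "zeroed_runs": zero_runs(image, mismatched, sector_size),  # zero-replaced runs
    }


def build_sample():
    """Constructed 100-sector source and an image showing three anomalies from the reports."""
    source = b"".join(bytes([n % 255 + 1]) * SECTOR for n in range(100))
    image = bytearray(source)
    image[10 * SECTOR:18 * SECTOR] = b"\x00" * (8 * SECTOR)  # 8 contiguous sectors zeroed
    image[40 * SECTOR:41 * SECTOR] = b"\xff" * SECTOR        # one sector corrupted
    del image[92 * SECTOR:]                                  # last 8 sectors not acquired
    return source, bytes(image)


if __name__ == "__main__":
    print("sectors hidden by HPA:", hpa_hidden_sectors(SAMPLE_HDPARM))
    src, img = build_sample()
    print(compare_image(src, img))
```

Note that `hdparm -N` only exposes the HPA; a DCO is a separate ATA feature and is not visible from that line, which is consistent with every tested tool failing to image it. Per-sector hashing of the full source is only possible when the source can be read again under write-blocking, so in practice the comparison is run between the image and a second, independently produced image of the same device.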


Paraben Device Seizure Summary: Full Device Seizure Report

All supported data objects were acquired completely and accurately from the Nokia 6101, T-Mobile SIM, Motorola RAZR V3, and AT&T SIM.

Neutrino Summary: Full Neutrino Report

  • EMS messages (text messages over 160 characters) were not acquired for the Motorola RAZR V3. (CFT–IM–08)
  • Maximum length ADNs and ADNs that contain special characters for the name (i.e., ‘@’) were not reported. (CFT–SIM–07)
  • Stand-alone internal memory acquisitions alter the status flags of ‘unread’ text messages present on the SIM to ‘read’. (CFT–IMO–10)

One Response to “Forensics: Imaging Tools”

  1. Forensics: What is imaging? « Data – Where is it? Says:

    […] Despite claims of perfect imaging etc, no image tool is really perfect and deals with errors in different ways, this article shows the effectiveness of different imaging tools […]

