Recover My Files v5.2.1. Test Results for Video File Carving Tool




Recover My Files v5.2.1 Test Results for Video File Carving Tool October 22, 2014

This report was prepared for the Department of Homeland Security Science and Technology Directorate Cyber Security Division by the Office of Law Enforcement Standards of the National Institute of Standards and Technology. For additional information about the Cyber Security Division and ongoing projects, please visit www.cyber.st.dhs.gov.

Test Results for Video File Carving Tool: Recover My Files v5.2.1 October 2014

Contents
Introduction ... 1
How to Read This Report ... 1
1 Results Summary ... 2
2 Test Case Selection ... 2
3 Testing Environment ... 3
3.1 Execution Environment ... 3
3.2 Support Software ... 3
3.3 Raw dd Image Creation ... 3
4 Test Results ... 3
4.1 No Padding ... 5
4.2 Cluster Padded ... 5
4.3 Fragmented In Order ... 6
4.4 Incomplete ... 6
4.5 Fragmented Out of Order ... 7
4.6 Braided Pair ... 9
4.7 Byte Shifted ... 9

Introduction
The Computer Forensics Tool Testing (CFTT) program is a joint project of the Department of Homeland Security (DHS), the National Institute of Justice (NIJ), and the National Institute of Standards and Technology Law Enforcement Standards Office (OLES) and Information Technology Laboratory (ITL). CFTT is supported by other organizations, including the Federal Bureau of Investigation, the U.S. Department of Defense Cyber Crime Center, the U.S. Internal Revenue Service Criminal Investigation Division Electronic Crimes Program, and the U.S. Department of Homeland Security's Bureau of Immigration and Customs Enforcement, U.S. Customs and Border Protection and U.S. Secret Service.

The objective of the CFTT program is to provide measurable assurance to practitioners, researchers, and other applicable users that the tools used in computer forensics investigations provide accurate results. Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications. Test results provide the information necessary for developers to improve tools, users to make informed choices, and the legal community and others to understand the tools' capabilities. The CFTT approach to testing computer forensics tools is based on well-recognized methodologies for conformance and quality testing. Interested parties in the computer forensics community can review and comment on the specifications and test methods posted on the CFTT Web site (http://www.cftt.nist.gov/).

This document reports the results from testing Recover My Files (RMF) v5.2.1 against raw disembodied dd images that contain various layouts of fragmentation and completeness. The dd images are available at the CFREDS Web site (http://www.cfreds.nist.gov). Test results from other tools can be found on the DHS S&T-sponsored digital forensics web page, http://www.cyberfetch.org/.
How to Read This Report
This report is divided into four sections. Section 1 identifies and provides a summary of any significant anomalies observed in the test runs. This section is sufficient for most readers to assess the suitability of the tool for the intended use. Section 2 identifies the test cases that were selected. The test cases are selected, in general, based on features offered by the tool. Section 3 lists the software used to run the test cases, with links to additional information about the items used. Section 4 presents, for each test case, the expected result data used to measure the success of the test and the actual data reported by the tool. To download a zip file containing the data returned for each test case in the RMF v5.2.1 runs, see http://www.cftt.nist.gov/cftt-test-run-raw-files.html.

Test Results for Digital Data File Carving Tool

Tool Tested: Recover My Files (RMF)
Software Version: v5.2.1
Supplier: GetData
Address: 588 West 400 South, Suite 350, Lindon, UT 84042
Tel: +61 (0)2 8208 6053 (Australian Business Hours)
USA callback service: (866) 723-7329
Fax: +61 (0)2 9588 1195
WWW: www.getdata.com

1 Results Summary
Below are summaries of how Recover My Files v5.2.1 performed when carving raw dd images containing various layouts of fragmentation and completeness. RMF was most successful at carving mp4, mov, avi, wmv, 3gp and ogv files from the no padding, braided pair and cluster padded dd images. Recovering video files from fragmented images (i.e., Simple, Partial, Disordered) returned an increase in Viewable Incomplete and Not Viewable rankings. From the Non-Sector boundary dd image, which contains a total of 36 files, only 6 files were recovered, all of which were classified as False Positive. For more test result details see section 4.

2 Test Case Selection
RMF's ability to carve mp4, mov, avi, wmv, 3gp and ogv video files was measured by analyzing carved video files from raw disembodied dd images (i.e., images without a filesystem) that contain various layouts of fragmentation and completeness. The dd image layouts are:

No Padding: contiguous files with no other content between files
Cluster Padded: contiguous files with assorted content between files ranging in size from 1, 2, 4, 8, 16 and 32 sectors
Fragmented In Order: contiguous and sequentially fragmented files with content separating the files
Incomplete: contiguous and partial (i.e., only a portion of the file is present) files
Fragmented Out of Order: contiguous and disordered fragmented files separated by other content
Braided Pair: contiguous and intertwined fragmented files
Byte Shifted: contiguous files that are not aligned to sector boundaries

3 Testing Environment
The tests were run in the NIST CFTT lab. This section describes the selected test execution environment, the support software used, and notes on other test hardware.

3.1 Execution Environment
RMF version 5.2.1 was installed on Windows XP v5.1.2600. The default configuration settings were used for RMF.

3.2 Support Software
A package of programs to support test analysis, rel-9, was used. The software can be obtained from: http://www.cftt.nist.gov/filecarving/rel-9.zip.

3.3 Raw dd Image Creation
The scripts used to create the dd images used for testing can be obtained from: http://www.cfreds.nist.gov/filecarvingtestreports.html.

4 Test Results
The results in sections 4.1 to 4.7 identify the test image that was carved and the data (i.e., carved files) that were returned. Each test has an associated table that identifies the test, the total number of files carved and whether the carved files were Viewable Complete/minor alteration; Viewable Incomplete/major alteration; Not Viewable; or a False Positive.

The Total Carved column reports the total number of files carved. This number is often higher than the number of files contained within the image. This is generally due to false positives. False positives often occur when a tool has carved a file based upon a known file signature (e.g., FF D8) that is not a file header but a string within another file.

The Viewable Complete/minor alteration column describes carved files in which the video appears to be unchanged from the original or the changes are so minor that the full content, color, and other attributes of the video are maintained.

The Viewable Incomplete/major alteration column includes partial recoveries (i.e., only parts of the video are viewable), scrambled videos in which the fragments are assembled incorrectly, color shifts and similar changes.

The Not Viewable column describes a file that is not viewable, could not be opened or had no content when opened. Samples of viewable/complete and viewable/incomplete files are available at http://www.cftt.nist.gov/filecarving.html. The False Positive column reports a count of files that were incorrectly identified.

The left-most column of the report tables provides a count for the individual file types that make up the test image. The first row in the tables reports the overall results for all files. Subsequent rows report results by file type (e.g., mp4, mov). The results are further divided based on the test case, e.g., by the amount of fragmentation or the presence of filler (i.e., other content). A bent arrow (shown here as an indented sub-row) is used to show the breakdown.

The VLC media player software was used to interpret the carved files and classify them into the different categories (i.e., Viewable Complete/minor, Viewable Incomplete/major). The media player was run at a faster playback speed to shorten the classification time for the carved files. Full data on the test results, including a complete analysis of sectors recovered, is available at http://www.cftt.nist.gov/cftt-test-run-raw-files.html.

4.1 No Padding
Video-nofill_1401090836.dd contains a total of 36 contiguous files with no filler between files. Out of the 36 video files a total of 34 files were carved: 33 of the carved files were Viewable Complete and 1 file was Not Viewable.

Summary: The tool was successful at recovering the majority of all file types.

Test: No Padding
Columns: Total Carved | Viewable Complete/minor alteration | Viewable Incomplete/major alteration | Not Viewable | False Positive (a dash marks an empty cell)
36 files | 34 | 33 | - | 1 | -
6 mp4    | 6  | 6  | - | - | -
6 mov    | 6  | 5  | - | 1 | -
6 avi    | 6  | 6  | - | - | -
6 wmv    | 4  | 4  | - | - | -
6 3gp    | 6  | 6  | - | - | -
6 ogv    | 6  | 6  | - | - | -
Full results are available at: http://www.cftt.nist.gov/CFTT-Test-Run-Raw-Files.html
Table 1: No Padding

4.2 Cluster Padded
Video-notshifted_1401090819.dd contains a total of 36 files, all of which are contiguous files separated by filler that ranges in size from 1, 2, 4, 8, 16 and 32 sectors, so that the files land on sector boundaries. Out of the 36 video files a total of 35 files were carved: 34 of the carved files were Viewable Complete and 1 was Not Viewable.

Summary: The tool was successful at recovering contiguous files separated by various lengths of filler.

Test: Cluster Padded
Columns: Total Carved | Viewable Complete/minor alteration | Viewable Incomplete/major alteration | Not Viewable | False Positive (a dash marks an empty cell)
36 files | 35 | 34 | - | 1 | -
6 mp4    | 6  | 6  | - | - | -
6 mov    | 6  | 5  | - | 1 | -
6 avi    | 6  | 6  | - | - | -
6 wmv    | 5  | 5  | - | - | -
6 3gp    | 6  | 6  | - | - | -
6 ogv    | 6  | 6  | - | - | -
Full results are available at: http://www.cftt.nist.gov/CFTT-Test-Run-Raw-Files.html
Table 2: Cluster Padded

4.3 Fragmented In Order
Video-simple-frag_1401090846.dd contains a total of 36 files, 12 of which are contiguous and 24 of which are sequentially fragmented with filler that ranges in size from 1, 2, 4, 8 and 16 sectors. Out of the 36 video files a total of 40 files were carved: 12 of the carved files were Viewable Complete, 14 of the files were Viewable Incomplete and 14 of the files were Not Viewable.

Summary: In the presence of sequentially fragmented files, the tool had a reduced ability to recover viewable complete mp4, mov, avi, wmv, 3gp and ogv files.

Test: Fragmented In Order
Columns: Total Carved | Viewable Complete/minor alteration | Viewable Incomplete/major alteration | Not Viewable | False Positive (counts listed in column order; empty cells omitted)
36 files: 40 12 14 14
6 mp4: 6 2 3 1
  4 Frag w/fill: 4 3 1
6 mov: 6 2 4
  4 Frag w/fill: 4 4
6 avi: 6 2 4
  4 Frag w/fill: 4 4
6 wmv: 5 2 3
  4 Frag w/fill: 3 3
6 3gp: 6 2 4
  4 Frag w/fill: 4 4
6 ogv: 11 2 4 5
  4 Frag w/fill: 9 4 5
Full results are available at: http://www.cftt.nist.gov/CFTT-Test-Run-Raw-Files.html
Table 3: Fragmented In Order

4.4 Incomplete
Video-partials_1401090843.dd contains a total of 36 files. 18 are complete files: 12 of which are contiguous and 6 of which have filler that ranges in size from 1, 2, 4, 8 and 16 sectors. The remaining 18 files are partial files (i.e., only a portion of the file is present).

Out of the 36 video files a total of 32 files were carved: 12 of the carved files were Viewable Complete, 10 of the files were Viewable Incomplete and 10 were Not Viewable.

Summary: In the presence of partial files, the tool had a reduced ability to recover viewable complete mp4, mov, avi, wmv, 3gp and ogv files.

Test: Incomplete
Columns: Total Carved | Viewable Recovery of all available/minor alteration | Viewable Incomplete/major alteration | Not Viewable | False Positive (counts listed in column order; empty cells omitted)
36 files: 32 12 10 10
6 mp4: 5 2 2 1
  3 Complete: 3 2 1
  3 Partial: 2 1 1
6 mov: 5 2 3
  3 Complete: 3 2 1
  3 Partial: 2 2
6 avi: 5 2 3
  3 Complete: 3 2 1
  3 Partial: 2 2
6 wmv: 4 2 2
  3 Complete: 3 2 1
  3 Partial: 1 1
6 3gp: 5 2 3
  3 Complete: 3 2 1
  3 Partial: 2 2
6 ogv: 8 2 3 3
  3 Complete: 4 2 1 1
  3 Partial: 4 2 2
Full results are available at: http://www.cftt.nist.gov/CFTT-Test-Run-Raw-Files.html
Table 4: Incomplete

4.5 Fragmented Out of Order
Video-disorder_1401090832.dd contains a total of 36 files, 6 of which are contiguous fragmented files that have filler that ranges in size from 1, 2, 4, 8 and 16 sectors, and the remaining 30 are fragmented files that are disordered. Out of the 36 video files a total of 36 files were carved: 16 of the carved files were Viewable Incomplete and 21 of the files were Not Viewable.

Summary: In the presence of disordered fragmented files, the tool had a reduced ability to recover viewable complete mp4, avi, wmv and ogv files. All mov and 3gp files were not viewable.

Test: Fragmented Out of Order
Columns: Total Carved | Viewable Complete/minor alteration | Viewable Incomplete/major alteration | Not Viewable | False Positive (counts listed in column order; empty cells omitted; sub-rows give the fragment ordering)
36 files: 37 16 21
6 mp4: 6 4 2 1 ABC 1 1 ACB 1 1 1 BAC 1 1 1 BCA 1 1 1 CAB 1 1 1 CBA 1
6 mov: 6 6 1 ABC 1 1 1 ACB 1 1 1 BAC 1 1 1 BCA 1 1 1 CAB 1 1 1 CBA 1 1
6 avi: 6 6 1 ABC 1 1 1 ACB 1 1 1 BAC 1 1 1 BCA 1 1 1 CAB 1 1 1 CBA 1 1
6 wmv: 1 1 1 ABC 1 ACB 1 BAC 1 BCA 1 1 1 CAB 1 CBA
6 3gp: 6 6 1 ABC 1 1 1 ACB 1 1 1 BAC 1 1 1 BCA 1 1 1 CAB 1 1 1 CBA 1 1
6 ogv: 12 5 7 1 ABC 2 1 1 1 ACB 2 2 1 BAC 2 1 1 1 BCA 2 1 1 1 CAB 2 1 1 1 CBA 2 1 1
Full results are available at: http://www.cftt.nist.gov/CFTT-Test-Run-Raw-Files.html
Table 5: Fragmented Out of Order

4.6 Braided Pair
Video-braid_1401090830.dd contains a total of 24 files, 12 of which are contiguous and 12 of which are fragmented. Out of the 24 video files a total of 24 files were carved: 13 of the carved files were Viewable Complete, 5 were Viewable Incomplete and 6 were Not Viewable.

Summary: The presence of braided files did not significantly impact the recovery of Viewable Complete files.

Test: Braided Pair
Columns: Total Carved | Viewable Complete/minor alteration | Viewable Incomplete/major alteration | Not Viewable | False Positive (counts listed in column order; empty cells omitted)
24 files: 24 13 5 6
4 mp4: 4 2 2
  2 Braided: 2 2
4 mov: 4 2 2
  2 Braided: 2 2
4 avi: 4 2 2
  2 Braided: 2 2
4 wmv: 3 2 1
  2 Braided: 1 1
4 3gp: 4 2 2
  2 Braided: 2 2
4 ogv: 5 3 2
  2 Braided: 3 1 2
Full results are available at: http://www.cftt.nist.gov/CFTT-Test-Run-Raw-Files.html
Table 6: Braided Pair

4.7 Byte Shifted
Video-shifted_1401090819.dd contains a total of 36 files, all of which are contiguous files separated by filler that ranges in size from 1, 2, 4, 8, 16 and 32 sectors, so that the files land on non-sector boundaries. Out of the 36 video files, only 6 ogv video files were carved. All 6 files were False Positives.

Summary: The tool was unsuccessful at carving files not aligned to sector boundaries.

Test: Byte Shifted
Columns: Total Carved | Viewable Complete/minor alteration | Viewable Incomplete/major alteration | Not Viewable | False Positive (a dash marks an empty cell)
36 files | 6 | - | - | - | 6
6 mp4    | - | - | - | - | -
6 mov    | - | - | - | - | -
6 avi    | - | - | - | - | -
6 wmv    | - | - | - | - | -
6 3gp    | - | - | - | - | -
6 ogv    | 6 | - | - | - | 6
Full results are available at: http://www.cftt.nist.gov/CFTT-Test-Run-Raw-Files.html
Table 7: Byte Shifted
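The following is an added illustration, not part of this report and not RMF's or the CFTT harness's code, of the two behaviours measured above: the dependence on sector alignment seen in the Byte Shifted test (section 4.7) and the false positives that section 4 attributes to a signature string inside another file. It builds a constructed image in two layouts and runs a minimal signature carver over it at sector granularity and at byte granularity; the signatures, file bodies, layouts and function names are constructed assumptions.

```python
import struct

SECTOR = 512
# Header signatures assumed for this illustration: ISO base media files
# (mp4/mov/3gp) carry 'ftyp' at byte offset 4; Ogg pages begin with 'OggS'.
SIGNATURES = {"mp4": (4, b"ftyp"), "ogv": (0, b"OggS")}

def make_mp4(size, embed_oggs_at=None):
    """Constructed mp4-like body: a 16-byte 'ftyp' box followed by filler.
    Optionally plant an 'OggS' string inside the body, as embedded media or
    metadata might, to show a signature that is not a file header."""
    body = bytearray(struct.pack(">I", 16) + b"ftypisom" + b"\x00\x00\x02\x00")
    body += b"\xab" * (size - len(body))
    if embed_oggs_at is not None:
        body[embed_oggs_at:embed_oggs_at + 4] = b"OggS"
    return bytes(body)

def make_ogv(size):
    """Constructed ogv-like body: an 'OggS' page header followed by filler."""
    return b"OggS" + b"\x00" * 22 + b"\xcd" * (size - 26)

def build_image(layout):
    """layout: list of (kind, size, gap_before, embed_offset). Each file is
    preceded by gap_before bytes of filler. Returns (image, true starts)."""
    img, truth = bytearray(), []
    for kind, size, gap, embed in layout:
        img += b"\xff" * gap
        truth.append((kind, len(img)))
        img += make_mp4(size, embed) if kind == "mp4" else make_ogv(size)
    return bytes(img), truth

def carve(image, step):
    """(kind, offset) for every signature hit, testing only offsets that are
    multiples of step: SECTOR mimics a sector-aligned carver, 1 a byte-granular one."""
    hits = []
    for off in range(0, len(image), step):
        for kind, (rel, magic) in SIGNATURES.items():
            if image[off + rel:off + rel + len(magic)] == magic:
                hits.append((kind, off))
    return hits

def score(hits, truth):
    """Split hits into true file starts and false positives."""
    starts = set(truth)
    return (sorted(h for h in hits if h in starts),
            sorted(h for h in hits if h not in starts))

# Cluster-padded layout: 2 sectors of filler, both files on sector boundaries;
# the mp4 carries a planted 'OggS' exactly 2 sectors into its body.
ALIGNED = [("mp4", 4 * SECTOR, 0, 2 * SECTOR), ("ogv", 3 * SECTOR, 2 * SECTOR, None)]
# Byte-shifted layout: same files, but gaps of 100 and 1061 bytes push every
# file start (and the planted string) off the sector grid.
SHIFTED = [("mp4", 4 * SECTOR, 100, 2 * SECTOR), ("ogv", 3 * SECTOR, 2 * SECTOR + 37, None)]

def run(layout, step):
    """Carve a layout at the given step; returns (true starts, false positives)."""
    image, truth = build_image(layout)
    return score(carve(image, step), truth)

if __name__ == "__main__":
    for name, layout in (("aligned", ALIGNED), ("shifted", SHIFTED)):
        for step in (SECTOR, 1):
            tp, fp = run(layout, step)
            print(f"{name} step={step}: true starts={tp} false positives={fp}")
```

Running the block prints the true starts and false positives for each layout: the planted 'OggS' is reported as a false positive in both modes, while the byte-shifted files are found only when every byte offset is tested.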