US
Department of JusticeOffice of justice P810 Seventh Street NwEric H Holder, JMary Lou LearyActing Assistant Attorney GeneraGreg RidgewayActing Director, National Institute of Justiceother publications and products oOffice of Justice ProgramsSafer Neighborhoods
Only the first 268, 435, 456 sectors(12&GB)of a drive larger than 128GB arele tool is executed in the windows 2000 environment(DA-08-DCOs is because of the limitations of windows 2000 to handle drives requiring8bit addressing This is not an issue with the tool; this result is noted to make thereader aware of the conseqences2 Test Case SelectionTest cases used to test disk imaging tools are defined in Digital data Aeassertions and test plan version 10 To test a tool test cases are selected from the testPlan document based on the features offered by the tool Not all test cases or testssertions are appropriate for all tools
There is a core set of base cases(DA-06, DA-0d DA-08)thatcuted for every tool tested Tool features guide the selectiadditional test cases If a given tool implements a given feature, then the test cases linkedto that feature are run Table 1 lists the features selected for testing and the linked testases selected for execution Table 2 lists the features not selected for testing and the test/Baso supported Optional FeatureCases selected for execution06,07&08Read error during acquisition09Create a clone from an image file14&17Destination Device Switching13Create an unaligned clone from a digital source 02Create a truncated clone from a physical device04able 2 omitted test casesUnsupported Optional FeatureCases Omitted( Not Executed)Create cylinder aligned clones21&23Insufficient space for image fileDevice vo error generator available05,11&18Fill excess sectors on a clone device&23Create a clone from a subset of an image file16Fill excess sectors on a clone acquisitionDetect a corrupted (or changed)imagSome test cases have variant forms to accommodate parameters within test assertionThese variant forms are designed to cover parameters that can vary within the tesassertthe acquterface to the source drive(Src-AIMarch 2013X-Ways Forensics 148
the type of digital source(DS)object acquired, thenment(XE)and theray that sectors are hidden on a drive Additional parameters that were varied betweentest cases and test case variations were types of hash algorithm calculated, image fileegment size, the use of a hardware write blocker and the type of hardware write blockerusedThe following source access interfaces were tested ata28 atA48 SAtA28 SATA4SCSI FW and usB These are noted as variations on test cases dA-O1 DA-06 DA-08and dA-14The following digital sources were tested: partitions(FAT12, FAT16, FAT32, FAT32X,NTFS), compact flash(CF) and thumb drive(Thumb) There are two FAT 32 variationof both FAT 32 partition codes OXOB(FAT32)and OXOC(FAT32Xe noted as variations on test cases da-02 and DA-07Hardware write blockers were used in certain variations of the da-o1 DA-02 DA-07DA-08 and dA-09 test case3 Results by Test assertionA test assertion is a verifiable statement about a single condition after an actioperformed by theder test, a test case usually checkof assertions after thexecution of the tool under test test assertions are defined and linkedto test cases in Digital Data Acquisition Tool Assertions and Test Plan Version 10 tablesummarizes the test results for all the test cases by assertion The column labeledAssertions Tested gives the text of each assertion
The column labeled Tests gives thenumber of test cases that use the given assertion The column labeled Anomaly gives thesection number in this report where any observed anomalies are discussedSee section 2 for a discussion of source access interface execution environment anddigital sourceTable 3 assertions testedAssertions TestedTests AnomalAM-01 The tool uses access interface SRc-ai to access the digitaSourceAM-02 Theacquires digital source DSAM-03 The tool executes in execution environment XEAM-04 If clone creation is specified, the tool creates a clone of the13digitalAM-05 If image file creation is specified, the tool creates an image 25file on file system type FSAM-06 All visible sectors are acquired from the digital source35LAM-07 All hidden sectors are acquired from the digital sourceMarch 2013X-Ways Forensics 148
AM-0S All sectors acquired from the digital source are acquired/-sts AnomalyAssertions testedAM-09 If unresolved errors occur while reading from the selecteddigital source, the tool notifies the user of the error type and locationwithin the digital sourceAM-10 If unresolved errors occur while reading from the selectedthe tool uses a benign fill in the destination objectce of the inaccessible dataAO-01 If the tool creates an image file, the data represented by the 2AO-04 If the tool is creating an image file and there is insufficientpace on the image destination device to contain the image file, theshall notify the userAO-05 If the tool creates a multi-fileof a requested size, then 2the individual files shall be no larger than the requested sizeAO-10 If there is insufficient space to contain all files of a multi-fileimage, and if destination device switching is supported, the image isontinued on another deviceequested, a clone is created during an acquisition of adigital sourceAO-12 If requested, a clone is created from an image fileAo-13 A clone is created using access interface DSt-Al to writethe clone device
AO-14 If an unaligned clone is created each sector written to thelone is accurately written to the same disk address on the clone thatthe sector occupied on the digital sourceAO-17 If requested, any excess sectors on a clone destination device 12are not modifiedAO-19 If there is insufficient space to create a complete clone, atruncated clone is created using all available sectors of the clorAO-20 If a truncated clone is created, the tool notifies the userAO-23information is accurately recorded in the log fileAO-24 If the tool executes in a forensically safe executionenvironment, the digital sourcehanged by the acquisitionTable 4 Assertions not testedAssertions Not TestedAO-02 If an image file format is specified, the tool creates an image file in the specifiedAo-03 If thean error while writing the image file, the tool notifies the userMarch 2013X-Ways Forensics 148
Assertions Not TestedAO-06 If the tool performs an image file integrity check on an image file that has notbeen changed since the file was created, the tool shall notify the user that the image fileAo-07 If the tool performs an image file integrity check on an image file that has beenhanged since the file was created, the tool shall notify the user that the image file hasAo-08 If the tool performs an image file integrity check on an image file that has beenchanged since the file was created the tool shall notify the user of the affected locationsAo-09 If the tool converts a source image file from one format to a target image file inanother format, the acquired data represented in the target image file is the same as theuired dataaligned clone is created, each sector within a contiguous span of sectorsom the source is accurately written to the same disk address on the clone device relativethe start of the span as the sector occupied on the original digital source A span ofdefined to be either a mountabof sectorsnot part of a mountable partition Extended partitions, which may contain both mountableL partitions and unallocated sectors, are not mountable partitionsAO-16 If a subset of an image or acquisition is specified, all the subset is clonedAO-18 If requested, a benign fill is written to excess sectors of a cloneAo-21 If thea write error during clone creation the tool notifies the userA0-22sted the tool calculates block hashes fod block size duringlock acquired from the digital source3
1 Metadata Changes During Restore or Clonele systemmay occur whenimage of a FAT32 or NTFS logical drive For FAT32 file systems, there are usually nore than three sectors with changes the more intricate ntfs may have more than 200sectors of metadatat least one bvte changed (DA-02-CF DA-02-F32 DA-02nade by the operating system Sometimes the changes can be prevented by removing thedevice without following the normal shutdown procedure3 2 Acquisition of HPa and dcoThe tool does not remove an HPA or a DCO The tool did not acquire sectors hidden byHPA or a dco in test case dariations DA-08-DCO, DA-08-AtA28 and da08-ATA48 A separate tool, X-ways Replica, can be used to remove an HPA The tooldisplays the following pop-up windan hpa or a dco is detectedMarch 2013X-Ways Forensics 148
X-Ways ForensicsAconfguration overlay [DOK3 3 Logical Acquisition of NTFS PartitionEight unused sectors at the end of a partition containing an NTFS file system are notcquired(DA-07-NTFS) The partition has 27, 744, 192 sectors but the tool acquires only27744 184 sectors skthe last eight sectors However, the last eight sectoNT file system are not used to contain any user data The eight sectors are omittedbecause the tool user selected acquiring the logical drive rather than the physical drive Ifthe physical drive is selected, all sectors of the partition should be acquired This is not ansue with theI this resultted to make the reader aware of the diffebetween choosing a logical vS, a physical acquisition3
4 Acquisition of 48bit Address Drive From windows 2000Only the first 268, 435, 456 sectors of a drive that requires 48bit addressing (ie larg08-DCO) Windows 2000 should not be used to acquire drives larger nan 12G8(DAthan 128GB)are acquired if the tool is executed in the windows 2000 environment35 Acquisition of Faulty SectorsThe tool allows the specification of a number of sectors to skip when a faulty sectorperformance, but some readable sectors areacquired when the skip feature is used(DA-09-FW, DA-09-FW-XP and DA-09-USBng EnvironmeThe tests were run in the nist cftt lab This section describes the test computersavailable for testing, using the support software, and notes on other test hardware41 Test ComputersThree test computers were usedFreddy, frank and Joe have the following configurationIntel Desktop motherboard D865GB/D865PERC(with ATA-6 IDE on board controller)BIOS VOBF86510A86A0053P13Adaptec SCSI BIOS V3100Intel@B Pentium M 4 cpu 3 4Ghz2577972KB RAMMarch 2013X-Ways Forensics 148
SONY DVD RW DRU-530A, ATAPI CD/DVD-ROM drive44 MB flots for removable ide hard disk driTwo slots for removable sata hard disk drivesTwo sl
ots for removable scsi hard disk drive42 Support SoftwareA package of programs to support test analysis, FS-TST Release 20, was used Thesoftwarecanbeobtainedfromhttp://wwwcfttnistgov/diskimaging/fs-tst20zip4 3 Test Drive CreationThere are three ways that a hard drive may be used in a tool test case: as a source drivelaged by the toolmedia drive thafiles created by theunder test or as a destination drive on which the tool under test creates a clone of theource drive In addto the operating system drive formatting tools, some tools(diskwipe and diskhash) from the FS-TST package are used to set up test driveTo set up a media drive, the drive is formatted with one of the supported file systedia drive may be used in several test casesThe setup of most source drives follows the same general procedure, but there are sevesteps that may be varied depending on the needs of the test casehe drive is filled with known data by the diskwipe program from FS-TST Thediskwipe program writes the sector address to each sector in both C/H/S and lBaormat The remainder of the sector bytes is set to a constant fill value unique forach driveThe fill value is noted in the diskwipe tool log fileThe drive may be formatted with partit3 An operating system may optionally be installed4 A set of reference hashes is created by the FS-tST diskhash tool These includeboth shal and mds hashes In addition to full drive hashes hashes of eachartition maybe5 If the drive is intended for hidden area tests (Da-08), an HPa, a dco or bothay be created The diskhash tool is then used to calculate reference hashes ojust the visible sectors of the driveThe source drives for DA-09 are created such that there is a consistent set of faultyctors on the drive Each of these source drives is initialized with disk wipe and theneir faulty sectors are activated For each of these source drives, a second drive of thentent as the faulty sector drive but with no faulty sectorsserves as a reference drive for images made from the faulty driveTo set up a destination drive, the drive is filled with known data by the diskwipe programom FS-TST Partitions may be created if the test cfrom the imasogical acquireMarch 2013X-Ways Forensics 148
4 4 Test Drive AnalysisFor test cases that create a clone of a physical device(eg, DA-Ol and DA-04), thedestination drive is compared to the source drive with the diskemp program from theTST package For test cases that create a clone of a logical device (ie a partition, egDA-02 and DA-20), the destination partition is compared to the source partition with thepartcmp program For a destination created from anfile(e g DA-14), thedestination is compared, using either diskcmp(for physical device clones )or partcmpor partilones), to the source that was acquired to create the image file Bothdiskemp and partemp note differences between the source and destinationIf the destination is larger than the source then the excess destination sectors arecategorized as either, undisturbed (still containing the fill pattern written by diskwipeero filled or changed to something else
a tool may provide a feature to wipe the excessat partitdiskemp and partemp programs report the final statethe excess sectors For an NTFS partition, metadata may be written to the excessectors, overwriting the fill values placed by diskwipe A special procedure is used todetermine the state of excess sectors after restoring an NTfs partition, such as test caseDA-14-NTFS a destination drive is first pattern-filled with diskwipe, then, beforeg the partition, a hash is computedthehe destinatAfter the tool is used to restore the partition, another hash is computed over the excesssectors of the destination if the two hashes match then none of the excess sectors haveanged by the toFor test case DA-09, imaging a drive with known faulty sectors, the program anabadused to compare the faulty sector reference drive to a cloned version of the faulty sectores such as dA-06 and DA-0cquisition hash computed by theunder test is compared to the reference hash of the source to check that the sourcecompletely and accurately acquired45 Comments on Test Drivesan external label that consists of a 2-digit hera ety of vendors The drives are identified bySATA) The combination of hex value and tag serves as a unique identifier for each driveThe two digit hex value is used by the Fs-tSt diskwipe program as a sector fill valueThe fs-tsdiskcmp and partcmp count sectors that are filled with thesource and destination fill values on a destination that is larger than the original sourceTable 5 lists the source test drives used The models and serial numbers are listed asturned by the ata IdEntify device commanTable 5 test drivesDriveSerial#Size (sectorsO1-IDEI WDC WD400BB-0OJHCO WD-WMAMC7417100 78165360March 201310 of 109X-Ways Forensics 148
MARCH 2013est Results for Digital Data Acquisition ToolX-Ways Forensics 14
8NcJ236224
N丿Greg RidgewayActing Director, National Institute of JustiStandards of the nattute of standards and teagency Agreethe offPrograms, whiclJuvenile Justice and Delinquency Prevention, the office for Victims of Crime, and the office o
March 2013Results for digital data Acquisition Toolays Forensics 14
8andards and Tech
IntroductionHow to Read This ReportResults2 Test case selection3 Results by Test Assertion3 1 Metadata Changes during restore or Clone3,2AHPA and dco33 Logical Acquisition of NTFS Partitionf 48bit Address drive from windows 20004 Testing er41 Test Col42 Support Software88888990045C51 Test Results Report Key52 Test Details521DA-01-ATA28ATA28524DA-01-SATA48525DA-01-SCSI526DA-01-USB27DA-02CF529DA-02-F165210DA-02-F32211DA-02-F32X212 DA-02-THUM8024652
13DA-045214DA-06-Fw5215DA-06-ATA285217DA-06CF5218 DA-06-FLOPPY5219DA-06PART5220DA-06-SATA285221DA-06-SATA485222DA-06-SCSI5223DA-06-USB5224DA-07F125225DA-07F16X-Ways Forensics 148
5226DA-07-F325227DA-07-F32X5228DA-07NTFS5229 DA-O7-THUMB5230DA-08-ATA285231DA-08-ATA485233DA09-ATA5234DA-09FW5235DA-09FWXP58135237DA-09-USB52
38DA-13239DA-14-ATA25240DA-14-ATA485241DA-14CF5242DA-14-F12243DA-14-F165245DA-14F32X5246 DA-14-FLOPPY5247DA-14NTFS5249DA14-SATA285250DA-14-SATA485251 DA-14-THUMB5252DA-14-USB5253DA-1X-Ways Forensics 148
troductionThe Computer Forensics Tool Testing(CFTT) program is a joint project of the NationaInstitute of Justice (ND), the research and develthe usDepartment of Justice, and the National Institute of Standards and Technology's layEnforcement Standards Office and Information Technology laboratory CFTTsupported by other organizations, including the Federal Bureau of Investigation, the UsDepartment of Defense Cyber Crime Center, the US Internal Revenue Service CriminalProgram, and the US Departmelomeland Securitys Bureau of Immigration and Customs Enforcement, US Customsand Border Protection and US Secret Service (USSS) The objective of the CFTTs requires the development of specifications and test methodsfor computer forensics tools and subsequent testing of specific tools against thoseTest results provide the information necessary for developers to improve tools, users tomake informed choices, and the legal community and others to understand the toolcapabilities The CFTT approach to testing computer forensic tools is based on weld quality testing The specifications andstmethodsarepostedonthecFttWebsite(http://wwwcfttnist
govd)forreviewandcomment by the computer forensics communityThis document ree results from testing X-Ways Forensics, Version 148, againstthe digital Data ATool assertions and Test plan veLO available at theCfttWebsite(http://wwwcfttnistgov/da-atp-pc-01pdiTest results from other tools and the cftt tool methodology can be found on nijsCFTT Web pagehttp://wwwniigov/nii/topics/forensics/evidence/digital/standards/cftthtmow to Read This ReportThis report is divided into five sections The first section is a summary of the results frthe test runs and is sufficient for most readers to assess the suitability of the tool for thentended use The remaining sections of the report describe how the tests were conducteddiscuss any anomalies that were encountered and provide documentation of test case rundetails that support the report summary Section 2 gives justification for the selection oftest cases from the set of possible cases defined in the test plan for Digital DatAcquisition tools The test cases are selected, in general, based on features offered by thetool Section 3 describes in more depth any anomalies summarized in the first sectioSection 4 lists hardware and software used to run the test cases with links to additicase runThe description of each test run lists all test assertions used in the test case, the expected
result and the actual result For more information pertaining to the features and uX-waysForensicsseethevendorWebsite(http://wwwx-ways
comMarch 2013X-Ways Forensics 148
est Results for Digital Data Acquisition ToolTool TestedforensicsRun environments: windows: 2000 XPX-Ways Software Technology AGAddress:ⅹ- Ways AG50676 Cologne+49221-4204865mail@x-wayscomWWWhttp:/wwwx-wayscomResults stcept for the cases whereaged, a logical NTFS partitimaged, or a source drive containing hidden sectors, a Host Protected Area(HPa)ofDevice Configuration Overlay (dco), was imaged The tool restoredcreated clones accurately except for clone or restore operations on cermovable media where small changes to file system metadata wereSome readable sectors may be intentionally skipped, controlled by a parametersetting, to improve performance during acquisition of a drive with faulty sectorsDA-09-FW, DA-09-FW-XP and DA-09-USB)Eight unused sectors at the end of a partition containing an NT file system are notquired (DA-07-NTFS) This is because the tool user selected acquiring thelogical drive rather than the physical drive
If the physical drive is selected, alsectors of the partition should be acquired This is note with the toolresult is noted to make the reader aware of the differences between choosing alogical vS a physical acquisitionThe tool does not acquire any sectors hidden by an HPA or a DCO However, ahidden sectors visible and then acquire the formerly hidden sectors(DA- f takeXWays recan be usedmove an hpaDCOATA28, DA-08-ATA48 and DA-08-DCO)mall changes may be made by the operating system to file system metadataFAT32 or NTFSe(DA-02CF DA-02-F32 DA-02-F32X DA-14-CF DA-14-F32 DA-14-F32X and DA14-NTFS) The tool has no control over these changeMarch 20133 of 109X-Ways Forensics 148