Abstract
Commercially-available digital forensic tools are often large, expensive, complex software products, offering a range of functions to assist in the investigation of digital artifacts. Several authors have raised concerns about the reliability of evidence derived from these tools. This is of particular importance because many forensic tools are closed source and, therefore, are only subject to black box evaluation. In addition, many of the individual functions integrated into forensic tools are available as standalone products, typically at a much lower cost or even free. This paper compares – rather than individually evaluates – the data recovery function of two forensic suites and three standalone non-forensic commercial applications. Experimental results demonstrate that all the tools have comparable performance with respect to the data recovery function. However, some variation exists in the data recovered by the tools.
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Buchanan-Wollaston, J., Storer, T., Glisson, W. (2013). Comparison of the Data Recovery Function of Forensic Tools. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics IX. DigitalForensics 2013. IFIP Advances in Information and Communication Technology, vol 410. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41148-9_22
DOI: https://doi.org/10.1007/978-3-642-41148-9_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41147-2
Online ISBN: 978-3-642-41148-9
eBook Packages: Computer Science, Computer Science (R0)