30.06.2013 Views

Evaluating A Selection of Tools for Extraction of Forensic Data: Disk ...


FTK Imager 2.9.0.1385 (Release Date: 8th Apr 2010)

Analysis: Test FAILED to achieve the expected result. FTK Imager is not able to recognise the partition table that exists on the device. The entire device is recognised as unallocated space.

1.31 TC-16-01 Acquire a Single GUID Partition

Test Case TC-16-01 Acquire a Single GUID Partition (FTK Imager 2.9.0.1385)

Test & Case Summary: Acquire a Single GUID Partition

Notes: Hard drive partitioned as GPT disk. 6 partitions are created.

Assertions:

AFR-01   The tool accesses the digital source with a supported access interface.
AFR-02   The tool acquires a digital source.
AFR-03   The tool operates in an execution environment.
AFR-04   The tool creates an image file of the digital source.
AFR-05   The tool acquires all the visible data sectors from the digital source.
AFR-07   All data sectors acquired from the digital source are acquired accurately.
AIC-01   The data represented by an image file is the same as the data acquired by the tool.
AIC-02   The tool creates an image file according to the file format the user specified.
AIC-05   If multi-file image creation and the image file size is selected, the tool creates a multi-file image except that one file may be smaller.
AIC-06   If the image file integrity check is selected, the tool shall report to the user that the image file has not been changed if the image file has not been changed.
AIC-07   If the image file integrity check is selected, the tool shall report to the user that the image file has been changed if the image file has been changed.
AIC-08   If the image file integrity check is selected, the tool shall report to the user that the image file has been changed, and the involved location, if the image file has been changed.
ALOG-01  If the tool logs any information regarding the acquisition, the information is accurately logged in the log file.
ALOG-02  The tool displays correct information about the acquisition to the user. The information about the acquisition includes at least the following: device, start sector, end sector, type and number of errors encountered, and start time and end time of acquisition.
ALOG-03  The tool displays correct information regarding the acquisition to the user, and the information displayed is consistent with the log file if the log file function is supported.

Source Device:

Drive Model: ST380817AS (80GB)
Serial Number: 5MR18V18
Sector count: 156,301,488
Write blocker: Tableau Forensic SATA/IDE Bridge IEEE 1394 SBP2 Device

Drive Setup:

/dev/sdb: current max LBA: 156,301,488
/dev/sdb: native max LBA: 156,301,488
/dev/sdb: physical max LBA: 156,301,488
/dev/sdb: HPA and DCO are not set

Partition Table (GPT disk):

Device      Start       End         #sectors    File System
/dev/sdb1   34          262110      262144      Microsoft Reserved
/dev/sdb2   264192      8652799     8388608     NTFS
/dev/sdb3   8652800     12847103    4194304     NTFS
/dev/sdb4   12847104    14944255    2097152     NTFS
/dev/sdb5   14944256    25380863    10436608    NTFS
/dev/sdb6   25380864    156299264   130918400   NTFS
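
The partition table above can be checked against what an acquired raw image actually contains. The following is an added example, not part of the original report or of any tool it tests: it parses the primary GPT header and entry array and verifies both CRC32 values. The function names, the 512-byte sector size, the placeholder GUIDs and partition names, and the constructed sample image are assumptions.

```python
import struct
import zlib

SECTOR = 512  # assumed logical sector size

def parse_gpt(img: bytes):
    """Return [(first_lba, last_lba, sectors, name)] from the primary GPT."""
    hdr = img[SECTOR:2 * SECTOR]                     # primary header is LBA 1
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    # The header CRC32 is computed with its own field zeroed.
    if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    ent_lba, n_ent, ent_size, ent_crc = struct.unpack_from("<QIII", hdr, 72)
    table = img[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(table) != ent_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for off in range(0, len(table), ent_size):
        entry = table[off:off + ent_size]
        if entry[:16] == bytes(16):                  # zero type GUID = unused
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").split("\0")[0]
        parts.append((first, last, last - first + 1, name))
    return parts

def build_sample(parts, total_sectors=156301488):
    """Constructed image head (LBA 0-33 only) carrying a valid primary GPT."""
    table = bytearray(128 * 128)
    for i, (first, last, name) in enumerate(parts):
        table[i * 128:(i + 1) * 128] = (
            b"\x11" * 16 + bytes([i + 1]) * 16       # placeholder type/unique GUIDs
            + struct.pack("<QQQ", first, last, 0)
            + name.encode("utf-16-le").ljust(72, b"\0"))
    hdr = struct.pack("<8sIIIIQQQQ16sQIII", b"EFI PART", 0x10000, 92, 0, 0,
                      1, total_sectors - 1, 34, total_sectors - 34,
                      b"\x22" * 16, 2, 128, 128, zlib.crc32(bytes(table)))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    return bytes(SECTOR) + hdr.ljust(SECTOR, b"\0") + bytes(table)

if __name__ == "__main__":
    # Constructed sample using two start/end pairs from the table above.
    img = build_sample([(264192, 8652799, "part2"), (8652800, 12847103, "part3")])
    for first, last, count, name in parse_gpt(img):
        print(f"{name}: start={first} end={last} sectors={count}")
```

An image in which `parse_gpt` raises "no GPT signature" while the source drive is known to be GPT-partitioned points at the acquisition or at the sector size assumption, not at the disk layout.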
