Evaluating A Selection of Tools for Extraction of Forensic Data: Disk ...
Results by assertion:
AIR 2.0.0 (Release Date: 17th, Feb 2010)
VERIFY SUCCESSFUL: Hashes match
Orig = md5 TOTAL: 554357b44e0334f254e80ab537a299c7
sha1 TOTAL: aa314705b7addb0bf230974b30967fa74082f490
Copy = md5 TOTAL: 554357b44e0334f254e80ab537a299c7
sha1 TOTAL: aa314705b7addb0bf230974b30967fa74082f490
Command completed: Wed Sep 1 00:27:06 NZST 2010
AFR-01 PASSED    AIC-01 PASSED    AHS-02 FAILED
AFR-02 PASSED    AIC-02 PASSED    AHS-03 FAILED
AFR-03 PASSED    AIC-05 PASSED    ALOG-01 PASSED
AFR-04 PASSED    AIC-06 PASSED    ALOG-02 PASSED
AFR-05 PASSED    AIC-07 PASSED    ALOG-03 PASSED
AFR-06 FAILED    AIC-08 PASSED
AFR-07 PASSED    AHS-01 FAILED
Analysis: Test FAILED to achieve the expected result. AIR failed to detect and acquire the hidden areas in the hard drive. The dc3dd command line option has the ability to detect hidden areas.
3.16. TC-12-02 Completely Hidden by HPA
Test Case TC-12-02 Completely Hidden by HPA (AIR 2.0.0)
Test & Case Summary: Acquire a partition that is partially or completely hidden by HPA or DCO
Notes: FAT32 partition has been completely hidden by HPA from 149565150 to 156301487.
Assertion:
AFR-01 The tool accesses the digital source with a supported access interface
AFR-02 The tool acquires a digital source
AFR-03 The tool operates in an execution environment
AFR-04 The tool creates an image file of the digital source
AFR-05 The tool acquires all the visible data sectors from the digital source
AFR-06 The tool acquires all the hidden data sectors from the digital source
AFR-07 All data sectors acquired from the digital source are acquired accurately.
AIC-01 The data represented by an image file is the same as the data acquired by the tool
AIC-02 The tool creates an image file according to the file format the user specified.
AIC-05 If multi-file image creation and the image file size is selected, the tool creates a multi-file image except that one file may be smaller
AIC-06 If the image file integrity check is selected, the tool shall report to the user the image file has not been changed if the image file has not been changed.
AIC-07 If the image file integrity check is selected, the tool shall report to the user the image file has been changed if the image file has been changed.
AIC-08 If the image file integrity check is selected, the tool shall report to the user the image file has been changed and the involved location if the image file has been changed.
ALOG-01 If the tool logs any information regarding the acquisition, the information is accurately logged in the log file.
ALOG-02 The tool displays correct information about the acquisition to the user. The information about the acquisition includes at least the following: device, start sector, end sector, type and number of errors encountered, and start time and end time of acquisition.
ALOG-03 The tool displays correct information regarding the acquisition to the user, and the information displayed is consistent with the log file if the log file function is supported
AHS-01 The tool reports to the user if any hidden sectors are found