30.06.2013 Views

Evaluating A Selection of Tools for Extraction of Forensic Data: Disk ...


AIR 2.0.0 (Release Date: 17th, Feb 2010)

error occurred during the reading from a digital source.

AFR-09: If there are unresolved errors reading from a digital source, then the tool uses a benign fill in the destination object in place of the inaccessible data.

AIC-01: The data represented by an image file is the same as the data acquired by the tool.

AIC-02: The tool creates an image file according to the file format the user specified.

AIC-03: The tool reports to the user if an error occurs during the image creation process.

AIC-05: If multi-file image creation and the image file size is selected, the tool creates a multi-file image except that one file may be smaller.

AIC-06: If the image file integrity check is selected, the tool shall report to the user that the image file has not been changed if the image file has not been changed.

AIC-07: If the image file integrity check is selected, the tool shall report to the user that the image file has been changed if the image file has been changed.

AIC-08: If the image file integrity check is selected, the tool shall report to the user that the image file has been changed and the involved location if the image file has been changed.

AIC-11: The tool reports to the user if any irregularities are found in the digital source.

ALOG-01: If the tool logs any information regarding the acquisition, the information is accurately logged in the log file.

ALOG-02: The tool displays correct information about the acquisition to the user. The information about the acquisition includes at least the following: device, start sector, end sector, type and number of errors encountered, and start time and end time of acquisition.

ALOG-03: The tool displays correct information regarding the acquisition to the user, and the information displayed is consistent with the log file if the log file function is supported.

Source Device:

Drive Model: ST380817AS (80GB)
Serial Number: 5MR18V18
Sector count: 156,301,488
Write blocker: Tableau Forensic SATA/IDE Bridge IEEE 1394 SBP2 Device

Drive Setup:

/dev/sdb: current max LBA: 156,301,488
/dev/sdb: native max LBA: 156,301,488
/dev/sdb: physical max LBA: 156,301,488
/dev/sdb: HPA and DCO are not set

Partition Table:

Device      Start      End         #sectors   File System
/dev/sdb1   2048       40962047    40960000   NTFS
/dev/sdb2   40962048   83970047    43008000   Ext4
/dev/sdb3   83972096   156301311   72329125   Extended

Log highlights:

Start DC3DD (md5 sha1): Mon Sep 13 18:34:06 NZST 2010
command line: dc3dd hash=md5,sha1 hashlog=/tmp/hash.log status=noxfer if=/dev/sdc skip=0 conv=noerror,sync iflag=direct ibs=32768
compiled options: DEFAULT_BLOCKSIZE=32768
sector size: 512 (assumed)
md5 TOTAL: 2ab63e47f402406afed31dad063df7f8
sha1 TOTAL: d337f09ba2b9069668c70a14a2fc87a3b21a5887
156301488+0 sectors in
156301488+0 sectors out
dc3dd completed at 2010-09-13 19:56:20 +1200
Command completed: Mon Sep 13 19:56:24 NZST 2010
Start VERIFY: Mon Sep 13 19:56:24 NZST 2010
Command-line: cat /mnt/new/Image/Caine_UnReadableMBR.* | air-counter 2>> /usr/local/share/air/logs/air.buffer.data | dc3dd hash=md5,sha1
