Evaluating A Selection of Tools for Extraction of Forensic Data: Disk ...
3.21. TC-16-02 Acquire a GPT disk
AIR 2.0.0 (Release Date: 17th, Feb 2010)

Test Case TC-16-02 Acquire a GPT disk (AIR 2.0.0)

Test & Case Summary: Acquire a GPT disk

Notes: Hard drive partitioned as GPT disk. 6 partitions are created.

Assertions:
  AFR-01   The tool accesses the digital source with a supported access interface
  AFR-02   The tool acquires a digital source
  AFR-03   The tool operates in an execution environment
  AFR-04   The tool creates an image file of the digital source
  AFR-05   The tool acquires all the visible data sectors from the digital source
  AFR-07   All data sectors acquired from the digital source are acquired accurately.
  AIC-01   The data represented by an image file is the same as the data acquired by the tool
  AIC-02   The tool creates an image file according to the file format the user specified.
  AIC-05   If multi-file image creation and the image file size are selected, the tool creates a multi-file image except that one file may be smaller
  AIC-06   If the image file integrity check is selected, the tool shall report to the user the image file has not been changed if the image file has not been changed.
  AIC-07   If the image file integrity check is selected, the tool shall report to the user the image file has been changed if the image file has been changed.
  AIC-08   If the image file integrity check is selected, the tool shall report to the user the image file has been changed and the involved location if the image file has been changed.
  ALOG-01  If the tool logs any information regarding the acquisition, the information is accurately logged in the log file.
  ALOG-02  The tool displays correct information about the acquisition to the user. The information about the acquisition includes at least the following: device, start sector, end sector, type and number of errors encountered, and start time and end time of acquisition.
  ALOG-03  The tool displays correct information regarding the acquisition to the user and the information displayed is consistent with the log file if the log file function is supported

Source Device:
  Drive Model: ST380817AS (80GB)
  Serial Number: 5MR18V18
  Sector count: 156,301,488
  Write blocker: Tableau Forensic SATA/IDE Bridge IEEE 1394 SBP2 Device

Drive Setup:
  /dev/sdb: current max LBA: 156,301,488
  /dev/sdb: native max LBA: 156,301,488
  /dev/sdb: physical max LBA: 156,301,488
  /dev/sdb: HPA and DCO are not set

Partition Table (GPT disk):
  Device      Start      End         #sectors    File System
  /dev/sdb1   34         262110      262144      Microsoft Reserved
  /dev/sdb2   264192     8652799     8388608     NTFS
  /dev/sdb3   8652800    12847103    4194304     NTFS
  /dev/sdb4   12847104   14944255    2097152     NTFS
  /dev/sdb5   14944256   25380863    10436608    NTFS
  /dev/sdb6   25380864   156299264   130918400   NTFS

Log highlights:
  Start DC3DD (md5 sha1): Fri Sep 17 17:48:35 NZST 2010
  command line: dc3dd hash=md5,sha1 hashlog=/tmp/hash.log status=noxfer if=/dev/sdc skip=0 conv=noerror,sync iflag=direct ibs=32768
  compiled options: DEFAULT_BLOCKSIZE=32768
  sector size: 512 (assumed)