In order for computer forensics findings to be admissible in a court of law, the tools and methods used to collect such data must ensure its integrity. According to Marie-Helen Maras (2012), “As with other forms of evidence, the original captured network traffic data must be kept intact. An investigator must ensure that any programs that are run to obtain evidence do not modify data on the system” (p. 286). The National Institute of Standards and Technology (NIST) maintains the Computer Forensics Tool Testing (CFTT) program to help investigators choose appropriate tools for this purpose.
NIST has established a methodology for testing computer forensics tools in order to assist law enforcement and other investigators in choosing tools that will consistently produce legally admissible evidence. Among the test criteria for forensic tools are “general tool specifications, test procedures, test criteria, test sets, and test hardware” (NIST, n.d.). The program is endorsed by the NIST Law Enforcement Standards Office and the US Department of Homeland Security (DHS) (NIST, n.d.). The CFTT program allows investigators to choose forensics tools that have already been tested and verified as sufficiently accurate for legal use. This spares investigators from validating their own tools from scratch, a process that could jeopardize a court case if a tool were found to be deficient in the middle of an investigation.
Disk Imaging and Deleted File Recovery
In the 2012 CFTT booklet, NIST lists detailed results for nineteen tested disk imaging programs. Each program tested has an overview of the general findings and of the specific conditions that caused the procedure to fail. Following the general overview is an itemized list of anomalies that were observed during testing for that particular forensic tool. For instance, the report for EnCase LinEn 6.01 explains in the overview that the software functioned as intended except under two specific conditions. In the itemized anomaly list, the two conditions are explained to be incorrect sector copies following a defective sector, and the inability to acquire sectors hidden by a device configuration overlay (NIST, 2012, p. 24).
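The kind of check that surfaces both anomalies is a sector-by-sector comparison of the acquired image against a known reference drive, with a hash of each side recorded for the case file. The following Python sketch is an added illustration, not code from the NIST report or the essay's author: it builds a constructed reference disk, models an imaging tool that exhibits the two reported behaviours (the sector after a defective sector copied wrongly, and sectors beyond the DCO-visible size never read), and runs a verifier that reports mismatched and missing sectors. The sector size, seed, and the zero-fill used for unreadable sectors are assumptions for the demonstration.

```python
import hashlib

SECTOR = 512  # assumed sector size for the constructed disk


def make_reference_disk(n_sectors, seed=7):
    """Constructed reference drive: sector i is filled with one byte value
    derived from its index, so any sector copied wrongly is detectable."""
    return b"".join(bytes([(i * seed + 1) % 256]) * SECTOR for i in range(n_sectors))


def faulty_acquire(disk, bad_sectors, visible_sectors):
    """Model of an imaging tool with the two anomalies described in the report:
    the sector after every defective sector is copied incorrectly (here: zero-filled),
    and sectors beyond the DCO-visible size are never read.  Defective sectors
    themselves are zero-filled, the expected outcome for an unreadable sector."""
    image = bytearray()
    for i in range(visible_sectors):
        chunk = disk[i * SECTOR:(i + 1) * SECTOR]
        if i in bad_sectors or (i - 1) in bad_sectors:
            chunk = b"\x00" * SECTOR
        image += chunk
    return bytes(image)


def correct_acquire(disk):
    """Model of a tool that acquires every sector faithfully."""
    return bytes(disk)


def verify_image(disk, image, bad_sectors=frozenset()):
    """Compare an acquired image to the reference drive sector by sector.

    Returns the hash of each side, whether they agree, the indexes of sectors
    that were readable but copied wrongly (known-bad sectors are skipped, since
    they cannot be read and any fill value is acceptable), and the number of
    sectors present on the drive but absent from the image."""
    expected = len(disk) // SECTOR
    got = len(image) // SECTOR
    mismatched = []
    for i in range(min(expected, got)):
        if i in bad_sectors:
            continue
        if disk[i * SECTOR:(i + 1) * SECTOR] != image[i * SECTOR:(i + 1) * SECTOR]:
            mismatched.append(i)
    source_hash = hashlib.sha256(disk).hexdigest()
    image_hash = hashlib.sha256(image).hexdigest()
    return {
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "hash_match": source_hash == image_hash,
        "mismatched_sectors": mismatched,
        "missing_sectors": max(expected - got, 0),
    }


if __name__ == "__main__":
    disk = make_reference_disk(16)
    # Sector 5 is defective; a DCO hides the last 4 sectors (only 12 visible).
    bad = faulty_acquire(disk, bad_sectors={5}, visible_sectors=12)
    print("faulty tool:", verify_image(disk, bad, bad_sectors={5}))
    print("correct tool:", verify_image(disk, correct_acquire(disk)))
```

The verifier deliberately separates the whole-image hash from the per-sector report: a hash mismatch alone tells an examiner only that something differs, while the sector list distinguishes an expected unreadable sector from a tool defect, which is the distinction the CFTT anomaly entries draw.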
The portion of the CFTT that deals with deleted file recovery...