Assignment 3

Page history last edited by Philip Craiger 5 years, 1 month ago
Tool Validation 
Introduction to Digital Forensics 
Dr. Philip Craiger Fall 2015


Your task is to use validation procedures to validate two file recovery tools, PhotoRec and Foremost, and to write a report using the SWGDE format. Why is validation important?
Your tools must work, and must be validated, particularly if your results are to be used in a court of law. You wouldn't
want your freedom or life to be based on the results of a faulty tool used during a forensic analysis!


1. 4860.2.dd.zip (this is the partition that you used for assignment 2). SHA1 = 6e89253b65f9ac9a89c1dd632d122a0409a32dca
2. Watch the validation videos:
     1. Creating validation media
     2. Forensic tool validation
3. Example validation report (based on SWGDE template). Your report should follow the template EXACTLY, with the same level of detail.
Include the two recovered files in your report, along with their associated metadata.

I've included an example of an actual validation document that my research team produced -- while I was the
Assistant Director for Digital Evidence at the National Center for Forensic Science --
for some research funded by the National Institute for Justice.

Read the document carefully and follow the format.  Here's a Word version you can use as a template.
You should have detailed explanations regarding the procedures you used as well as the outcome and results.

You are to use the two tools to recover the two deleted files.  
Follow the template to describe the procedures you used to recover the files. Describe your outcomes and conclusions.
Your expectation is that both tools should correctly identify the deleted files, and be able to recover them correctly
(that is, the hashes should match!).  


Here are the contents of the image, including the notation for the deleted files:


file1.jpg:  (active)

JPEG image data, JFIF standard 1.01

Size: 138835 Oct  9  2014 file1.jpg

38940ec5b3a309bca46e44f9aa2b4e12f67d5269  file1.jpg


file2.png:  (deleted)

PNG image data, 341 x 226, 8-bit/color RGBA, non-interlaced

152463 Oct  9  2014 file2.png

74fde2180dfb04b16c31e9e85dd0dd41f38b97fe  file2.png


file3.docx: (active)

Microsoft Word 2007+

22422 Oct  9  2014 file3.docx

8bef5c51c67d3a58015c63dcb69e668b8f000a63  file3.docx


file4.jpg:  (deleted)

JPEG image data, JFIF standard 1.01, comment: "File source: http://commons.wikimedia.org/wiki/File:Gorfou_sau\251"

45187 Sep  8 14:58 file4.jpg

d8805525a4eead253824de53e02f6ed1e4c470c2  file4.jpg


file5.txt:  (active)

ASCII text, with no line terminators

23 Oct  9  2014 file5.txt

b99ca9cb2419b487eb04c15fe9a9499367e22566  file5.txt
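
One way to script the hash comparison this assignment asks for, as an added example that is not part of the original assignment or of either tool. The function names and the PASS / SIZE-ONLY / MISSING verdicts are assumptions of this example; the reference hashes and sizes are copied from the listing above.

```python
import hashlib
import os
import sys

# Reference values from the listing above: name -> (SHA-1, size in bytes, state)
REFERENCE = {
    "file1.jpg":  ("38940ec5b3a309bca46e44f9aa2b4e12f67d5269", 138835, "active"),
    "file2.png":  ("74fde2180dfb04b16c31e9e85dd0dd41f38b97fe", 152463, "deleted"),
    "file3.docx": ("8bef5c51c67d3a58015c63dcb69e668b8f000a63", 22422, "active"),
    "file4.jpg":  ("d8805525a4eead253824de53e02f6ed1e4c470c2", 45187, "deleted"),
    "file5.txt":  ("b99ca9cb2419b487eb04c15fe9a9499367e22566", 23, "active"),
}

def sha1_file(path, chunk=1 << 20):
    """Stream a file through SHA-1 so large recovered files are not loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def validate(output_dir, reference=REFERENCE):
    """Compare every file under a tool's output directory with the reference set.

    Recovery tools rename what they recover, so matching is by hash, never by name.
    Returns (results, unmatched): results maps each reference name to PASS,
    SIZE-ONLY (same length, different content) or MISSING.
    """
    by_hash = {sha: name for name, (sha, _, _) in reference.items()}
    results = {name: "MISSING" for name in reference}
    unmatched = []  # recovered paths whose hash equals no reference hash
    for root, _, files in os.walk(output_dir):
        for fn in sorted(files):
            path = os.path.join(root, fn)
            name = by_hash.get(sha1_file(path))
            if name:
                results[name] = "PASS"
            else:
                unmatched.append(path)
    # A recovered file with the right length but the wrong hash is worth reporting.
    for path in unmatched:
        for name, (_, ref_size, _) in reference.items():
            if results[name] == "MISSING" and os.path.getsize(path) == ref_size:
                results[name] = "SIZE-ONLY"
    return results, unmatched

if __name__ == "__main__":
    results, unmatched = validate(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, verdict in results.items():
        print(f"{verdict:9} {name} ({REFERENCE[name][2]})")
    print("unmatched:", *unmatched, sep="\n  ")
```

Run it once per tool, pointing it at that tool's output directory; any log or report file the tool writes there is listed as unmatched.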






