Sata and usb drives addition supporting pata

Contact: James Lyle
Computer Forensics Tool Testing Program
Office of Law Enforcement Standards
National Institute of Standards and
Technology

HAVE YOUR COMPUTER FORENSICS TOOLS BEEN TESTED?

The CFTT continues to test tools. See
http://www.ojp.usdoj.gov/nij/publications/welcome.htm (select computer forensics tools testing) or www.cftt.nist.gov for the current list. The CFTT site also contains the specification against which the tools are tested and the testing software and complete methodology.

Revised Date: 8/6/2015

Tableau TD3 Forensic Imager 1.3.0
MacQuisition 2013R2
Paladin 4.0
DCFLDD 1.3.4-1
X-Ways Forensics 16.2 SR-5
Image MASSter Solo-4 Forensic
IXImager v3.0.nov.12.12
Fast Disk Acquisition System (FDAS) 2.0.2
FTK Imager CLI 2.9.0 Debian
Paladin 3.0
Paladin 2.06
X-Ways Forensic 14.8
ASR Data SMART version 2010-11-03
VOOM HardCopy 3P – Firmware Version 2-04
Imager MASSter Solo-3 Forensics, Software Version 2.0.10.23f Tableau TD1 Forensic Duplicator, Firmware Version 2.34 Feb. 17, 2011
Tableau Imager (TIM) Version 1.11
SubRosaSoft MacForensics Lab 2.5.5
Logicube Forensic Talon Software Version 2.43
BlackBag MacQuisition 2.2
EnCase 6.5
EnCase LinEn 6.01
EnCase 5.05f
FTK Imager 2.5.3.14
DCCIdd (Version 2.0)
EnCase 4.22a
EnCase LinEn 5.05f
IXimager (Version 2.0)
dd FreeBSD
EnCase 3.20
Safeback 2.18
Safeback (Sydex) 2.0
dd GNU fileutils 4.0.36

Forensic Media Preparation

 ACES Writeblocker Windows 2000 V5.02.00  ACES Writeblocker Windows XP V6.10.0  PDBLOCK Version 1.02 (PDB_LITE)
 PDBLOCK Version 2.00
 PDBLOCK Version 2.10
 RCMP HDL V0.4
 RCMP HDL V0.5
 RCMP HDL V0.7
 RCMP HDL V0.8

Write Block (Hardware)
 T4 Forensic SCSI Bridge (FireWire Interface)
 T4 Forensic SCSI Bridge (USB Interface)
 Tableau T8 Forensic USB Bridge (FireWire Interface)

Tableau T8 Forensic USB Bridge (USB Interface)  FastBloc FE (USB Interface)
 FastBloc FE (FireWire Interface)
 Tableau T5 Forensic IDE Bridge (USB Interface)

Tableau T5 Forensic IDE Bridge (FireWire Interface)  Tableau Forensic SATA Bridge T3u (USB Interface)
 Tableau Forensic SATA Bridge T3u (FireWire Interface)  Tableau Forensic IDE Pocket Bridge T14 (FireWire Interface) 
WiebeTech Forensic SATADock (FireWire Interface)  WiebeTech Forensic SATADock (USB Interface)










Device Seizure v6.8
Lantern v4.5.6
EnCase Smartphone Examiner v7.10.00.103
Oxygen Forensics Suite 2015 – Analyst v7.0.0.408
Secure View v3.16.4
viaExtract v2.5
Mobile Phone Examiner Plus v5.5.3.73
iOS Crime Lab v1.0.1
UFED Physical Analyzer v3.9.6.7
XRY/XACT v6.10.1
EnCase Smartphone Examiner v7.0
Device Seizure v5.0 build 4582.15907
Lantern v2.3
Micro Systemation XRY v6.3.1
Secure View 3v3.8.0
CelleBrite UFED 1.1.8.6 – Report Manager 1.8.3/UFED Physical Analyzer 2.3.0
Mobile Phone Examiner Plus (MPE+) 4.6.0.2
AFLogical 1.4
Mobilyze 1.1
iXAM Version 1.5.6
Zdziarski’s Method
WinMoFo Version 2.2.38791
SecureView 2.1.0
Device Seizure 4.0

	ILooKIX v2.2.3.151 The Sleuth Kit (TSK) 3.2.2 / Autopsy 2.24 X-Ways Forensics Version 16.0 SR-4 SMART for Linux Version 2011-02-02 (Revised) FTK Version 3.3.0.33124 EnCase Version 6.18.0.59

Forensic File Carving

Video     

TEST REPORT FOR:
TABLEAU TD3 FORENSIC IMAGER 1.3.0

July 2014

For a complete copy of the report, go to:
https://cyberfetch.org/groups/community/test-results-digital-data-acquisition-tool-tableau-td3-forensic-imager-130

TEST REPORT FOR:
MACQUISITION 2013R2

July 2014

Vendor information:
BlackBag Technologies
http://www.blackbagtech.com

The CFTT Project tested the Paladin 4.0 against the Digital Data Acquisition Tool Specification available at: http://www.cftt.nist.gov/disk_imaging.htm

Our results are:

Computer Forensics Tool Testing Program Office of Law Enforcement Standards National Institute of Standards and
Technology

Our results are:

DCFLDD is an enhanced version of GNU dd with features useful for forensics and security. Based on the dd program found in the GNU Coreutils
package, dcfldd has the following additional features: hashing on-the-fly, status output, flexible disk wipes, image/wipe verify, multiple outputs, split output and piped output and logs. DCFLDD was tested only for its disk imaging capabilities and, except for the following anomaly the tool
acquired the test media completely and accurately.

For a complete copy of the report, go to:
https://www.cyberfetch.org/groups/community/test-results-digital-data-acquisition-tool-dcfldd-134-1

Vendor information:
Sourceforge.net
http://dcfldd.sourceforge.net

The CFTT Project tested the X-Ways Forensics 16.2 SR-5 against the Digital Data Acquisition Tool Specification available at:
http://www.cftt.nist.gov/disk_imaging.htm

Our results are:

DISK IMAGING

drive vs. restoring an image of a partition to a partition formatted with a file system vs. restoring an image of a partition to an unformatted destination partition.



DISK IMAGING

TEST REPORT FOR:
IMAGE MASSTER SOLO-4 FORENSIC



In test case DA-10-encrypt the tool’s “Encrypt Destination Files” setting was used to acquire a source drive to an encrypted image file. In DA-14-encrypt, the image file created in DA-10-encrypt was restored to a drive. When the restored drive was compared to the source, only 1,571,229 sectors out of 156,301,488 sectors matched. The vendor plans to address this issue in a future software release and recommends not using the “Encrypt Destination Files” setting until it is corrected.

For a complete copy of the report, go to:
https://www.cyberfetch.org/groups/community/digital-data-acquisition-tool-image-masster-solo-4-forensic

DISK IMAGING

TEST REPORT FOR:
IXIMAGER V3.0.NOV.12.12

For a complete copy of the report, go to:
https://www.cyberfetch.org/groups/community/digital-data-acquisition-tool-iximager-v30nov1212

Vendor information:
Perlustro, L.P.

TEST REPORT FOR:
FAST DISK ACQUITION SYSTEM (FDAS) 2.0.2

July 2013

	When a drive with faulty sectors was imaged (test cases DA-09-option1 & DA-09-option2) the tool failed to completely acquire all readable sectors near the location of the faulty sectors. Option 1 tries to skip around faulty sectors and omitted 422 readable sectors.

Computer Forensics Tool Testing Program Office of Law Enforcement Standards National Institute of Standards and
Technology

Our results are:

AccessData’s FTK Imager CLI v2.9 Debian is designed to image and restore hard drives and other secondary storage. It uses the Debian command line interface to image, clone and restore acquired data. Except for the case where a drive with faulty sectors was imaged (test case DA-09), the tool acquired all sectors of the test media completely and accurately. In test cases DA-04 and DA-17 that measure how a tool behaves when the destination media has insufficient space for a clone or restore task, the tool failed to display a message indicating that the destination drive had insufficient space.

Computer Forensics Tool Testing Program Office of Law Enforcement Standards National Institute of Standards and
Technology

DISK IMAGING

.	Paladin 3.0 is a modified Live Linux distribution designed to simplify the process of creating forensic images in a forensically sound manner. Paladin 3.0 is designed to image, clone and restore data from hard drives and other secondary storage. Except for the following anomalies, the tool acquired the test media completely and accurately.
	
	
	