EAI Endorsed Transactions on Security and Safety (Aug 2019)
Do Metadata-based Deleted-File-Recovery (DFR) Tools Meet NIST Guidelines?
Abstract
Digital forensics (DF) tools are used for post-mortem investigation of cyber-crimes. The CFTT (Computer Forensics Tool Testing) Program at the National Institute of Standards and Technology (NIST) has defined expectations for a DF tool’s behavior. Understanding these expectations and how DF tools work is critical for ensuring the integrity of the forensic analysis results. In this paper, we consider standardization of one class of DF tools, namely those for Deleted File Recovery (DFR). We design a list of canonical test file system images to evaluate a DFR tool. Via extensive experiments we find that many popular DFR tools do not satisfy some of the standards, and we compile a comparative analysis of these tools, which could help the user choose the right tool. Furthermore, one of our research questions identifies the factors which make a DFR tool fail. Moreover, we also provide a critique of the applicability of the standards. Our findings are likely to trigger more research on compliance with the standards from the research community as well as from practitioners.
Keywords