Coursework Suggestions

6 Posts
4 Users
0 Likes
490 Views
(@mhibert)
Posts: 12
Active Member
Topic starter
 

Hello guys,

I hope you are all well. I need help with my coursework: the aim is to critically evaluate two forensics tools and compare them. My teacher said it can be any tools, like FTK, EnCase and so on. Also, he mentioned that in order to demonstrate them I need to implement some material on which they can be tested and compared. I need help with 'where could I get forensic images?' and, the most important question, 'what things and tests can I do with these tools?' to show the contrast between them.

Thank you!

 
Posted : 04/10/2017 12:06 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

http://www.dftt.org/

Maybe reduce the scope of your coursework by comparing specific-purpose programs like file carvers rather than trying to compare entire forensic suites…

 
Posted : 04/10/2017 12:43 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also, he mentioned that in order to demonstrate them I need to implement some material on which they can be tested and compared. I need help with 'where could I get forensic images?'

More here:
http://www.forensicfocus.com/images-and-challenges

You can also try a generator:
https://articles.forensicfocus.com/2013/10/18/forge-computer-forensic-test-image-generator/
https://github.com/hannuvisti/forge

Also check:
http://www.forensicfocus.com/Forums/viewtopic/t=11023/

and, the most important question, 'what things and tests can I do with these tools?' to show the contrast between them.

As AmNe5iA suggested, you should narrow the scope, and possibly ask your teacher for advice; the field (and the things that can be done with one or the other of the "suites") is vast.

jaclaz

 
Posted : 04/10/2017 1:27 pm
(@athulin)
Posts: 1156
Noble Member
 

I need help with 'where could I get forensic images?' and, the most important question, 'what things and tests can I do with these tools?' to show the contrast between them.

You're in a bit of a bind: in order to compare two tools, you need to have access to them, and you also need to have enough experience with them to be confident that you are not yourself the cause of any differences you may find.

For some very narrow test material … you might look at:

* Brian Carrier's project http://dftt.sourceforge.net/, which collects some test data and software for specific aspects of computer forensic functionality (… already mentioned by someone whose name I have forgotten).

* Elizabeth Zwicky's Torture Test.

She wrote a program that creates a rather gnarly Unix file structure (long names, weird file characters, dead and circular links, sparse files, etc.) in order to test backup/archive software such as dump, tar and cpio: can they back up the file structure, and can they restore it correctly? There are two papers from LISA that describe the results:

http://www.coredumps.de/doc/dump/zwicky/testdump.doc.html

https://www.usenix.org/legacy/event/lisa03/tech/full_papers/zwicky/zwicky.pdf

(I'm fairly certain the original source code is also out there, as well as one or two attempts to improve it.)

While Zwicky's purpose was to ensure that backup software was robust, the tests can also be applied to forensic software: do they keep their cool when faced with file systems or file archives containing this kind of weirdness? (I remember feeding a torture tar archive to an old EnCase version, and watched it break down fairly comprehensively. But I don't know anyone who has done a systematic test of it.)

The test probably needs to be updated with modern file system artifacts, but that should not be too difficult, if you have some experience with modern Linux or Mac or other Unix-based platforms.

* There's also the SourceForge project http://disktype.sourceforge.net/, which tries to identify lots and lots of different types of disk/volume images (PC floppy, Atari floppy, ReiserFS, squashfs, XFS, …).

The project provides test samples (http://disktype.cvs.sourceforge.net/disktype/file-system-sampler/), but it doesn't seem too difficult to add more modern samples, like ZFS or YAFFS.

The test could then be … do full-blown forensic platforms also identify and interpret these samples, or do they fail? (And when they fail, do they report the failure reasonably correctly?)

* My own CompForTest at https://sourceforge.net/projects/compfortest/, which provides test data for an NTFS time stamp interpretation test as well as some slightly wider, but still not comprehensive, ISO 9660-related tests.

The latest NTFS release may be a bit hairy to test without writing some kind of checking software, as the number of test samples is really large.

 
Posted : 04/10/2017 3:21 pm
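As an added illustration of the torture-test idea athulin describes above (not code from the thread, and not Zwicky's original program), the script below builds a small tree with the same kinds of awkward artifacts (a 255-byte name, spaces and a newline in names, a leading dash, a non-ASCII name, a dangling symlink, a circular symlink pair, a sparse file, a hard-link pair, an empty directory and deep nesting), records a ground-truth manifest (type, size, SHA-256, link count, allocated blocks, symlink target) and then diffs that manifest against whatever a tool produced from the tree. `shutil.copytree` stands in for the "tool under test" only so the script runs on its own; the assumed setup is a Unix-like host, and the names and fields are my choices.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: a Unix-like filesystem (symlinks, hard links, st_blocks, newline in a name).


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_torture_tree(root: Path) -> dict:
    """Populate `root` with a constructed, much smaller cousin of Zwicky's tree
    and return its ground-truth manifest."""
    root.mkdir(parents=True, exist_ok=True)
    (root / ("L" * 255)).write_bytes(b"name at the 255-byte NAME_MAX limit\n")
    (root / "with space.txt").write_bytes(b"space in name\n")
    (root / "line\nbreak.txt").write_bytes(b"newline in name\n")
    (root / "-dash-first").write_bytes(b"looks like a command-line option\n")
    (root / "caf\u00e9.txt").write_bytes(b"non-ASCII name\n")
    os.symlink("does-not-exist", root / "dangling")       # dead link
    os.symlink("loop-b", root / "loop-a")                  # circular pair
    os.symlink("loop-a", root / "loop-b")
    with open(root / "sparse.bin", "wb") as f:             # 1 MiB apparent size, one block used
        f.seek(1024 * 1024 - 1)
        f.write(b"x")
    (root / "hl-original").write_bytes(b"two names, one inode\n")
    os.link(root / "hl-original", root / "hl-copy")        # hard-link pair
    (root / "empty-dir").mkdir()
    root.joinpath(*(f"d{i}" for i in range(20))).mkdir(parents=True)  # deep nesting
    return manifest(root)


def manifest(root: Path) -> dict:
    """Per relative path, the attributes a faithful copy or parse must preserve."""
    out = {}

    def walk(d: Path):
        with os.scandir(d) as it:
            entries = sorted(it, key=lambda e: e.name)
        for e in entries:
            p = Path(e.path)
            rel = p.relative_to(root).as_posix()
            if e.is_symlink():                      # never follow: loops and dead links
                out[rel] = {"type": "symlink", "target": os.readlink(p)}
            elif e.is_dir(follow_symlinks=False):
                out[rel] = {"type": "dir"}
                walk(p)
            else:
                st = e.stat(follow_symlinks=False)
                out[rel] = {"type": "file", "size": st.st_size, "sha256": sha256_file(p),
                            "nlink": st.st_nlink, "blocks": st.st_blocks}

    walk(root)
    return out


def diff_manifests(expected: dict, actual: dict) -> list:
    """Every path or attribute where the tool's output departs from ground truth."""
    diffs = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in expected or rel not in actual:
            diffs.append({"path": rel, "field": "presence",
                          "expected": rel in expected, "actual": rel in actual})
            continue
        for field in sorted(set(expected[rel]) | set(actual[rel])):
            if expected[rel].get(field) != actual[rel].get(field):
                diffs.append({"path": rel, "field": field,
                              "expected": expected[rel].get(field),
                              "actual": actual[rel].get(field)})
    return diffs


def demo() -> list:
    """shutil.copytree plays the 'backup and restore' tool; swap in the tool under test."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "restored"
        expected = build_torture_tree(src)
        shutil.copytree(src, dst, symlinks=True)
        return diff_manifests(expected, manifest(dst))


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Run as-is, the diff already shows the sort of finding the test is after: the copy keeps every name, content and symlink target, but the hard-link pair comes back as two unrelated inodes (`nlink` 2 versus 1), and the `blocks` field tells you whether the sparse file was preserved or silently inflated to a full megabyte. For a forensic suite the same manifest serves as the answer key against which the tool's file listing and hashes are checked.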
(@mhibert)
Posts: 12
Active Member
Topic starter
 

Thank you very much for all your answers; they were surprisingly quick and informative!

 
Posted : 04/10/2017 9:36 pm
(@mhibert)
Posts: 12
Active Member
Topic starter
 

Guys, I am going to be honest with you. With the help of your answers, I determined the tests which I am planning to demonstrate, such as Data Carving, Web Artifacts and Keyword Search. However, I am struggling with choosing tools. I would like to add the Autopsy tool to my list as it's free and I can obtain the latest version, but for other tools I can find only versions from between 2001 and 2009, which are not up to date. I am asking myself, 'How can I compare something that has changed dramatically over the years?'. Could you please advise me what tools are similar to Autopsy (open source) so I could start playing with the material that you kindly gave me?

Thank you!

 
Posted : 04/10/2017 9:46 pm
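For the Data Carving test mentioned above, the fairest way to compare two carvers is a known-answer image: plant objects at offsets you chose, keep a ground-truth table, and score what each tool recovers. The script below is an added example (not from the thread or any of the tools named in it): it builds such an image with two JPEG-shaped and one PNG-shaped object (signature-only stand-ins, constructed here, not real pictures), one of them deliberately unaligned, plus a header-only decoy with no footer, then runs a minimal header/footer carver over it and scores the result. The filler pattern, offsets and sizes are my choices.

```python
import hashlib

# Header/footer pairs a typical signature carver keys on.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def filler(n: int) -> bytes:
    # Deterministic padding that contains no 0xFF byte and no PNG signature, so the
    # only signatures present in the image are the ones planted on purpose.
    return bytes(i % 251 for i in range(n))


def fake_jpeg(n: int) -> bytes:
    return b"\xff\xd8\xff\xe0\x00\x10JFIF" + filler(n) + b"\xff\xd9"


def fake_png(n: int) -> bytes:
    return b"\x89PNG\r\n\x1a\n" + filler(n) + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"


def build_test_image(size: int = 65536):
    """Return (image bytes, ground truth) with objects planted at known offsets (constructed)."""
    img = bytearray(filler(size))
    plan = [
        ("jpeg", 4096, fake_jpeg(3000)),   # sector-aligned
        ("png", 16384, fake_png(2000)),    # sector-aligned
        ("jpeg", 33000, fake_jpeg(5000)),  # deliberately unaligned
    ]
    truth = []
    for kind, off, blob in plan:
        img[off:off + len(blob)] = blob
        truth.append({"type": kind, "offset": off, "length": len(blob),
                      "sha256": hashlib.sha256(blob).hexdigest()})
    # Decoy: a header with no footer (truncated object). A careful carver should
    # not report it as a complete file; a sloppy one may run to end of image.
    decoy = b"\xff\xd8\xff\xe0" + filler(1000)
    img[50000:50000 + len(decoy)] = decoy
    return bytes(img), truth


def carve(image: bytes) -> list:
    """Minimal header/footer carver: report only objects with both markers present."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head))
            if end == -1:          # header without footer: truncated, not a complete object
                break
            end += len(tail)
            found.append({"type": kind, "offset": start, "length": end - start,
                          "sha256": hashlib.sha256(image[start:end]).hexdigest()})
            pos = end
    return sorted(found, key=lambda r: r["offset"])


def score(found: list, truth: list) -> dict:
    """Match on (offset, hash): a carved object counts only if its bytes are exact."""
    key = lambda r: (r["offset"], r["sha256"])
    want, got = {key(t) for t in truth}, {key(f) for f in found}
    return {"expected": len(want), "recovered": len(want & got),
            "false_positives": len(got - want)}


if __name__ == "__main__":
    image, truth = build_test_image()
    print(score(carve(image), truth))
```

Write `image` to a file, point each tool under test at it, and score the tools' output with the same `truth` table (offset plus hash of the recovered bytes); the unaligned object and the footer-less decoy are the cases where two carvers are most likely to differ.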