Coursework Suggestions

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

Coursework Suggestions

Post Posted: Wed Oct 04, 2017 6:06 am

Hello guys,

I hope you are all well. I need help with my coursework; the aim is to critically evaluate two forensics tools and compare them both. My teacher said it can be any tools like FTK, EnCase and so on. Also, he mentioned that in order to demonstrate them I need to implement some material on which they can be tested and compared. I need help with 'where I could take forensics images?' and the most important question is 'what things and tests I can do with these tools?' to show contrast between them.

Thank you!  

mhibert
Newbie
 
 
  

Re: Coursework Suggestions

Post Posted: Wed Oct 04, 2017 6:43 am

http://www.dftt.org/

Maybe reduce the scope of your coursework by comparing specific use programs like file carvers rather than trying to compare entire forensic suites...  

AmNe5iA
Member
 
 
  

Re: Coursework Suggestions

Post Posted: Wed Oct 04, 2017 7:27 am

- mhibert
Also, he mentioned that in order to demonstrate them I need to implement some material on which they can be tested and compared. I need help with 'where I could take forensics images?'

More here:
www.forensicfocus.com/...challenges

You can also try a generator:
articles.forensicfocus...generator/
github.com/hannuvisti/forge

Also check:
www.forensicfocus.com/...c/t=11023/


- mhibert
and the most important question is 'what things and tests I can do with these tools?' to show contrast between them.

As AmNe5iA suggested, you should narrow the scope, and possibly ask your teacher for advice; the field (and things that can be done with the one or the other of the "suites") is vast.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Coursework Suggestions

Post Posted: Wed Oct 04, 2017 9:21 am

- mhibert
I need help with 'where I could take forensics images?' and the most important question is 'what things and tests I can do with these tools?' to show contrast between them.


You're in a bit of a bind: in order to compare two tools, you need to have access to them, and you also need to have sufficient experience with them that you are confident that you are not yourself the cause of any differences you may find.

For some very narrow test material ... you might look at:

* Brian Carrier's project dftt.sourceforge.net/, which collects some test data and software for specific aspects of computer forensic functionality (... already mentioned by someone whose name I have forgotten).

* Elizabeth Zwicky's Torture Test.

She wrote a program that creates a rather gnarly Unix file structure (long names, weird file characters, dead and circular links, sparse files, etc.) in order to test backup/archive software such as dump, tar and cpio: can they back up the file structure, and can they restore it correctly? There are two papers from LISA that describe the results,

www.coredumps.de/doc/d...p.doc.html

www.usenix.org/legacy/...zwicky.pdf

(I'm fairly certain the original source code is also out there, as well as one or two attempts to improve it.)

While Zwicky's purpose was to ensure that backup software was robust, the tests can also be applied to forensic software: do they keep their cool, when faced with file systems or file archives containing this kind of weirdness? (I remember feeding a torture tar archive to an old EnCase version, and watched it break down fairly comprehensively. But I don't know anyone who has done a systematic test of it.)

The test probably needs to be updated with modern file system artifacts, but that should not be too difficult, if you have some experience with modern Linux or Mac or other Unix-based platforms.

* There's also the SourceForge project disktype.sourceforge.net/ which tries to identify lots and lots of different types of disk/volume images (PC floppy, Atari floppy, reiser fs, squashfs, xfs, ...)

The project provides test samples (http://disktype.cvs.sourceforge.net/disktype/file-system-sampler/), but it doesn't seem too difficult to add more modern samples, like ZFS, YAFFS.

The test could then be ... do full-blown forensic platforms also identify and interpret these samples, or do they fail? (And when they fail, do they report the failure reasonably correctly?)

* My own CompForTest at sourceforge.net/projec...pfortest/, which provides test data for NTFS time stamp interpretation test as well as some slightly wider but still not comprehensive ISO 9660-related tests.

The latest NTFS release may be a bit hairy to test without writing some kind of checking software, as the number of test samples is really large.  

athulin
Senior Member
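
The kind of torture-test material described in the post above can be generated with a short script. This is an added example, not part of any post in this thread and not Zwicky's original program: it builds a small subset of such a file structure (long and odd file names, a dead link, a circular link, a sparse file) and returns a ground-truth manifest to compare each tool's output against. It assumes a Unix-like system with symlink support; all paths and names are constructed for illustration.

```python
import hashlib
import os
import tarfile
import tempfile

def build_torture_tree(root):
    """Create awkward-but-legal entries under root; return {relative path: expectation}."""
    manifest = {}

    def add_file(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        manifest[rel] = "sha256:" + hashlib.sha256(data).hexdigest()

    add_file("plain/readme.txt", b"baseline file\n")
    add_file("names/" + "L" * 200 + ".txt", b"long name\n")  # 204 bytes; many file systems cap at 255
    add_file("names/ leading space and 'quotes'.txt", b"odd chars\n")
    add_file("names/new\nline.txt", b"newline in name\n")
    add_file("names/caf\u00e9-\u65e5\u672c.txt", b"non-ASCII name\n")

    # Sparse file: 1 MiB logical size, only the last byte is written.
    sparse = os.path.join(root, "sparse.bin")
    with open(sparse, "wb") as fh:
        fh.seek(1024 * 1024 - 1)
        fh.write(b"\x01")
    with open(sparse, "rb") as fh:
        manifest["sparse.bin"] = "sha256:" + hashlib.sha256(fh.read()).hexdigest()

    # Dead (dangling) and circular symbolic links.
    os.makedirs(os.path.join(root, "links"))
    os.symlink("no-such-target", os.path.join(root, "links/dead"))
    os.symlink(".", os.path.join(root, "links/loop"))
    manifest["links/dead"] = "symlink:no-such-target"
    manifest["links/loop"] = "symlink:."
    return manifest

def pack(root, tar_path):
    """Archive the tree (symlinks stored as links, not followed) as tool input."""
    with tarfile.open(tar_path, "w") as tar:
        tar.add(root, arcname="torture")

if __name__ == "__main__":
    work = tempfile.mkdtemp(prefix="torture-")
    expected = build_torture_tree(os.path.join(work, "tree"))
    pack(os.path.join(work, "tree"), os.path.join(work, "torture.tar"))
    for rel, want in sorted(expected.items()):
        print(repr(rel), want)
```

Feed the resulting archive to each tool under comparison and check every manifest entry against what the tool reports: name, link target, and the hash of any exported file.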
 
 
  

Re: Coursework Suggestions

Post Posted: Wed Oct 04, 2017 3:36 pm

Thank you very much for all your answers; they were surprisingly quick and informative!  

mhibert
Newbie
 
 
  

Re: Coursework Suggestions

Post Posted: Wed Oct 04, 2017 3:46 pm

Guys, I am going to be honest with you. With the help of your answers, I determined the tests which I am planning to demonstrate, such as Data Carving, Web Artifacts and Keyword Search. However, I am struggling with choosing tools. I would like to add the Autopsy tool to my list as it's free and I can obtain the latest version, but with other tools I can find only versions between 2001-2009, which are not up to date. I am asking myself, 'How can I compare something that has changed dramatically over the years?'. Could you please advise me what tools are similar to Autopsy (open-source) so I could start playing with the material that you kindly gave me?

Thank you!  

mhibert
Newbie
 
 
