Recommendations for carving software

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

Rich2005
Senior Member
 

Re: Recommendations for carving software

Posted: Nov 12, 19 17:24

Thanks for that jaclaz - very useful (I'd been contemplating improving my general strategy by carving in X-Ways and bringing that into my NUIX case via a container following a bit of filtering - rather than carving in NUIX for a number of reasons).  
 
  

minime2k9
Senior Member
 

Re: Recommendations for carving software

Posted: Nov 12, 19 21:31

Even though it is very useful, I should point out that pretty much all of the NIST testing was done in 2014 and some of those versions are quite old. X-Ways is now on 19.8 SR9 (19.9 is still in Beta) and 17.6 was tested by NIST, which is a lot of versions' difference.

The NIST reports are probably the best validation of tools I have seen, but it's also a great example of how things move far too fast to actually perform any meaningful validation.
 
  

jaclaz
Senior Member
 

Re: Recommendations for carving software

Posted: Nov 13, 19 10:22

- minime2k9
Even though it is very useful, I should point out that pretty much all of the NIST testing was done in 2014 and some of those versions are quite old. X-Ways is now on 19.8 SR9 (19.9 is still in Beta) and 17.6 was tested by NIST, which is a lot of versions' difference.

The NIST reports are probably the best validation of tools I have seen, but it's also a great example of how things move far too fast to actually perform any meaningful validation.


Sure, and the blatant differences in performance (besides my personal scores) of the two subsequent versions of Encase (hopefully an isolated case) show clearly enough how you cannot "extend" validation from one release to another of the same tool.

I have no idea how the tools (or the investigators) deal or should deal with "false positives", but if the thingy generated around 9000 false positives on a test dataset containing 40 images, how many would be generated if the disk under examination has thousands of images? Millions?

Also, the (nice) tests by NIST (understandably) do not touch the topic of "validation": how do you actually validate any of those?

I mean, let's take the single test where the overall better scoring tools (X-Ways and Photorec) were less "brilliant":
4.5 Fragmented Out of Order
X-Ways Forensics v17.6 out of 35 images, 24 carved, of which 3 viewable, 24 only partially viewable, 7 not viewable
Photorec v7.0 WIP out of 35 images, 12 carved, of which 3 viewable, 9 only partially viewable, 0 not viewable

How can you validate the latter (and "trust" it) when it has roughly half of the performance of the former?

Then you take another tool (actually not very well performing in "simpler" tests), and you have (in the specific test) a result that is double the best one of the two above:
Encase Forensics v6.18.0.59 out of 35 images, 46 carved, of which 10 viewable, 9 only partially viewable, 6 not viewable, 21 false positives

The validation may only refer to the fact that all three tools above did not "invent" new images from random bytes.

And still I would like to see what happens in Court when one investigator (using tool A) says (test results multiplied by 100 to convey the effect):
From the disks I examined I was able to recover 4,900 viewable images in total.
and the investigator for the other party (using tool B) says:
From the same disks (images) I was able to recover 16,000 viewable images in total.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
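The question "how do you actually validate any of those?" is usually answered in a lab by scoring the carver's output against a known dataset, which is also what the NIST figures quoted above (viewable / partially viewable / not viewable / false positives) boil down to. The following is an added example, not code from the thread or from any of the tools named; the "images" and the carver output are constructed byte strings, and the classification rule (exact hash match = viewable, proper prefix = partial, anything else = false positive) is an assumption chosen for illustration.

```python
import hashlib
from collections import Counter

# Constructed ground truth: three fake JPEG-like files (SOI marker + payload + EOI).
# A real validation run would use the real test dataset and its hash list.
GROUND_TRUTH = {
    "img1.jpg": b"\xff\xd8\xff\xe0" + b"A" * 100 + b"\xff\xd9",
    "img2.jpg": b"\xff\xd8\xff\xe0" + b"B" * 200 + b"\xff\xd9",
    "img3.jpg": b"\xff\xd8\xff\xe0" + b"C" * 300 + b"\xff\xd9",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify_carved(carved: bytes, truth: dict) -> str:
    """One carved object is 'viewable' (byte-identical to a ground-truth file),
    'partial' (a proper, non-empty prefix: header right, tail missing) or a
    'false_positive' (matches nothing in the dataset). Assumed rule, see lead-in."""
    known = {sha256(v) for v in truth.values()}
    if sha256(carved) in known:
        return "viewable"
    if carved and any(len(carved) < len(v) and v.startswith(carved)
                      for v in truth.values()):
        return "partial"
    return "false_positive"

def score_carver(carved_outputs: list, truth: dict) -> dict:
    """Tally the classes and derive recall (fully recovered files over the
    dataset) and precision (everything that is not a false positive over
    everything the carver emitted). A carved count above len(truth), as in
    the Encase row quoted above (46 of 35), can only come from false positives."""
    counts = Counter(classify_carved(c, truth) for c in carved_outputs)
    total = len(carved_outputs)
    fp = counts["false_positive"]
    return {
        "carved": total,
        "viewable": counts["viewable"],
        "partial": counts["partial"],
        "false_positive": fp,
        "recall": counts["viewable"] / len(truth),
        "precision": (total - fp) / total if total else 0.0,
    }

if __name__ == "__main__":
    # Constructed carver output: one exact hit, one truncated file, two junk blobs.
    outputs = [GROUND_TRUTH["img1.jpg"], GROUND_TRUTH["img2.jpg"][:50],
               b"\xff\xd8\xff\xe0" + b"Z" * 10, b"not an image"]
    print(score_carver(outputs, GROUND_TRUTH))
```

Swapping in two versions of the same carver against the same dataset gives the per-release comparison the posts above argue is needed, since recall and precision do not carry over from one release to the next.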
 
