Do Metadata-based Deleted-File-Recovery (DFR) Tools Meet NIST Guidelines?

Meyer, Andrew and Roy, Sankardas (2019) Do Metadata-based Deleted-File-Recovery (DFR) Tools Meet NIST Guidelines? EAI Endorsed Transactions on Security and Safety, 6 (21). e4. ISSN 2032-9393

Available under License Creative Commons Attribution No Derivatives.



Digital forensics (DF) tools are used for post-mortem investigation of cyber-crimes. The Computer Forensics Tool Testing (CFTT) Program at the National Institute of Standards and Technology (NIST) has defined expectations for a DF tool's behavior. Understanding these expectations and how DF tools work is critical for ensuring the integrity of forensic analysis results. In this paper, we consider standardization of one class of DF tools, those for Deleted File Recovery (DFR). We design a list of canonical test file system images to evaluate a DFR tool. Via extensive experiments we find that many popular DFR tools do not satisfy some of the standards, and we compile a comparative analysis of these tools, which could help the user choose the right tool. Furthermore, one of our research questions identifies the factors which make a DFR tool fail. Moreover, we also provide a critique of the applicability of the standards. Our findings are likely to trigger more research on compliance with standards from the research community as well as practitioners.

Item Type: Article
Uncontrolled Keywords: Deleted File Recovery, Digital Forensics, Metadata, NIST Guidelines, File System, FAT, NTFS
Subjects: H Social Sciences > H Social Sciences (General)
Q Science > QA Mathematics > QA75 Electronic computers. Computer science
QA75 Electronic computers. Computer science
Depositing User: EAI Editor IV
Date Deposited: 26 Mar 2021 14:01
Last Modified: 26 Mar 2021 14:01
