sesa 19(21): e4

Research Article

Do Metadata-based Deleted-File-Recovery (DFR) Tools Meet NIST Guidelines?

Download2136 downloads
  • @ARTICLE{10.4108/eai.13-7-2018.163091,
        author={Andrew Meyer and Sankardas Roy},
        title={Do Metadata-based Deleted-File-Recovery (DFR) Tools Meet NIST Guidelines?},
        journal={EAI Endorsed Transactions on Security and Safety},
        keywords={Deleted File Recovery, Digital Forensics, Metadata, NIST Guidelines, File System, FAT, NTFS},
  • Andrew Meyer
    Sankardas Roy
    Year: 2019
    Do Metadata-based Deleted-File-Recovery (DFR) Tools Meet NIST Guidelines?
    DOI: 10.4108/eai.13-7-2018.163091
Andrew Meyer1,*, Sankardas Roy1,*
  • 1: Computer Science Department, Bowling Green State University, Bowling Green, Ohio, USA
*Contact email:,


Digital forensics (DF) tools are used for post-mortem investigation of cyber-crimes. CFTT (Computer Forensics Tool Testing) Program at National Institute of Standards and Technology (NIST) has defined expectations for a DF tool’s behavior. Understanding these expectations and how DF tools work is critical for ensuring integrity of the forensic analysis results. In this paper, we consider standardization of one class of DF tools which are for Deleted File Recovery (DFR). We design a list of canonical test file system images to evaluate a DFR tool. Via extensive experiments we find that many popular DFR tools do not satisfy some of the standards, and we compile a comparative analysis of these tools, which could help the user choose the right tool. Furthermore, one of our research questions identifies the factors which make a DFR tool fail. Moreover, we also provide critique on applicability of the standards. Our findings is likely to trigger more research on compliance of standards from the researcher community as well as the practitioners.