sesa 19(21): e4

Research Article

Do Metadata-based Deleted-File-Recovery (DFR) Tools Meet NIST Guidelines?

Download1926 downloads
Cite
BibTeX Plain Text
  • @ARTICLE{10.4108/eai.13-7-2018.163091,
    author={Andrew Meyer and Sankardas Roy},
    title={Do Metadata-based Deleted-File-Recovery (DFR) Tools Meet NIST Guidelines?},
    journal={EAI Endorsed Transactions on Security and Safety},
    volume={6},
    number={21},
    publisher={EAI},
    journal_a={SESA},
    year={2019},
    month={8},
    keywords={Deleted File Recovery, Digital Forensics, Metadata, NIST Guidelines, File System, FAT, NTFS},
    doi={10.4108/eai.13-7-2018.163091}
}
  • Andrew Meyer
    Sankardas Roy
    Year: 2019
    Do Metadata-based Deleted-File-Recovery (DFR) Tools Meet NIST Guidelines?
    SESA
    EAI
    DOI: 10.4108/eai.13-7-2018.163091
Andrew Meyer1,*, Sankardas Roy1,*
  • 1: Computer Science Department, Bowling Green State University, Bowling Green, Ohio, USA
*Contact email: apmeyer@bgsu.edu, sanroy@bgsu.edu

Abstract

Digital forensics (DF) tools are used for post-mortem investigation of cyber-crimes. CFTT (Computer Forensics Tool Testing) Program at National Institute of Standards and Technology (NIST) has defined expectations for a DF tool’s behavior. Understanding these expectations and how DF tools work is critical for ensuring integrity of the forensic analysis results. In this paper, we consider standardization of one class of DF tools which are for Deleted File Recovery (DFR). We design a list of canonical test file system images to evaluate a DFR tool. Via extensive experiments we find that many popular DFR tools do not satisfy some of the standards, and we compile a comparative analysis of these tools, which could help the user choose the right tool. Furthermore, one of our research questions identifies the factors which make a DFR tool fail. Moreover, we also provide critique on applicability of the standards. Our findings is likely to trigger more research on compliance of standards from the researcher community as well as the practitioners.

Keywords
Deleted File Recovery, Digital Forensics, Metadata, NIST Guidelines, File System, FAT, NTFS
Received
2019-07-09
Accepted
2019-07-24
Published
2019-08-01
Publisher
EAI
http://dx.doi.org/10.4108/eai.13-7-2018.163091

Copyright © 2019 Andrew Meyer et al., licensed to EAI. This is an open access article distributed under the terms of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.