NCJ Number
196352
Date Published
August 2002
Length
62 pages
Annotation
This report presents test findings for one commonly used computer disk imaging tool, the dd GNU fileutils 4.0.36 provided with Red Hat Linux 7.1.
Abstract
The tested disk imaging tool was compared to the Disk Imaging Tool Specification developed by the Computer Forensics Tool Testing (CFTT) project, a joint effort of the National Institute of Justice, the National Institute of Standards and Technology, as well as the Department of Defense, the Technical Support Working Group, and other related agencies. This specification requires that top-level disk imaging tools make a bit-stream duplicate or an image of an original disk or partition, that they not alter the original disk, that they log I/O errors, and that the tool's documentation be correct. The test methodology is for software tools that copy or image hard disk drives. It does not pertain to analog media or digital media such as cell phones or personal digital assistants. After each source disk is created, a SHA-1 hash value is calculated and saved. Each time the tool is run, another SHA-1 is calculated and compared to the saved value. For all 32 test cases run, the hash codes matched, indicating the source was not altered by the tool. In all cases tested, the disk imaging tool produced an accurate bit-stream duplicate or an image on disks or partitions of all disk sectors copied; however, for a source with an odd number of sectors, the last sector of the source was omitted. Assertions that required read or write errors were not tested. The tested tool did produce a log message that there was no space left on the destination when the source was greater than the destination. No errors were found in the documentation supplied. Extensive data tables
Date Published: August 1, 2002