Abstract:
The validation of computer forensics tools (CFTs) plays a critical role in computer forensics. The National Institute of Standards and Technology (NIST) of the USA is among the leading organizations defining standards for the various functionalities of computer forensics and, accordingly, validating CFTs. The standardization procedure at NIST comprises defining tool specifications, test assertions, a test methodology and test cases. NIST has not defined standards for all functionalities of CFTs; hence, those functionalities of CFTs cannot be validated.

This research thesis defines standards for one of the important undefined functionalities, i.e. the Secure Wipe functionality for NTFS, specific to Windows 7. These standards are defined based on the results of thorough research into the file creation and file deletion processes and their artifacts in MFT records, on the hard disk and in the $LogFile. In addition, comprehensive research on the NTFS $LogFile has been carried out in this thesis. Research on MFT records, linking their changes to the $LogFile, and defining the flow of activities of the file creation and deletion processes are the other important areas researched in this thesis.

Two tools with secure wipe capability have also been validated based on the standards defined in this research thesis.