Provision of validated toolset of freeware computer forensics tools (CFTS)

Abstract

The issue of validation of computer forensics tools (CFTs) plays a critical role in computer forensics. The National Institute of Standards and Technology (NIST) of USA is among the leading organizations dealing with defining the standards for various functionalities of computer forensics and accordingly validating computer forensics tools (CFTs). Standardization procedure at NIST comprises defining tool specifications, test assertions, test methodology and test cases. NIST has not defined standards for all the functionalities of CFTs. Hence, functionalities of various CFTs cannot be validated. This research thesis defines the standards for one of the important undefined functionality i.e. Secure Wipe functionality for NTFS specific to Windows 7. These standards are defined basing on results of thorough research on file creation and file deletion processes and their artifacts in MFT records, hard disk and $LogFile. In addition, comprehensive research on $LogFile of NTFS has been done in this thesis. Research on MFT records and linking their changes to $LogFile and defining flow of activities of file creation and deletion processes are other important researched areas of this thesis. Two tools having the capability of secure wipe, have also been validated basing on the standards defined in this research thesis.