NCJ Number
228223
Date Published
September 2009
Length
71 pages
Annotation
Results are presented from testing BlackBag Technologies' MacQuisition, version 2.2, a digital data acquisition tool, under the Computer Forensics Tool Testing (CFTT) program.
Abstract
The MacQuisition tool acquired the source drives accurately except when acquiring a drive with faulty sectors. Several tool anomalies were observed in certain test cases: 1) in one distributed version of MacQuisition 2.2, SHA1 acquisition hashes on the PowerPC architecture were computed incorrectly; 2) acquisition hashes might be computed incorrectly; 3) the ranges of data over which block hashes were computed were logged incorrectly; 4) the sectors hidden by a "device configuration overlay" (DCO) or "host protected area" (HPA) were not acquired; and 5) good sectors in the same block as a faulty sector were not acquired, and other data was written in their place. The Computer Forensics Tool Testing (CFTT) program is a joint project of the United States Department of Justice, National Institute of Justice, and the National Institute of Standards and Technology (NIST) Office of Law Enforcement Standards and Information Technology Laboratory. The objective of the CFTT program is to provide measurable assurance to practitioners, researchers, and others that the tools used in computer forensic investigations provide accurate results. This requires the development of specifications and test methods for computer forensic tools and subsequent testing of tools against those specifications. This report presents the results from testing BlackBag Technologies' MacQuisition, version 2.2, against the Digital Data Acquisition Tool Assertions and Test Plan, Version 1.0. Tables
Date Published: September 1, 2009