U.S. flag

An official website of the United States government, Department of Justice.

NCJRS Virtual Library

The Virtual Library houses over 235,000 criminal justice resources, including all known OJP works.
Click here to search the NCJRS Virtual Library

Partial Results from Prototype Testing Efforts for Disk Imaging Tools: SafeBack 2.0

NCJ Number
199000
Date Published
April 2003
Length
108 pages
Annotation
This document discusses the accuracy of tools used in computer forensics investigations.
Abstract
The product used for test development was SafeBack version 2.0. The disk imaging specification and the test cases were an early version of the specifications now in use. The support software and the testing procedures were prototype versions. Partial results show that the tool did not alter the original disk, made a bit-stream duplicate or an image of an original disk or partition, logged I/O errors, and the documentation was correct. There were several detected anomalies. If an entire physical disk was duplicated on a larger physical disk, SafeBack allowed the specification of either filling the remainder of the destination with zeros or leaving the destination as it was. If SafeBack was used to copy a physical disk to another physical disk of a different geometry, SafeBack optionally could reposition partitions to disk cylinder boundaries. A SafeBack image file contained all the data read from the imaged source plus cyclical redundancy checksums (CRC) for verifying the integrity of the captured data. The primary testing environment consisted of six different platforms: beta-1, beta-2, beta-3, beta-4, beta-5, and beta-6. The results show that if a source is copied to a destination, either directly or indirectly, and there are no I/O errors, then corresponding sectors compare equal. Excess destination sectors are assigned values according to run-time tool options selected by the user. The tool must notify the user if some source sectors are not copied to the destination. Using the tool over a communications link yields the same result as would have been obtained without the communications link. Deleted files can be recovered. The tool does not access areas of the disk outside the boundaries indicated by the BIOS.