NIST deleted file r...
 
Notifications
Clear all

NIST deleted file recovery test images  

  RSS
EricZimmerman
(@ericzimmerman)
Active Member

has anyone done any testing with these images?

i started trying to test them with XWF but ran into so many inconsistencies in the NIST documentation that i do not trust the documentation and/or the images.

This also includes missing dates, wrong sector counts, etc.

anyone else done any testing that can provide feedback on your experience?

Quote
Posted : 24/05/2013 7:03 am
joakims
(@joakims)
Active Member

I had a try on a couple of them while making the parser for the $LogFile on NTFS. But found the file to be more or less empty (due to formatting in linux I suppose). The NTFS images was thus worthless for me with my specific task. That's all I know about them.

ReplyQuote
Posted : 24/05/2013 12:13 pm
tfink26
(@tfink26)
New Member

I just stumbled upon this post while searching for some NIST results for comparison. I recently began working with the NIST images. I have worked with two test images with my software (ilook) so far.

I would agree that the documentation doesn't necessarily lend itself to clarity.

To present, I have compared my results with the results on Perlustro.com's website and with some other examiners. I found that my results have met, or exceeded, the listed numbers.

ReplyQuote
Posted : 02/07/2013 2:27 am
jaclaz
(@jaclaz)
Community Legend


I have worked with two test images with my software (ilook) so far.

….

To present, I have compared my results with the results on Perlustro.com's website and with some other examiners. I found that my results have met, or exceeded, the listed numbers.

I am not sure to understand.
Using the same tool (ilookix) results should be exactly the same, shouldn't they? ?

jaclaz

ReplyQuote
Posted : 02/07/2013 5:41 pm
tfink26
(@tfink26)
New Member

… I have compared my results with the results on Perlustro.com's website and with some other examiners. I found that my results have met, or exceeded, the listed numbers.

My apologies if I wasn't as clear as I should have been; or perhaps you misread my post.

I also mentioned that I compare the results with other examiners when possible. Otherwise, yes the results using the same tool multiple times would most certainly yield the same results.

ReplyQuote
Posted : 02/07/2013 5:53 pm
jaclaz
(@jaclaz)
Community Legend

I also mentioned that I compare the results with other examiners when possible.

I see, but the "some other examiners" must have then used different tools (or different commands or *whatever*).

So you actually got, using the same tool, i.e. Ilookix, exactly the same results Perlustro published and those results exceed what other examiners managed to get using other (non-specified) tools?

Is that correct? ?

To clarify, this is "common sense" or "theory" )

Otherwise, yes the results using the same tool multiple times would most certainly yield the same results.

but , practice might differ (see my signature wink ).

jaclaz

ReplyQuote
Posted : 02/07/2013 8:12 pm
Share: