The testing methodology developed by NIST is functionality driven. The activities of forensic investigations are separated into discrete functions or categories, such as hard disk write protection, disk imaging, string searching, etc. A test methodology is then developed for each category. Currently we have developed a methodology for disk imaging tools and are developing a methodology for software hard disk write blocking tools. Deleted file recovery tools will be the next category for development of a test methodology.
The CFTT testing process is directed by a steering committee composed of representatives of the law enforcement community. Included are the FBI, DoD, NIJ (representing state and local agencies), NIST/OLES and other agencies. Currently the steering committee selects tool categories for investigation and tools within a category for actual testing by CFTT staff. A vendor may request testing of a tool, however the steering committee makes the decision about which tools to test.
Under the disk imaging category the tools selected initially for testing were: Linux dd, and SafeBack. The RCMP hdl was selected for the hard disk write block category. Final test reports are posted to a web site maintained by NIJ.
Specification development process
After a tool category and at least one tool is selected by the steering committee the development process is as follows:
Tool test process
After a category specification has been developed and a tool selected, the test process is as follows: