Computer Forensics Tool Testing (CFTT)
The testing methodology developed by NIST is functionality driven. The activities of forensic investigations are separated into discrete functions or categories, such as hard disk write protection, disk imaging, string searching, etc. A test methodology is then developed for each category. The current list of functionalities is available from the links provided in the left column.
The CFTT testing process is directed by a steering committee composed of representatives of the law enforcement community. Currently the steering committee selects tool categories for investigation and tools within a category for actual testing by CFTT staff. A vendor may request testing of a tool, however the steering committee makes the decision about which tools to test.
1. Specification development process
After a tool category and at least one tool is selected by the steering committee the development process is as follows:
- NIST and law enforcement staff develops a requirements, assertions and test cases document (called the tool category specification).
- The tool category specification is posted to the web for peer review by members of the computer forensics community and for public comment by other interested parties.
- Relevant comments and feedback are incorporated into the specification.
- A test environment is designed for the tool category.
2. Tool test process
After a category specification has been developed and a tool selected, the test process is as follows:
- NIST acquires the tool to be tested.
- NIST reviews the tool documentation.
- NIST selects relevant test cases depending on features supported by the tool.
- NIST develops test strategy.
- NIST executes tests
- NIST produces test report.
- Steering Committee reviews test report.
- Vendor reviews test report.
- NIST posts support software to web.
- DHS [cyberfetch.org] posts test report to web.