Overview: The Computer Forensics Tools Testing (CFTT) project provides a measure of assurance
that the tools used in the investigations of computer-related crimes produce valid results. It also supports other
projects in the National Institute of Justice’s overall computer forensics research program, such as the National
Software Reference Library (NSRL).
Industry Need Addressed: There are many different automated tools routinely used by law
enforcement organizations to assist in the investigation of crimes involving computers. These tools are used to
create critical evidence used in criminal cases, yet there are no standards or recognized tests by which to judge
the validity of results produced by these tools.
NIST/ITL Approach: Focus groups are established to define requirements for specific types or
classes of computer forensics tools, such as disk imaging tools and deleted file recovery tools.
The initial concept is to develop general classifications of tool functions in order to group
similar testing requirements in a computer forensics
testing framework. For example, we are concentrating immediate efforts on disk imaging products, write blockers,
and selected suites of tools. Further classifications will develop as tools are added to the list of products to
test. The common characteristics of each classification are decomposed into testable requirements. Assertions are
derived from these requirements along with assertions from specific capabilities of individual tools. Each
assertion is then tested within the overall testing framework to produce results that are repeatable and
objectively measurable. Test results will be reported to manufacturers and law enforcement organizations.
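
The requirement-to-assertion approach described above can be pictured with a small harness; this is an added illustration, not code or test material from the CFTT project. The assertion labels (IMG-01 to IMG-03), the three stand-in "imaging tools" and the in-memory source drive are all constructed for the example.

```python
import hashlib

SECTOR = 512  # bytes per sector on the constructed source drive

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_source(sectors: int = 64) -> bytearray:
    """Deterministic constructed 'drive' so every run sees the same input."""
    out = bytearray()
    for n in range(sectors):
        out += hashlib.sha256(n.to_bytes(4, "big")).digest() * (SECTOR // 32)
    return out

# Hypothetical tools under test. A real test would drive an actual imaging product.
def good_imager(source: bytearray) -> bytes:
    return bytes(source)

def truncating_imager(source: bytearray) -> bytes:
    return bytes(source[:-SECTOR])      # defect: misses the final sector

def writing_imager(source: bytearray) -> bytes:
    image = bytes(source)
    source[0] ^= 0xFF                   # defect: modifies the source drive
    return image

# Constructed assertions derived from one requirement:
# "the tool makes a complete, accurate copy without altering the source".
ASSERTIONS = {
    "IMG-01 image size equals source size":
        lambda before, after, image: len(image) == len(before),
    "IMG-02 image is bit-identical to source":
        lambda before, after, image: digest(image) == digest(before),
    "IMG-03 source is unchanged by acquisition":
        lambda before, after, image: digest(after) == digest(before),
}

def run_tests(imager) -> dict:
    """Run every assertion against one tool; returns {assertion: passed}."""
    source = make_source()
    before = bytes(source)              # reference copy taken before the tool runs
    image = imager(source)
    after = bytes(source)               # state of the source after the tool ran
    return {name: check(before, after, image) for name, check in ASSERTIONS.items()}

if __name__ == "__main__":
    for tool in (good_imager, truncating_imager, writing_imager):
        print(tool.__name__)
        for name, ok in run_tests(tool).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {name}")
```

Because the source is generated deterministically and each assertion returns a plain pass or fail, repeated runs give the same per-assertion results for each tool.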
Impact: The implementation of testing based on rigorous procedures will provide impetus for
vendors to improve their tools and provide assurance that their results will stand up in court. Focus
group requirements documents may be used as the basis for industry standards pertaining to computer
forensics tools. Law enforcement and other investigatory groups can use results as a basis for deciding
when and how to use various tools.
NIST will provide unbiased, open, and objective means for manufacturers, law enforcement organizations,
and the legal community to assess the validity of tools used in computer forensics.