NCJRS Abstract


NCJ Number: 200031
Title: Test Results for Disk Imaging Tools: EnCase 3.20
Corporate Author: National Institute of Standards and Technology (NIST)
United States of America
Date Published: June 2003
Page Count: 100
Sponsoring Agency: National Institute of Justice (NIJ)
Washington, DC 20531
National Institute of Justice/NCJRS
Rockville, MD 20849
National Institute of Standards and Technology (NIST)
Gaithersburg, MD 20899-3460
NCJRS Photocopy Services
Rockville, MD 20849-6000
Grant Number: 94-IJ-R-004
Sale Source: National Institute of Justice/NCJRS
Box 6000
Rockville, MD 20849
United States of America

NCJRS Photocopy Services
Box 6000
Rockville, MD 20849-6000
United States of America
Document: PDF
Type: Report (Study/Research)
Format: Document
Language: English
Country: United States of America
Annotation: This document reports the results from testing EnCase 3.20, a commonly used disk imaging tool.
Abstract: The Computer Forensics Tool Testing (CFTT) project is a joint effort of the National Institute of Justice (NIJ), the National Institute of Standards and Technology (NIST), the U.S. Department of Defense (DOD), the Technical Support Working Group, and other related agencies. The goal of the project is to provide measurable assurance to practitioners, researchers, and other applicable users that the tools used in computer forensics investigations provide accurate results. To accomplish this goal, specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications must be developed. This report presents the results from testing EnCase 3.20, a disk imaging tool, against Disk Imaging Tool Specification, Version 3.1.6, developed by CFTT staff. This specification identifies the top-level disk imaging tool requirements as: the tool shall make a bit-stream duplicate or an image of an original disk or partition; the tool shall not alter the original disk; the tool shall log I/O errors; and the tool’s documentation shall be correct. Results of the test against the specification for the requirements include the following: 1) EnCase, with one exception, correctly and completely copied all disk sectors to an image file in the test cases that were run, and with two other exceptions, correctly and completely restored all disk sectors to a destination drive in the test cases that were run; 2) for all the test cases that were run, EnCase never altered the original hard drive; 3) for all the test cases that were run, EnCase always identified image files that had been modified; 4) for test cases that were run, EnCase always logged I/O errors; and 5) the tool documentation available was the EnCase Reference Manual, Version 3.0, Revision 3.18, and in some cases the software behavior was not documented or was ambiguous.
The following three anomalies were found during the test: BIOS anomaly, logical restore anomaly, and restore size anomaly. These anomalies are described more fully in the report along with criteria for test case selection. Test results are also provided for mandatory assertions listed in the Disk Imaging Tool Specification, Version 3.1.6, as well as for optional assertions listed in the specification. Test result summaries are included at the end of the report. Tables
Main Term(s): Criminology; Reports
Index Term(s): Computer mapping; Computer software; Equipment and technology; NIJ grant-related documents
Note: Downloaded August 6, 2003.