NW3C - Validation - COFEE v1.1.2 - GUI Console

8/7/2019 NW3C - Validation - COFEE v1.1.2 - GUI Console

1/19

COFEE v1.1.2 GUI CONSOLE

Validation Study

9/29/2009

Written and Tested By:Mark Bowser, CFCE

Computer Crime Specialist, NW3C

Justin Wykes, CFCEComputer Crime Specialist, NW3C


2/19

NW3CNW3C,Inc.,d/b/atheNationalWhiteCollarCrimeCenter,isa501c3nonprofitcorporationunderthe

UnitedStatesInternalRevenueTaxcode,incorporatedintheCommonwealthofVirginia.NW3Chas

morethana30yearhistoryinservingState,Local,andTribalLawEnforcement.

NW3Csno

cost

membership,

training,

and

services

are

extended

to

all

Law

Enforcement,

regulatory

andprosecutorialagencies.NW3CisgovernedbyaBoardofDirectorselectedfrommemberlaw

enforcementagencies.TheBoardestablishesstrategicdirectioninaccordancewiththeNW3Ccorporate

bylaws,grantconditions,andotherappropriateguidelines,suchasapplicableOfficeofManagement

andBudget(OMB)circularsandtheOJPFinancialGuide.

WhatNW3CDoesNW3Csprimaryareaofservicetojusticeagenciesistraining,andsince1996hasbeenthenations

leadingproviderofnocostInvestigativeandForensicsComputerCrimeandDigitalEvidencetrainingto

State,Local,

and

Tribal

Law

Enforcement.

Through

acombination

of

training

and

critical

support

services,NW3Cequipsstateandlocallawenforcementagencieswithskillsandresourcestheyneedto

tackleemergingeconomicandcybercrimeproblems.

Forthegeneralpublic,NW3Cprovidesinformationandresearchsotheytoomaybecomeproactivein

thepreventionofeconomicandcybercrime.VictimsofcrimescanrelyonNW3Ctohelpthemregister

Internetcrimecomplaintsthroughtheirwebsiteatwww.ic3.govandnotifytheappropriateauthorities

atlocal,state,andfederallevelspromptly,accurately,andsecurely.

Acongressionallyfundednonprofitorganization,NW3Chasbeencontinuouslyfundedforthepast28

yearsin

support

of

state

and

local

enforcement

efforts.

NW3C

is

anational

program

with

apresence

in

all50states.

MembershipinNW3Cisfreeandopentofederal,state,localandinternationallawenforcement;

regulatoryandprosecutionagencies;aswellasdulyconstitutedpermanenttaskforces.Neither

individualsnorprivatecompaniesareeligibleformembership.

This project was supported by Grant No. 2008-CE-CX-0001 awarded by the Bureau of Justice Assistance. The

Bureau of Justice Assistance is a component of the Office of Justice Programs, which also includes the Bureau of

Justice Statistics, the National Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, and the

Office for Victims of Crime. Points of view or opinions in this document are those of the author and do not represent

the official position or policies of the United States Department of Justice.


3/19

i

TableofContentsTableofContents........................................................................................................................................... i

Introduction.................................................................................................................................................. 1

Purposeand

Scope

........................................................................................................................................

1

TestResultSummary.................................................................................................................................... 1

TestAssertions.............................................................................................................................................. 1

TestingEnvironment..................................................................................................................................... 2

TestComputer.......................................................................................................................................... 2

SupportSoftwareUsed............................................................................................................................. 3

TestResults................................................................................................................................................... 3

TestResultsReportKey............................................................................................................................ 3

ReportNotes............................................................................................................................................... 16

AdditionalReferences................................................................................................................................. 16

Glossary....................................................................................................................................................... 16


4/19

1

IntroductionThepurposeofthisreportistodocumentthevalidationofComputerOnlineForensicEvidence

Extractors(COFEE)abilitytoproperlyformat,wipe,andgenerateaprofiletoathumbdrive. Thisreport

includesthevalidationofCOFEEsabilitytogenerateareportfromcollecteddata.

COFEEisaliveinformationandvolatiledataacquisitionsuite.ItisaGUIconsolebaseddigitalforensics

tooldevelopedforlive(volatile)forensicsevidenceacquisitionandanalysis.

ToolTested: ComputerOnlineForensicEvidenceExtractor(COFEE)Version: 1.1.2

RunEnvironments: MicrosoftWindowsXPwithServicePack3Supplier: MicrosoftandNW3C

PurposeandScopeThisvalidationstudywasconductedtoverifyCOFEEproperlyformats,wipes,andgeneratesprofile(s)toathumbdrive,includingitsabilitytogenerateareportfromcollecteddata.

ThisvalidationstudywasconductedtoensurethatCOFEEconsistentlycompletedallofitsrequired

actions.

TestResultSummaryAlltestassertionsconductedonCOFEEweresuccessful.

COFEEsuccessfully

generated

alisted

profile,

auser

created

profile,

formatted

an

attached

device

as

FAT32andoverwroteorwipeddataexistinginunallocatedspaceonthedevice.

COFEEsuccessfullygeneratedadetailedreportoftheresultsofthecollecteddatafromaspecified

profile.

Therewerenounexpectedanomaliesfoundduringtesting.

TestAssertionsThefollowingtestassertionsweredesignedbaseduponthelistedfeaturesoftheCOFEEtool

1. COFEEwillnotformatadrivesmallerthan1GiBinsize.2. COFEEwillonlyformatdrives1GiBinsizeorlarger.3. COFEEwillformatdrives2GiBorlarger.4. COFEEwilldisplayawarningwhenformattingadrivebetween1GiBand2GiB.5. COFEEwillformataselecteddriveasFAT32.6. COFEEwillformatandwipedrives1GiBinsizeorlarger.


5/19

2

7. COFEEwilldisplayawarningwhenformattingandwipingadrivebetween1GiBand2GiBinsize.

8. Aninvestigatorcancreatetheirownapplicationprofile.9. Aninvestigatorcansavetheirownapplicationprofileforfutureuse.10.AninvestigatorcreatedprofilecanbeusedafterCOFEEisclosedandrestarted.11.COFEEwillnotgenerateaprofileonadevicesmallerthan1GiBinsize.12.COFEEwillgenerateaprofileona1GiBdevicealongwithitsrequiredfiles.13.COFEEwillgeneratea2GiBorlargerdrivewithaprofile.14.Alldatageneratedbytheprogramsinthespecifiedprofileweresuccessfullycreatedinthe

report.

15.COFEEsuccessfullyverifiedtheHASHvaluesofthefilesgeneratedinthespecifiedprofiletoensurethatnochangeshavebeenmadesincetheircreation.

TestingEnvironmentTestComputer

1. DellLatitudeD820Laptop(CHAD)a. T2500CPU2.00GHzb. 2GBRAMc. SerialATA2.5HardDrive

i. Hitachi60GiB,7200RPM,ModelHTS721060G9A00ii. SerialNumber:MPCCN8Y3HULBGLiii. ThedrivecontainedonePrimaryPartitionwhichwasreportedas55.88GB

2. Gateway600YG2Laptop(Abe)a. SerialNumber:0029567634b. IntelPentium4Mobile2.00GHzc. 512MBRAMd. PATA2.5HardDrive

i. IBMIC25N030ATCS04030GBHardDriveii. SerialNumber:DAH4W0ABiii. ThedrivecontainedonePrimaryPartitionwhichwasreportedas27.94GB

3. ThumbDrivesformattedasFAT32.a. 512MBHitachiS/NHTS721060G9SA00b. 1GiBLexarJumpDriveS/N106A20320411403085c. 2GiBRallyS/NAA04012700061222d. SerialATA2.5HardDrive

1. 80GiBSeagate5400RPM2. SerialNumber:5ly3lpna3. ConnectedbyaSerialATAtoUSBconvertor4. S/N6&a48b458


6/19

3

SupportSoftwareUsed1. MicrosoftWindowsXPProwithSP3wasusedtocreateknowndataonthetestedthumbdrives.

ThissoftwareislicensedtoNW3C.

2. AccessData FTKimagerv.2.5.5wasusedtoverifythatdeleteddatawaswiped.TestResultsThissectioncontainsdetailsonalltestsconductedduringthevalidationstudy.

TestResultsReportKeyTestResultsReportKey

TestName: 0001 Date: 23July2009Description: TodetermineifXYZdoesABCTesterName: Jshmoe TestMachine: Dave1AssertionsTested: XYZdoesA

XYZdoesB

XYZdoesC

UniqueSetupInformation:

NonUniversalStuff. Newpartitionscheme,etc. Couldalsoincludeprehash

values,etc.

ResultsByAssertion:

XYZdoesA

XYZdoesB

XYZdoesC

AsExpected

AsExpected

AnomaliesDetected

TesterNotes: AnyadditionalinformationthetesterwantstoaddprobablyinParagraphform.Couldincludehashinformation.

OverallSuccess: AsExpectedorAnomaliesDetected


7/19

4

TestResultsTestName: COFEEFormat001 Date: Sept09,2009Description: UsingCOFEEtoformat512MBthumbdriveinFAT32FSTester

Name:

MBowser

TestMachine: Chad

AssertionsTested: COFEEwillnotFormatadrivesmallerthan1GiB

UniqueSetupInformation: 512MBHitachithumbdrive.(S/NHTS721060G9SA00)ResultsByAssertion: COFEEwillnotformata512MBthumbdrive. AsExpectedTesterNotes:

512MBThumbDrive1. InsertedthethumbdrivewithasmalltextfileonitintoUSBportand

allowedfortheOStoinstalldrivers.

2. ExecutedCOFEE.exe.3. W/ICOFEEIClickedonFile,FormatDevice.4. ClickedontheDropdownmenuandselectedthecorrectdriveletterfor

thethumbdrive.

5. LeftClickedFormatbutton.6. MessagestatingTheselecteddriveis480.71MBinsize,andissmaller

thantherequired1GiBtoFormat.Itisalsorecommendedthatadriveof

atleast2GiBbeusedwithCOFEE.

7. ClickedOK.8. InWindowsExplorerIverifiedthattextfilewasstillallocatedandformat

typeisFAT32hadnotchangedonthethumbdrive.


8/19

5

TestName: COFEEFormat002 Date: Sept09,2009Description: UsingCOFEEtoformat1GiBthumbdriveinFAT32FSTesterName: MBowser TestMachine: ChadAssertionsTested: 1. COFEEwillonlyformatdrives1GiBinsizeorlarger.

2. COFEEwilldisplayawarningwhenformattingadrivebetween1GiBand2GiB

.3. COFEEwillformattheselecteddriveasFAT32.

UniqueSetupInformation: 1GiBLexarJumpdrivethumbdrive(S/N106A20320411403085)ResultsByAssertion: 1. COFEEwillonlyformatdrivesgreaterthan1GiB.

2. COFEEwilldisplayawarningwhenformattingadrivebetween1GiBand2GiB.

3. COFEEwillformattheselecteddriveasFAT32.

AsExpected

AsExpected

AsExpected

TesterNotes:1GiBThumbDrive

1. InsertedthethumbdrivewithasmalltextfileonitintoUSBport.2. ExecutedCOFEE.exe.3. W/ICOFEEIClickedonFile,FormatDevice.4. Dropdownmenuselectedthecorrectdriveletterforthethumbdrive.5. LeftClickedFormatbutton.6. MessagestatingTheselecteddriveis987.58COFEEwillallowyouto

continue,howevertherecommendedsizeforthedriveis2GiBorgreater

7. ClickedOK.8. InWindowsExplorerIverifiedthattextfilewasnowunallocated9. FormattypeisFAT32onthethumbdrive.

OverallSuccess: AsExpected


9/19

6

TestName: COFEEFormat003 Date: Sept09,2009Description: UsingCOFEEtoformat2GiBthumbdriveinFAT32FSTesterName: MBowser TestMachine: ChadAssertionsTested: 1. COFEEwillformatdrives2GiBinsize.

2. COFEEwillformattheselecteddriveasFAT32.UniqueSetupInformation: 2GiBRallythumbdrive(S/NAA04012700061222)ResultsByAssertion: 1. COFEEwillformatdrivesgreaterthan1GiB.

2. COFEEwillformattheselecteddriveasFAT32.AsExpected

AsExpected

TesterNotes:2 GiBThumbDrive

1. InsertedthethumbdrivewithasmalltextfileonitintoUSBport2. ExecutedCOFEE.exe.3. W/ICOFEEIClickedonFile,FormatDevice.4. Clickedonthedropdownmenuandselectedthecorrectdriveletterfor

thethumbdrive.

5. LeftClickedFormatbutton.6. InWindowsExplorerIverifiedthattextfilewasnowunallocatedand

formattypeisFAT32onthethumbdrive.



10/19

7

TestName: COFEEFormat004 Date: Sept2nd,2009Description: UsingCOFEEtoformat80GiBUSBdriveinFAT32FSTesterName: MBowser TestMachine: ChadAssertions

Tested:

1.COFEE

will

format

drives

80

GiB

in

size.

2. COFEEwillformattheselecteddriveasFAT32.UniqueSetupInformation: SerialATA2.5HardDrive

5. 80GiBSeagate5400RPM6. SerialNumber:5ly3lpna7. ConnectedbyaSerialATAtoUSBconvertor8. S/N6&a48b458

ResultsByAssertion: 1. COFEEwillformatdrivesgreaterthan1GiB.2. COFEEwillformattheselecteddriveasFAT32. AsExpectedAsExpectedTesterNotes:

80 GiBUSBDrive1. InsertedtheUSBdrivewithasmalltextfileonitintoUSBport2. ExecutedCOFEE.exe.3. W/ICOFEEIClickedonFile,FormatDevice.4. Clickedonthedropdownmenuandselectedthecorrectdriveletter

fortheUSBdrive.

5. LeftClickedFormatbutton.6. InWindowsExplorerIverifiedthattextfilewasnowunallocatedand

formattypeisFAT32onthethumbdrive.



11/19

8

TestName: COFEEProfileCreation001 Date: Sept09,2009Description: UsingCOFEEtocreateandsaveauserdefinedprofile.TesterName: Mbowser TestMachine: ChadAssertions

Tested:

1.A

user

can

create

their

own

application

profile.

2. Ausercansavetheirownapplicationprofileforfutureuse.3. AusercreatedprofilecanbeusedafterCOFEEisclosedandrestarted.

UniqueSetupInformation: NoneResultsByAssertion: 1. Ausercancreatetheirownapplicationprofile.2. Ausercansavetheirownapplicationprofilefor

futureuse.

3. AusercreatedprofilecanbeusedafterCOFEEisclosedandrestarted.

AsExpected

AsExpected

AsExpected

TesterNotes:1. OpenedtheCOFEEprogram2. ClickedontheMoreOptions(Advanced)button3. Removedallapplicationsintherightscreenbyleftclickingthedoubleleft

arrow.

4. Highlightedandaddedoneapplicationfromtheleftscreen(net.exe wasusedforthistest)andclickedtherightarrowmovingtheapplicationsto

therightsideofthescreen.

5. AddedanapplicationthatwasnotincludedanyofthepreexistingprofilesbyclickingonAddTool.

a. reg.exewasusedforthistestb. reg.exewasobtainedfromapreviousversionoftheCOFEEinstall.

6. ToolPropertyboxopened,andthefollowinginformationwasentered:a. Description:b. Tool: Enteredthelocationofreg.exec. Arguments:blankd. Family:Registrye. OutputFormat:Textf. VendorName:blankg. VendorLink:blankh. RequiredFile(s):blank

7. ClickedOK8. Addedthenewprogramtotherunningsequencebyhighlightingreg.exe

andclickingtherightarrow.

9.Clicked

Save

Order

and

gave

the

profile

a

unique

name.

(Marks)

10.ClickedtheOKbutton.11.ClosedandrestartedCOFEE.12.ObservedthattheMarksprofilewaslistedandloadedcorrectly.



12/19

9

TestName: COFEEUSBDriveCreation001 Date: Sept09,2009Description: COFEEwillgeneratea1GiBthumbdrivewithaprofile.TesterName: MBowser TestMachine: ChadAssertionsTested: COFEEwillgenerateaprofileona1GiBdevicealongwithitsrequired

files.

UniqueSetupInformation: 1GiBLexarJumpdrivethumbdrive(S/N 106A20320411403085)ResultsByAssertion: COFEEwillgenerateaprofileona1GiBdevicealongwithitsrequiredfiles. AsExpectedTesterNotes:

1GiBthumbdrive1. InsertedtheformattedFAT32thumbdriveintoUSBslotonthe

computer.

2. OpenedtheCOFEEprogram.3. SelectedthedriveletterdropdownmenufortheThumbdrive.4. SelectedthedesiredprofilewhichwascreatedduringthetestCOFEE

ProfileCreation001.(Marks)

5. ClickGeneratebutton.6. OpenedWindowsExplorerandverifiedtheapplicationfromtheselected

profilewereincludedonthethumbdrive.(net.exe,reg.exe)

7. 12Additionalfileswereaddedtothethumbdrive(Runner.exe,Autorun.inf,NW3C_SHA1.exe,Uptime.exe,Pausep.exe,Casenotes.txt,

checksum,config.txt,DILABEL,filelist.txt,folders.txt,require.txt),

8. ClickOKbutton.9. OpenedWindowsExplorerandverifiedtheapplicationsfromtheselected

profilewereincludedonthethumbdrive.



13/19

10

TestName: COFEEUSBDriveCreation002 Date: Sept09,2009Description: COFEEwillgeneratea2GiBthumbdrivewithaprofile.TesterName: MBowser TestMachine: ChadAssertionsTested: COFEEwillgeneratea2GiBorlargerdrivewithaprofile.

UniqueSetupInformation: 2GiBRallythumbdrive(S/N AA04012700061222)ResultsByAssertion: COFEEwillgenerateaprofileona2GiBdevicealongwithitsrequiredfiles. AsExpectedTesterNotes:

2GiBthumbdrive:1. CreatedauserprofileonCOFEEusingtwoprograms(net.exe,reg.exe)2. InsertedtheformattedFAT32thumbdriveintoUSBslotonthe

computer.

3. OpenedtheCOFEEprogram.4. SelectedthedriveletterdropdownmenufortheThumbdrive.5. Selectedtheprofiledesired.(Marks)6. ClickGeneratebutton.7. OpenedWindowsExplorerandverifiedtheapplicationfromtheselected




9. ClickOKbutton.10.OpenedWindowsExplorerandverifiedtheapplicationsfromthe

selectedprofilewereincludedonthethumbdrive.



14/19

11

TestName: COFEEUSB DriveCreation003 Date: Sept09,2009Description: COFEEwillgeneratea512MBthumbdrivewithaprofile.TesterName: MBowser TestMachine: ChadAssertionsTested: COFEEwillnotgenerateaprofileonadevicesmallerthan1GiB

UniqueSetupInformation: 512MBHitachithumbdrive(S/NHTS721060G9SA00)ResultsByAssertion: COFEEwillnotgenerateaprofileonadevicesmallerthan1GiB AsExpectedTesterNotes:

512MBThumbDrive1. InsertedtheformattedFAT32thumbdriveintoUSBslotonthe

computer.

2. OpenedtheCOFEEprogram.3. SelectedthedriveletterdropdownmenufortheThumbdrive.4. Selectedtheprofiledesired.(Marks)5. ClickGeneratebutton.6. ReceivedanerrormessagestatingTheselecteddriveisonly480.71

MBinsize,andistoosmalltousewithCOFEE.

7. OpenedWindowsexplorerandverifiedthatnofileswereplacedonthethumbdrive.



15/19

12

TestName: COFEEUSBCREATION004 Date: Sept2nd,2009Description: COFEEwillgeneratean80GiBUSBdrivewithaprofile.TesterName: MBowser TestMachine: ChadAssertionsTested: COFEEwillgeneratea2GiBorlargerdrivewithaprofile.

UniqueSetupInformation: SerialATA2.5HardDrive80GiBSeagate5400RPM

SerialNumber:5ly3lpna

ConnectedbyaSerialATAtoUSBconvertor

S/N6&a48b458

ResultsByAssertion: COFEEwillgenerateaprofileonadevicelargerthan2GiBinsizealongwithitsrequiredfiles. AsExpectedTesterNotes:

80 GiBUSBDrive1. CreatedauserprofileonCOFEEusingtwoprograms(net.exe,reg.exe)2. InsertedtheformattedFAT32thumbdriveintoUSBslotonthe

computer.

3. OpenedtheCOFEEprogram.4. SelectedthedriveletterdropdownmenufortheThumbdrive.5. Selectedtheprofiledesired.(Marks)6. ClickGeneratebutton.7. OpenedWindowsExplorerandverifiedtheapplicationfromtheselected




9. ClickOKbutton.10.OpenedWindowsExplorerandverifiedtheapplicationsfromthe

selectedprofile

were

included

on

the

thumb

drive.



16/19

13

TestName: COFEEFormat/Wipe001 Date: Sept09,2009Description: UsingCOFEEtoformatandwipeathumbdrive1GiBinsize.Tester

Name:

MBowser TestMachine: ChadAssertions

Tested:

1. COFEEwill FormatandWipedrives1GiBorlargerinsize.2.

COFEE

will

display

a

warning

when

formatting

and

Wiping

a

drive

between

1GiB

and2GiB.

3. COFEEwillformattheselecteddriveasFAT32.UniqueSetupInformation:

1GiBLexarJumpdrivethumbdrive(S\N106A20320411403085)

ResultsByAssertion: 1. COFEEwillFormatandWipedrives1GiBorlargerinsize.

2. COFEEwilldisplayawarningwhenformattingandwipingadrivebetween1GiBand2GiB.

3. COFEEwillformattheselecteddriveasFAT32.

AsExpected

AsExpected

AsExpected

TesterNotes:

1GiBThumbDrive1. InsertedthethumbdrivewithasmalltextfileonitintoUSBportandallowedfor

theOStoinstalldrivers.

2. ExecutedCOFEE.exe.3. W/ICOFEEIClickedonFile,FormatDevice.4. CheckedtheboxinthemenuforwipeandformatDrive5. Dropdownmenuselectedthecorrectdriveletterforthethumbdrive.6. LeftClickedFormatbutton.7. ClickedOK.8. MessagestatingThewipingprocessisabouttobegin.9. ClickedOK.10. InWindowsExplorerIverifiedthattextfilewasnowunallocatedandformat

typeisfat32onthethumbdrive.

11.ViewedthephysicaldeviceusingFTKimagerandobservedthatthedatahadbeendeleted,aFat32filesystemwasinstalled,andtheunallocated

sectors/clustershadbeenoverwrittenwithrandomHexcodes.



17/19

14

TestName: COFEEFormat/Wipe002 Date: Sept09,2009Description: UsingCOFEEtoformatandwipeathumbdrive2GiBinsize.Tester

Name:


Tested:

1. COFEEwillFormatandWipedrivesgreaterthan1GiB.2. COFEEwillformattheselecteddriveasFAT32.

UniqueSetupInformation:

2GiBRallythumbdrive(S\NAA04012700061222)

ResultsByAssertion: 1. COFEEwillFormatandWipedrivesgreaterthan1GiB.


AsExpected

TesterNotes:

2GiBThumbDrive1. InsertedthethumbdrivewithasmalltextfileonitintoUSBportandallowedfor

theOStoinstalldrivers.

2. ExecutedCOFEE.exe.3. W/ICOFEEIClickedonFile,FormatDevice.4. CheckedtheboxinthemenuforwipeandformatDrive5. Dropdownmenuselectedthecorrectdriveletterforthethumbdrive.6. LeftClickedFormatbutton.7. ClickedOK.8. MessagestatingThewipingprocessisabouttobegin.9. ClickedOK.10. InWindowsExplorerIverifiedthattextfilewasnowunallocatedandformattypeisfat32onthethumbdrive.11.ViewedthephysicaldeviceusingFTKimagerandobservedthatthedatahad

beendeleted,aFat32filesystemwasinstalled,andtheunallocated

sectors/clustershadbeenoverwrittenwithrandomHexcodes.



18/19

15

TestName: COFEEFormat/Wipe003 Date: Sept2nd,2009Description: UsingCOFEEtoformatandwipeaUSBdrive80GiBinsize.Tester

Name:


Tested:

1. COFEEwillFormatandWipedrivesgreaterthan1GiB.2.

COFEE

will

format

the

selected

drive

as

FAT

32.

UniqueSetupInformation: SerialATA2.5HardDrive1. 80GiBSeagate5400RPM

2. SerialNumber:5ly3lpna3. ConnectedbyaSerialATAtoUSBconvertor4. S/N6&a48b458

ResultsByAssertion: 1. COFEEwillFormatandWipedrivesgreaterthan1GiB.


AsExpected

TesterNotes:

80GiBUSBDrive1. InsertedtheUSBharddrivewithasmalltextfileonitintoUSBportandallowed

fortheOStoinstalldrivers.

3. ExecutedCOFEE.exe.4. W/ICOFEEIClickedonFile,FormatDevice.5. CheckedtheboxinthemenuforwipeandformatDrive6. Dropdownmenuselectedthecorrectdriveletterforthethumbdrive.7. LeftClickedFormatbutton.8. ClickedOK.9. Textboxalertedthatwipingwascomplete.10.Textboxalertedthatformatwascomplete.11. InWindowsExplorerIverifiedthattextfilewasnowunallocatedandformat

typeisfat32onthethumbdrive.

12.ViewedthephysicaldeviceusingFTKimagerandobservedthatthedatahadbeendeleted,aFat32filesystemwasinstalled,andtheunallocated

sectors/clustershadbeenoverwrittenwithE5Hexcodes.



19/19

16

ReportNotesThisvalidationwasconductedinconjunctionwithvalidationsoftheCOFEERunnerandNW3Cprofiles.

Allassertionslistedwerevalidatedandmetexpectations.

AdditionalReferencesWykes,J.(2009).COFEEv1.1Runner&NW3CProfiles.NationalWhiteCollarCrimeCenter.

GlossaryFormat: Formatpreparesthelogicaldrivesforusebytheoperatingsystem. Partofthisprocessis

creatingcertainhousekeepingareasthatcontainstructuresforkeepingtrackoffilelocations,root

directoryentries,etc.

Wipe: Theprocessofoverwritingunallocateddatathatexistonadigitalstoragedevice. COFEEwipes

byoverwriting

the

unallocated

space

with

hex

00

characters.

NW3C - Validation - COFEE v1.1.2 - GUI Console

Documents

Transcript of NW3C - Validation - COFEE v1.1.2 - GUI Console