Research Paper Example on Validation of Forensic Tools

Why Forensic Tools Need to Be Validated

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Save 25%

The science of digital forensics is mainly founded under principles of repeatable processes, as well as the provision of quality evidence. As such, forensic experts should be able to design and maintain a validation process, which is a key requirement for any examiner in the field. According to Brannon and Song (2008), the first step in the forensic process is validating all software and hardware in ensuring that they are operating and working effectively. It usually happens in many organizations once they purchase it or before using it. As the researchers also posit, hardware and software need to be validated after any form of reconfiguration, patch or update. Therefore, the main reason why forensic tools need to be validated is to providing confidence in the system software and hardware. Through the validation process, forensic experts can confirm, mainly via examination and the provision of a specified objective, that a forensic tool, procedure, or technique functions correctly and in accordance with the intended purpose. Other reasons for validating is ensuring that the forensic tool has been empirically tested, has undergone peer review, ensuring that there is no error and whether the tool ha gained acceptance in the forensic community. I

Also, according to Brunty (2011), validation ensures that a forensic tool can gather, observe, investigate, as well as show measurable and repeatable results. In essence, repeatability refers to when the forensic examiner obtains similar results when they use a similar method on identical test items while using the same laboratory by the same operator, but also using the same equipment, usually within short intervals of time. Also, the forensic tools should also be validated to ensure that they give reproducible results. An examiner should be able to obtain similar results when utilizing the same method on identical test items on different testing laboratories with different operators using different equipment in the validation process.

Organizations that Undertake the Validation of Forensic Tools

According to Guo and Slay (2010), even though the validation of forensic tools is at its embryonic stage, various organizations have taken the task head on. For instance, the Computer Forensics Tool Testing (CFTT) project that was initiated by the National Institute of Standards and Technology (NIST) highlight one of the major works that have been initiated for validating forensic tools (NIST, n.d). According to NIST (n.d), the CFTT project has a goal of establishing a methodology that can test computer forensic software tools via the development of general tool specifications, test sets, test criteria, test procedures, as well as test hardware. The results of these tests provide the information required by toolmakers in improving the forensic tools so that users can make informed choices in acquiring and using the tools.

Besides NIST, as Brunty (2011) points out, another organization responsible for forensic tool validation is the Marshal University that has published various forensic software and tool validation reports also validates the tools. They have published detailed reports that can be publicly downloaded and provides a mechanism for forensic examiners to initiate internal validation protocols. These includes aspects, such as how to validate the tool version and to test the forensic tool manufacturer.

Processes and Tests Utilized in Validating Forensic Tools.

According to Brunty (2011), it is recommended that forensic examiners should use four steps in validating the forensic tools. Firstly, the examiner should develop a plan. It entails coming up with a plan and a scope that involves background checks of the tool, as well as defining what the tool of software can do in a detailed fashion. Therefore, this step enables examiners to create a protocol for the testing process by outlining the requirements, tools, steps to be used in the test. For instance, it may include evaluating multiple test scenarios for the same tool. For example, if validating for an imaging tool, it can be tested if it can successfully create hashes and verifies a certain baseline image that has previously been used. As such, the NIST or Marshall University validation tool report can be of help at thus step.

Secondly, the examiner should develop a controlled data set. The step entails setting up specific baseline images and devices and then adding data to specified areas of the device or media. Acquisitions will then be performed and documented after each addition, which thereby validates initial baselines. The baseline may include a USB, hard drive, mobile phone, or thumb drive. Once the baseline images are successfully created, tested, and validated, examiners, document what is contained therein.

The third step involves conducting tests in a controlled environment, such as a laboratory. It is a common practice for examiners to borrow validations from other laboratories, such as NIST or Marshall University and fail to validate their tools. The validation process protects the integrity of the evidence and protects the credibility. The fourth step entails validating the test results against expected or known results and presenting it. In essence, the subsequent results obtained in the validation and experimentation step should be reputable. Once they are accurate, they are then presented to the appropriate and legal parties.

Information Contained in Forensic Tool Validation Reports

The Forensic tool validation reports contain information about the testing process, including the software testing support tools used, the test plans, test case specifications, test design specifications, as well as the test results (Gavrila & Fong, 2004). The NIST report created by Gavrila and Fong (2004) contained these aspects, as well as items test, and the environment, which entails the used software and hardware. The validation report should also include variances from the trials, the summary of the results, as well as an inclusion of the failed results. About the hardware used, the report should include the host computer specifications, including the names, the BIOS, models, sectors, the size, and the HDD slots. Also, about the software, the versions should be stated, the manufacturer, as well as the partitions, used. Furthermore, the report should also encompass the various observations from the test. Other crucial information that can be included in the report include the tester name, the date, and disks used. Log file highlights and the locations are also essential components that should be added to the report. Besides, the test assertions used should also be included along with the resolution of comments document.

How Forensic Tool Validation Report Can be Used in Defending or Attacking the Findings in a Report of a Forensic Examination

The validation report is very important as it validates the examination results. For this reason, it is a vital component in the review process as it provides the basis for the examination reports. If the tools used are accurate, they will subsequently provide accurate results, but when they are inaccurate, the examination results will also be inaccurate. The results obtained from the validation report determines whether the examination is done in accordance with the require accuracy in courts. In essence, as pointed out earlier, digital forensic tools should produce similar results, hence bringing in the issue of reproducibility and repeatability. If the results are characterized of these two, then they can be used in a court of law. In essence, the validation report can be used in court for both defending and attack purposes.

Vendors that sell digital forensics software and tools typically use statements, for example, our tools have been proven in court for marketing. In essence, they assert that the tool was used in court for solving a case. It shows that the results of the tool and the methodology used for testing the evidence, as well as the testimony were admitted in the court case. For this reason, the validation report can be used for defense in court if fellow forensic examiners can be able to reproduce similar results, which are repeatable. In essence, if the validation report can be reproduced and replicated by other forensic examiners such that similar findings are produced, then it can be used for defense purposes. However, if the results and the reports differ, it can be used as a platform for attack. As such, it is required that whenever the forensic expert presents the validation report to the court, then other experts in the community can arrive at the same results, and in this case, it can be used to provide forensic evidence for defending an experts opinion. However, if the validation report is not reproducible and repeatable, it can be used for attacking the forensic expert's opinion.

NIST Forensic Tool Validation Report

Overview of the Forensic Tool (what it is, what it does)

Gavrila and Fong (2004) in their NIST forensic tool validation report used the NIST Forensic Software Testing Support Tools (FS-TST) for creating the validation report. The forensic software testing support tools (FS-TST) version 1.0, utilized the following support tools: diskwipe, seccmp, baddisk, partab, seccopy, diskchg, partcmp, corrupt, logsetup, adjcmp diskcmp, diskhash, sechash, badx13, logcase. In essence, the tool is a software package that can accurately support the testing of disk imaging tools. The FS-TST tool involves a total of 15 tools that can be used in authenticating and testing the integrity of forensic evidence. They can perform various forensic some forensic tasks, including hard disk initialization, hard disk comparisons, faulty disk simulation, copying disks and disk partitions, as well as extract information from hard disks. The tool can also show the variances that are characterized by the test results, as well as the failures involved in the testing process. It can also scrutinize the log in files. Also, it checks whether the logged information is correct or not. It also detects the various anomalies that are present in the evidence. For this reason, the tool analyzes the credibility of the disk evidence used, analyzing whether there were alterations made in the evidence, as well as reading the various errors. The tool compares the expected results from the actual results, and thus, outlines the credibility of proof for the purpose of ensuring that it is reproducible and repeatable.

How the tool was tested

The tool as used in scrutinizing the evidence, and ensuring that it passed the various tests. The partab tool was used in determining whether the disk had any sub-partitions of unknown types. Partcmp tool was used in recognizing and comparing the primary FAT32 partitions of the disks that were larger than 8GB. On the other hand, the sechash tool was used in computing the SHA1 hash value for sector groups with only one sector. Adjcmp and parttab tools, just like the partcmp, were used in recognizing and comparing FAT32 partitions larger than 8GB. The corrupt tool was used in checking whether there were corrupted parts of the disk. Badx13 was used in checking whether there were disk sectors addresses that were outside the disk range. Diskcmp was used in comparing source and destination disk drives. Logsetup and logcase were used in checking the log information of the disk. Logsetup was used in logging information about the setup of the source disk. Each tool was used in validating the forensic tool used to make that the examiners determine whether the expected and tested results were the same or not. For this reason, the testing process ensured that the examiners compared the expected and the actual results were correct and accurate, thereby enabling the...