
Testing Forensic Software

By: Danny Mares

How many of you actually test the forensic software tools you use daily? I would guess not many.

An excellent question for an attorney to ask you is: how do you know the software you are using produces true and accurate results for your particular type of investigation?

What is your answer? If it is that people on your list serve have recommended it as valid hashing, copying, or zipping software, or that others have said "I use it all the time" and recommended its use, you are arguing that because your peers recommend it online it must produce authentic, accurate, complete, and defensible results. If you rely on any of these arguments, your case is going south.

The best answer is: I have tested it myself to determine whether it satisfies my needs for this investigation. The key words are "tested it myself" and "for this investigation."

I decided to run a few tests on some basic forensic and evidentiary practices. It would help if you considered doing the same before you get challenged in court.

Now for some sweet stuff. OOPS, I meant SUITE stuff. In most cases, suites working at the physical/sector level will perform correctly. But suites aren't the end-all. After the suite, you must still process the files the suite exports to your drive.

However, when the suite, or more notably an individual forensic utility, works at the file or logical level, you may find gaps in its ability to process your evidence completely.

Here is some background on what I tested; you may want to consider something similar. You will test different areas depending on what evidence you are processing. I decided to test a few basic evidence processes. Listed on my website, dmares.com, are the areas I tested and links to my articles on each.

1. list it.htm: Create an inventory or catalog of the evidentiary files in the analysis.

2. copy that.htm: Tests over 40 "forensic" file copiers to determine if they can accurately copy ALL the evidence files.

3. hash it out.htm: Tests over 30 "forensic" hash programs. Let's hash it out.

4. ZIP IT.htm: Tests a few zipping programs and determines whether they are truly good file retention programs.

Notice the four areas I tested were some basic evidentiary processes. You may add others for network, cell phone cases, or whatever. But these four are essential to all investigations and reports.

When your initial process extracts or identifies data/files from the suspect drive, image, or whatever the source is, one thing you ultimately want is a true and accurate list of all the files you will be analyzing, and/or a complete list of the files you will be providing to the reviewer, prosecutor, etc. So why not have a program that produces authentic and accurate listings/catalogs of the evidence files? Test your file listing software.

Next, consider computing hash values after you extract the data or begin the process. You will hash the source of the evidence, and when your case is completed, hash the evidence you produce for adjudication. Hashing is a basic idea, yes? But don't be surprised when many "recommended" hashing products can't perform it completely.

At some point, you will have to copy files forensically, whether you are copying original files from the suspect tree on a gigantic server or copying the evidence files you have identified for long-term retention, delivery to the reviewer, or other, as yet unknown, reasons. You should know that your copy program works before you copy these files. If you use Windows drag and drop to copy evidence files, look for another job.

Then, after you copy the files, you need to prepare them for long-term retention or delivery. So, besides having a valid, accurate copy, you will probably consider zipping the files for long-term retention or for delivery to the reviewer. After all, isn't zipping and unzipping just a fancy copy operation? So you will need a good and reliable zip/unzip program.

In these four areas I tested somewhere near 80 "forensically sound" programs. If you do the same, you will be surprised at the results. These four processes are ones you might use in almost every forensic exam. If you haven't tested the software for these or other areas pertinent to your exam, you may leave yourself open to valid defense challenges.
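The four checks described above (listing, hashing, copying, zipping), as an added example that is not from the article or from dmares.com: a Python harness that builds a constructed tree of awkward files (assumed names: an empty file, a dot-file, a non-ASCII path, a long name, deep nesting, a 2 MiB file, an empty directory), computes a reference catalog with hashlib, and diffs what a tool under test reports or produces against that catalog. The tools under test here are stand-ins chosen for illustration, not any product the author tested: a glob-based lister, shutil.copytree, a deliberately truncating hasher named hash_first_block, and a zip writer with and without directory entries. Swap in the program you actually use through the callable parameters.

```python
import glob, hashlib, os, shutil, tempfile, zipfile
from pathlib import Path

SAMPLE_FILES = {  # constructed test data (assumed, not from the article); chosen to trip naive tools
    "plain.txt": b"hello\n",
    "empty.bin": b"",                                         # zero-length file
    ".hidden": b"dot file\n",                                 # hidden on POSIX
    "caf\u00e9/r\u00e9sum\u00e9.txt": b"unicode path\n",     # non-ASCII path components
    "a" * 180 + ".dat": b"long name\n",                       # long name component
    "deep/" + "/".join(["d"] * 30) + "/leaf.txt": b"deep\n",  # deep nesting
    "big.bin": bytes(range(256)) * 8192,                      # 2 MiB, spans several read buffers
}
HASH_VECTORS = {  # FIPS 180-4 SHA-256 known answers, independent of hashlib
    b"": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    b"abc": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

def sha256_file(path, bufsize=65536):
    """Reference hasher: streams the whole file through hashlib."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()

def build_tree(root):
    for rel, data in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    (root / "empty_dir").mkdir()  # directory that holds no files

def manifest(root):
    """Reference catalog: 'dir/' -> (0, ''), file -> (size, sha256)."""
    out = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs:
            out[Path(dirpath, name).relative_to(root).as_posix() + "/"] = (0, "")
        for name in files:
            p = Path(dirpath, name)
            out[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return out

def diff_manifests(expected, actual):
    """What a tool missed, invented, or altered relative to the reference."""
    return {"missing": sorted(set(expected) - set(actual)),
            "extra": sorted(set(actual) - set(expected)),
            "changed": sorted(k for k in expected.keys() & actual.keys() if expected[k] != actual[k])}

def glob_listing(root):  # listing tool under test: glob, which skips dot-files by default
    return [Path(p).relative_to(root).as_posix() + ("/" if os.path.isdir(p) else "")
            for p in glob.glob(os.path.join(root, "**", "*"), recursive=True)]

def check_listing(root, listed):
    ref = manifest(root)
    return {"missing": sorted(set(ref) - set(listed)), "extra": sorted(set(listed) - set(ref))}

def check_copy(src, copier):
    with tempfile.TemporaryDirectory() as tmp:
        copier(src, Path(tmp, "copy"))  # copier(src, dst) is the copy tool under test
        return diff_manifests(manifest(src), manifest(Path(tmp, "copy")))

def hash_first_block(path):
    """Deliberately flawed hasher: reads one 64 KiB buffer and stops."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(65536)).hexdigest()

def check_hash_tool(tool):
    """tool(path) -> hex SHA-256. Returns the input sizes the tool got wrong."""
    big = SAMPLE_FILES["big.bin"]  # larger than one read buffer; one-shot hashlib is the oracle
    cases = {**HASH_VECTORS, big: hashlib.sha256(big).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        for i, data in enumerate(cases):
            Path(tmp, f"case{i}.bin").write_bytes(data)
        return [f"{len(d)}-byte input" for i, (d, want) in enumerate(cases.items())
                if tool(Path(tmp, f"case{i}.bin")) != want]

def zip_tree(root, archive, keep_empty_dirs):
    """Archiver under test; keep_empty_dirs=False mimics a tool that stores files only."""
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as z:
        for dirpath, dirs, files in os.walk(root):
            if keep_empty_dirs and not dirs and not files and dirpath != str(root):
                z.write(dirpath, Path(dirpath).relative_to(root).as_posix() + "/")
            for name in files:
                z.write(Path(dirpath, name), Path(dirpath, name).relative_to(root).as_posix())

def check_zip_roundtrip(root, keep_empty_dirs):
    with tempfile.TemporaryDirectory() as tmp:
        zip_tree(root, Path(tmp, "evidence.zip"), keep_empty_dirs)
        with zipfile.ZipFile(Path(tmp, "evidence.zip")) as z:
            z.extractall(Path(tmp, "out"))
        return diff_manifests(manifest(root), manifest(Path(tmp, "out")))

def run_all():
    """Builds the sample tree and runs every check; each value is the diff for that tool."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        build_tree(src)
        return {"listing_glob": check_listing(src, glob_listing(src)),
                "copytree": check_copy(src, shutil.copytree),
                "hashlib": check_hash_tool(sha256_file),
                "hash_first_block": check_hash_tool(hash_first_block),
                "zip_files_only": check_zip_roundtrip(src, keep_empty_dirs=False),
                "zip_with_dirs": check_zip_roundtrip(src, keep_empty_dirs=True)}
```

Calling run_all() returns one diff per tool. The glob-based lister misses the dot-file, the truncating hasher passes the short FIPS vectors but fails on the 2 MiB file, and the files-only zip loses the empty directory on extraction, while shutil.copytree and the zip writer that records directory entries come back clean. Those are exactly the kinds of result to look for: short test inputs alone prove little, so the tree includes a file larger than a typical read buffer and names a naive walker is likely to skip.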

The American Society of Digital Forensics & eDiscovery, Inc®


Copyright 2024

All Rights Reserved
