25 Days, 25 Questions: Part 4 – Lab And Tool Standards

Editor’s note: This article concludes our four-part series written by Mr. Santosh Khadsare, our guest digital forensics expert from New Delhi, India, based upon his recent LinkedIn series, #25Days25Questions. More about Mr. Khadsare is in his bio below.

On 18 August 2020 #25Days25Questions was started on LinkedIn. Every day a question was posed to the enthusiastic digital forensic community and the next day I posted my comments/views on the same. The idea of the 25 days, 25 questions (#25Days25Questions) initiative was to achieve three major purposes:

  • Creating a common forum for the DFIR professionals to interact and share their thoughts.
  • Increasing the core knowledge base in an interactive mode.
  • Networking with professionals who are working in this niche area.

I have summarised all the responses, including mine, to get a consolidated reply to the questions posed. Everyone who has responded has equal credit to the final answer.

Should all commercial forensic tools give reports in a standard format, defined by the law of the land?

(Originally asked on Day 4)

Many respondents strongly believe that commercial forensic tools should have an option of giving standard results. Either a global agency fixes a standard format of the report, or the OEMs take inputs from the governments and standardize their tools, but it has to be done.

Some opined that standardization of commercial tools may affect the additional capabilities and features that the tools offer. Most professionals think “the more, the merrier.” Having something extra / additional is a bonus, but there also should be an approved standard format (in much the same way that we select time zone, keypad or language when we install an operating system).

Should we follow NIST’s CFTT program (for digital forensics tool selection) as a standard, or should every country have its own indigenous body to do the same?

(Originally asked on Day 6)

The world of digital forensics in its current form is just two decades old; the genres within the area of study are even younger. The whole subject is still evolving and it will continue to evolve for the next 20 to 25 years.

We need global standards with global acceptance. NIST and its CFTT program are being followed globally and should surely be taken as a benchmark, but many respondents feel that a country should have its own body/entity to do this kind of work.

Global standards are adhered to by all countries with due participation. The underlying technology platforms and operating systems are built on common ground and the principle of interoperability. Because they are global in nature, it is only natural to align on similar lines, with the necessary tweaks specific to local legal boundaries. Guidelines may be adopted from NIST, but they have to be mapped to the legal requirements and procedures of the country adopting the guidelines.

Incorporating a CFTT-like program would require a deeper understanding of the automated and manual functionalities, the availability of experienced resources to conduct the tool testing, and subsequent peer review by experienced and credible examiners. Funding, continuous effort, and involvement in tool testing will also be required.

Some suggested that there should be Digital Forensics Engineers (DFEs) worldwide, along the lines of the Institute of Electrical and Electronics Engineers (IEEE), who should provide the standards, policies, regulations, and legal procedures pertaining only to digital forensics.

Can open source forensics tools and frameworks suffice for digital forensic analysis, and should the courts accept it?

(Originally asked on Day 7)

It should be possible to obtain the same digital evidence with more than one tool. No court has ever objected to the use of open source tools / frameworks, but there have been occasions when the license of the tool used has been asked for and the OEM has been asked to be present in court to clarify how the tool works.

Open source tools often fail these tests. It may not be astonishing to hear in the near future that courts are also seeking the credibility of the tools — open source or otherwise — while relying on their forensic reports.

Open source forensic tools and frameworks may not have the same features as commercial tools, but they can very well be used for carrying out digital forensic analysis. It is recommended to use open source tools alongside commercial tools. If you do use open source tools, you should mention it in the digital forensics report.

Which standards should a person read and implement while establishing a digital forensics laboratory?

(Originally asked on Day 9)

Standards to be looked into while establishing a digital forensics lab include:

  • ISO/IEC 17025:2017 – General requirements for the competence of testing and calibration laboratories. (ISO/IEC, 2017)
  • ISO/IEC 27037:2012 – Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence. (ISO/IEC, 2012)
  • ISO/IEC 27041:2015 – Information technology — Security techniques — Guidance on assuring suitability and adequacy of incident investigative method. (ISO/IEC, 2015)
  • ISO/IEC 27042:2015 – Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence. (ISO/IEC, 2015)
  • ISO/IEC 27043:2015 – Information technology — Security techniques — Incident investigation principles and processes. (ISO/IEC, 2015) 

How should we stay up to date with the fast-growing mobile forensics, cloud forensics, and other digital forensics disciplines? Should we pay for it, dedicate research teams to it, or develop internal programs to address technical challenges?

(Originally asked on Day 10)

There should be a multi-prong approach that is fluid, based on demand. Organizations that have a wide range of expertise should know the strengths and weaknesses of personnel to delegate research and development into the areas of need quickly.

Many people rely solely on a paid software tool or two in order to stay up to date, which may cover a wide range of artifacts, but never close to all of them, and they often provide incorrect information. Researching and information seeking should always be a forethought when delving into new tech or trends. Having a wide range of people in your network to reach out to often remedies these hurdles.

Any knowledge development activity will require dedicated resources (both personnel and financial). Without appropriate resources, the desired results can never be attained. However, whether to build or buy expertise will depend on the particular case.

For academics, law enforcement and judiciary, building expertise is advisable. For businesses, buying expertise is better since it is not a day-to-day activity in corporate environments. 

What should be the criteria for selection of digital forensics tools for carrying out analysis?

(Originally asked on Day 11)

Selection of a digital forensic tool to carry out analysis is a very important step and requires a lot of deliberation and thought. This requires knowledge about different tools available for the same task, and knowing which tool is more effective. Some of the criteria for selection should include:

  • Does it adhere to the standards and pass tests for correctness?
  • How transparently does it provide the information? From where did it get the information, what was stored at that location, and how did the tool parse it?
  • How frequently is it updated to cater to changes? How quickly does it add new features?
  • What kind of computing resources does it need?
  • How open is it to integrate with other tools, importing and exporting data?
  • What level of automation does it have and support?
  • Does it use open standards or proprietary ones?
  • The completeness of the tool. I would prefer a tool for mobile forensics that can jailbreak and analyze too, rather than using some other tool to jailbreak and then analyze.
  • How user friendly is it?
  • Does it provide detailed logs to ensure visibility in the entire process?
  • Can it correlate with other evidence?
  • It should be scalable and flexible to add plugins or utilities to provide compatibility with the latest technology features. This includes scripting for parsing and customization for projecting the potential evidence to the standard report format, including first incidence triage.
  • It should have a properly defined and secured license for an analysis. The license should also be shown clearly, mentioning whether it is genuine. For direct physical and remote acquisition, it should be free.
  • The knowledge, acceptance, relevance, capability, reliability, and repeatability of the tool.
  • Time taken for analysis, format of reports generated, and sufficient available supporting mechanisms for the tool.

Participation in #25Days25Answers

As anticipated, a wide spectrum of participants, including enthusiasts, new entrants, professionals, experts, mentors and even academia, took interest and put forth their views in these 25 days. A few of the participants and their designations are listed below.

  • Barath Rajagopalan J Iyer, ACIArb, CMO, Founder & Director – SourceData Consulting
  • Prince Boonlia, Editor In Chief at Digital Forensics (4N6) Journal
  • Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite & SANS Senior Instructor, DFIR Co-Curriculum Lead and Author
  • Richard Saylor, Computer Crimes Program Manager at U.S. Army Criminal Investigation Command
  • Venkatesan Owner, Lab Systems India Pvt Ltd
  • Jessica (Ceres) Hyde, Director, Forensics at Magnet Forensics
  • Michael Smith, Cybersecurity, Privacy & Disaster Response
  • Rajesh Kumar, Certified Cyber Forensic Professional at State Forensic Science Laboratory, Patna
  • Anupam Tiwari, IT Security Enthusiast and Blockchain Learner
  • Patrick Siewert, Founder & Principal Consultant, Expert Witness, Nationwide Instructor
  • Patrick Eller, CEO – Digital Forensic Examiner – Expert Witness
  • Amrit Chhetri, DFIR & AI Researcher
  • Aman Agarwal, Cyber Crime Investigator and Incident Responder
  • Nikhil Sood, Information Security Auditor
  • Om Salamkayala, Digital Forensics Professional
  • Kashish Srivastava, Intern @Noida CyberCell
  • Rohit Tiwari, SOC Trainee at SOC Experts
  • Vipin George, Cyber Forensic Consultant, Kerala Police Academy
  • Piyush Kohli, Cyber Threat Engineer – Global Threat Operations
  • Bikash Halder, Cyber Security Analyst
  • Atoshe Lohe, Managing Director at INsoftware & Solution/Institute of Information Security and Computer Forensic.
  • Shreya Koley, Summer Intern at KPMG
  • Shubham Sangwan, Intern at Gurugram Police
  • Kanishka Joshi, Actively seeking opportunities in Auditing and Compliance

Bibliography

ISO standard 44405. ISO/IEC, 2015. [Accessed 24 Sep 2020].

ISO 17025. ISO/IEC, 2017. [Accessed 24 Sep 2020].

ISO 44381. ISO/IEC, 2012. [Accessed 24 Sep 2020].

ISO 44406. ISO/IEC, 2015. [Accessed 24 Sep 2020].

ISO 44407. ISO/IEC, 2015. [Accessed 24 Sep 2020].

About the Author

Mr. Santosh Khadsare is a Digital Forensics Expert from India with two decades of experience and presently is heading a Digital Forensic Laboratory at New Delhi, India. In addition to his Bachelor’s degree he possesses additional qualifications such as CHFI, CEH, RHCSA, Advance Cyber Forensic Course (CDAC), Cyber Crime Investigator, IVTA (CMU, Pittsburgh USA), etc. He has rich experience in the field of Information Security, Digital Forensics, Cyber Audit, Cyber Laws and Incident Response. He has been a speaker in various national / international conferences and has also authored various articles on information security and Digital Forensics in reputed publications.

Contact Details

Linkedin : https://www.linkedin.com/in/santosh-khadsare-3539a818/
