Clear all

Forensic Tool Testing

New Member

OK, confession time. Does anyone actually test (validate) their forensic tools? Not just write blockers but everything including EnCase and FTK!

Anecdotally, I'd guess that a minority have a rigorous write blocker testing policy in place (and is used) and even fewer will test the investigation software, relying (a bit too) heavily on the fact that "it's the software that everyone uses".

Topic starter Posted : 25/01/2008 2:22 pm
Senior Member

Not quite a fair answer, as I don't actually do forensic work for a living … However as a student, I have been taught to validate all results by using one or more tools, and the preference has always been for validating results by going to the location provided by EnCase/FTK/Whatever in a HEX editor and confirming both the actual existance of the data, and the interpretation against what is documented offically.

I've been marked down for not doing this, and thus now it is somewhat of a habit - however I do appriciate that I am working with very small "theoretical cases" set up by my tutors. Doing this on a large scale case would be impossible given time limitations, however, I would guess that verification of one type of artifact might suffice to allow one to assume that all artifacts of that type are being reported correctly ?

Maybe simply assuming that FTK and EnCase are both right 95% of the time and that both of them reporting the same thing would allow you a certainty of 99.7%.

Ok, I had to look up the formula for that calculation …

p(x)p(y) + (1-p(x))(1-p(y))

I don't know if that is acceptable or not really - Is there a chance that both are wrong ? Yes. Is it enough to induce reasonable doubt ? Not to me, but I don't honestly know.

If you chuck a 3rd 95% accurate tool into the mix though, you are looking at 99.99% …

So perhaps verification is the route to take, rather than test where it comes to tools ?

Posted : 25/01/2008 5:29 pm
New Member

I verified all my write blockers–it really doesn't take long at all. The algorithm is available multiple places but I used the NIST method. The key is I found an old, make that o-l-d 5 gb hard drive that still spins and doesn't create that many errors. Hence verification is a snap, and I was done with a card reader, USB block, and Digital Intelligence (Tableu) T-35 in under 2 hours.

I intend to use that same image to verify the tools, but I haven't completed that yet.

Verifying the write blockers is a snap and I was taught that it was industry standard–so why wouldn't you?

Paul L

Posted : 27/04/2008 12:18 pm
Active Member

Well, according to this link http// 55% of all examiners do have a routine process for verifying their toolset.

Posted : 27/04/2008 7:41 pm
Share to...