Anyone care to give a brief summary of the current state of open source forensics (i.e. imaging and analysis)?
How do open source tools compare with the well-known commercial packages?
How are open source tools viewed in the courtroom?
Jamie
OSS seems to suffer from a poor reputation in this industry for similar reasons to questions raised about it in the boardroom: the "coded by a spotty kid" stereotype and the lack of a complaint channel. These are both misnomers which are heavily devalued by the degree to which we, as forensic investigators, swap best practice and process in forums like this in a way that closely mirrors my experience as a unix/linux sysadmin.
Ultimately I would like to see Open Source tools mandated in the court room and I don't see how you can avoid it. At some point a commercial tool is going to make a mistake that could lead to questions about the status of its exact operation in such a way that its source code will end up in court or the case will be dropped.
How can people vouch for the correct operation of software when they do not have access to its source code? When we write statements for the court one of the normal clauses is concerned with the correct operation of the computer hardware and software on which we performed the analysis. That statement is in my view critically flawed when the analysis is performed with software, which crashes on a daily basis.
While some products in the commercial world are now becoming mature products, the same cannot be said of open source, and we are lacking some critical tools in these environments such as metadata analysis of office documents and, what is certainly a big deal for me, the processing of Outlook Personal Folders, which is imperfect, as is NTFS support. Net Analysis, which is without doubt the premier tool for looking at Internet histories, also lacks anything comparable in the OSS environment. Indexed searching is also something where I don't see any OSS in competition with DTSearch in the forensic arena.
What is required to mature a product? The answer to that is users, and I believe that, as with the best OSS products like apache and samba, wide competent user bases are the key to giving developers the feedback to produce solid products.
Forensics also has a strange time scale. One of the reasons I like this job is that I work a case and at the end, I run the back up and move on to new problems. However, we archive everything for a long time and a case can come back five years down the line, and you had better be able to defend what you wrote at that time. This means that you are going to have to be able to read your formats. In the OSS world this is never going to be a problem; in commercial software, all too often with closed formats, over those periods of time, converters are hard to come by.
James,
A very warm welcome to Forensic Focus.
I think we're both in broad agreement regarding the value (in all senses of the word) of open source forensic software. Without the profit motive of commercial vendors the growth and acceptance of open source solutions can stagnate, and I fear this has been true for some open source forensic solutions.
Personally, I'm more than happy to give OSS at least as much exposure as any commercial software and am delighted to hear of your strong support for open source. I hope you will become a regular in our new forums!
Jamie
Ultimately I would like to see Open Source tools mandated in the court room and I don't see how you can avoid it.
Tools will never be mandated by the court. Tools used in support of cases must be "generally accepted within the community", and what usually gets attacked (according to attendees at LEO conferences such as HTCIA, etc) is the processes used by the investigators.
For example, at this point, anyone going to court and having used ILook version 7.x will more than likely get shot down before they even step foot inside the court room.
…meta data analysis of office documents…
I've written tools that do this, and provided them for free, and as open source.
With regards to searching Internet histories, what about the tools provided by Foundstone?
H. Carvey
"Windows Forensics and Incident Recovery"
I saw this old thread from back in 2004. I was wondering, as an industry outsider, if people would care to comment on the state of open source forensics now in 2006. Have courts come to accept open source software?
I tend to believe that this is a chicken-or-the-egg situation… open source tools won't be accepted in court until they are used.
The issue many don't seem to understand is that it's really not a technical issue, as much as it is documenting and then explaining your justification for doing what you did. Most of the closed source tools accepted by the courts weren't accepted until some sort of justification and documentation were performed.
Harlan
Many will claim (as was previously mentioned) that free software is written by the pimply faced geek and will be inadmissible in court. The reality is that many OSS tools have been certified by the US Govt for forensic use and several are the benchmark from which other tools are compared.
I, for one, use OSS tools exclusively. The toolkits provide source code so any action taken by the application can be proven. This cannot be said for closed source applications. What goes on under the hood? We will never know. "The application could be making it up based on previously discovered information" is how I explain it. The application I'm using, on the other hand, comes with complete source code, so every piece of data can be validated.
I, for one, use OSS tools exclusively.
It would be really interesting to know what your tool-kit consists of, if you would be prepared to give us that information.
I know that my CD has been used in a number of court cases with no issues, and much of it is open source.
Perhaps more important than the tool is the operator …
regards,
farmerdude
This is an interesting post which part answers a question I was interested in, but in 7 months and 21 days has anything changed?
Does anyone else now use OSS tools such as Farmer's or Helix, and if so have you had difficulties backing up your evidence either in an LE or corporate case?
If you have, what could be done to change this attitude towards OSS now that hasn't been tried in the past?
Or maybe OSS is not appropriate for a professional role and should stay with pimply geeks and then to be a forensics expert you simply need the cash to buy the forensics software to make you into one.
I'm not that pimply and I'm only a semi-geek; in other words, I'm married with a small amount of life away from the screen.
But the world of Forensic Computing at the moment looks very closed to me unless I join a company who has the commercial software, or I save my pennies and purchase the software.
I would like an OSS solution.