Forensic Software Validation

(@chanko86)
Trusted Member
Joined: 18 years ago
Posts: 57
Topic starter  

Hello all,

I'm currently validating all forensic software in my lab and would like some advice…

The environment I'm working in has three different hardware builds, with all the software installed on each build. I've been using images from dftt.sourceforge.net, but get widely mixed results from different software programs such as EnCase, FTK, and X-Ways… I've spent a great amount of time trying different things to get it to match the known outcomes, but I haven't been successful so far.

I'm planning on doing a clean install of an NTFS and FAT XP build and populating it with some evidence (Files, Internet browsing, etc etc) and then identifying core functions in the software such as Acquiring, Hashing, Data Carving, Keyword search, File Sig Analysis, modules (EnCase) etc to cross-validate the outcomes between all builds and softwares.

Am I on the right track? Has anybody done this for a lab themselves?

Other places I have worked at seem to do validation in the same day they receive a new product. Am I overcomplicating this? Should I just do a couple of functions and say it's working? My main goal is to just say the software works in this environment…

Thanks.


   
(@techie714)
Eminent Member
Joined: 15 years ago
Posts: 37
 

As a student myself, still new to the industry, I was taught to always use the "Daubert" standard for testing methodology. If you can answer these five questions you should have a valid piece of software that will hold up in court.

http://en.wikipedia.org/wiki/Daubert_standard
1. Be falsifiable, refutable, and testable;
2. Been subjected to peer review and publication;
3. Has a known or potential error rate;
4. The existence and maintenance of standards and controls concerning its operation;
5. The degree to which the theory and technique is generally accepted by the relevant scientific community.

I've done validation tests before and besides doing the actual validation I've copied others tests as well. I hope that helps a bit.


   
(@miket065)
Estimable Member
Joined: 21 years ago
Posts: 187
 

What specifically are you having problems verifying?

Generally speaking, I think you should break it down into exactly what you want to validate/verify.

For example, the acquisition process and hashing, not modifying the image files while examining, recovery of deleted files, etc.

There are so many variables that if you tried to validate every single aspect of every single process of every kind of situation, you would never get around to doing an exam.

I would recommend concentrating on the larger most basic functions of your forensic software and remember that whenever you find "smoking gun" types of evidence, you should validate that finding using different tools.

See if this document helps any.

http://www.dfrws.org/2009/proceedings/p12-guo.pdf


   
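The approach the thread converges on (populate a reference image whose contents you know, pick a short list of core functions, run every tool on every build against it, and compare the outputs to the ground truth and to each other) can be turned into a small harness. The script below is an added example, not code from any of the posters or from EnCase, FTK or X-Ways. It assumes a constructed byte string standing in for the reference image (so the expected hashes and file names are known by construction), and constructed `ToolRun` records standing in for what each vendor tool reported on a given hardware build; in a real lab those records would be filled in from the tools' reports. It covers the three checks miket065 lists (acquisition hashing, the image not being modified during examination, and recovery of a deleted file) and reports the per-tool error rate that the Daubert criteria in techie714's reply ask for.

```python
"""Cross-validation harness for forensic tool results (added example, constructed data)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed reference "image": a byte string with FILE:<name>: marker records
# standing in for a populated NTFS/FAT test image. Because we built it, the
# ground truth (hashes, file names, including the "deleted" one) is known.
REFERENCE_IMAGE = (
    b"BOOTSECTOR".ljust(64, b"\x00")
    + b"FILE:report.docx:" + b"A" * 40
    + b"FILE:deleted.txt:" + b"B" * 20
    + b"\x00" * 32
)

# Core functions under validation; each tool run reports a value for each.
CHECKS = ("md5", "sha1", "files_found")


@dataclass
class ToolRun:
    """What one tool reported on one hardware build (constructed for the example)."""
    tool: str
    build: str
    md5: str
    sha1: str
    files_found: Set[str]


def image_hashes(data: bytes) -> Dict[str, str]:
    """Independent hashes of the image, computed outside any vendor tool."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def expected_results(data: bytes) -> Dict[str, object]:
    """Ground truth: independent hashes plus every file name embedded in the image."""
    names = set()
    for chunk in data.split(b"FILE:")[1:]:
        names.add(chunk.split(b":", 1)[0].decode())
    return {**image_hashes(data), "files_found": names}


def unchanged_after_exam(before: bytes, after: bytes) -> bool:
    """Write-protection check: the image must hash identically before and after examination."""
    return image_hashes(before) == image_hashes(after)


def validate_run(run: ToolRun, expected: Dict[str, object]) -> Dict[str, bool]:
    """Compare one tool run against ground truth, check by check."""
    outcome = {}
    for check in CHECKS:
        got, want = getattr(run, check), expected[check]
        if isinstance(got, str):
            # Tools print hashes in mixed case; compare case-insensitively.
            got, want = got.lower(), str(want).lower()
        outcome[check] = got == want
    return outcome


def validation_matrix(runs: List[ToolRun], expected: Dict[str, object]
                      ) -> Dict[Tuple[str, str], Dict[str, bool]]:
    """(tool, build) -> per-check pass/fail, the table that goes in the validation record."""
    return {(r.tool, r.build): validate_run(r, expected) for r in runs}


def error_rate(matrix: Dict[Tuple[str, str], Dict[str, bool]]) -> Dict[str, float]:
    """Observed error rate per tool across all builds and checks."""
    totals: Dict[str, Tuple[int, int]] = {}
    for (tool, _), checks in matrix.items():
        failed, total = totals.get(tool, (0, 0))
        failed += sum(1 for ok in checks.values() if not ok)
        totals[tool] = (failed, total + len(checks))
    return {tool: failed / total for tool, (failed, total) in totals.items()}


def disputed_checks(matrix: Dict[Tuple[str, str], Dict[str, bool]]) -> Set[str]:
    """Checks on which the tools disagree: the findings that need a second tool before reporting."""
    return {check for check in CHECKS
            if len({checks[check] for checks in matrix.values()}) > 1}


if __name__ == "__main__":
    truth = expected_results(REFERENCE_IMAGE)
    # Constructed runs: one tool "misses" the deleted file on one build.
    runs = [
        ToolRun("EnCase", "build-1", truth["md5"], truth["sha1"], {"report.docx", "deleted.txt"}),
        ToolRun("FTK", "build-2", truth["md5"], truth["sha1"], {"report.docx"}),
        ToolRun("X-Ways", "build-3", truth["md5"].upper(), truth["sha1"], {"report.docx", "deleted.txt"}),
    ]
    matrix = validation_matrix(runs, truth)
    for key, checks in matrix.items():
        print(key, checks)
    print("error rate:", error_rate(matrix))
    print("needs second-tool confirmation:", disputed_checks(matrix))
    print("image unchanged:", unchanged_after_exam(REFERENCE_IMAGE, REFERENCE_IMAGE))
```

The matrix is the artefact to keep with the validation record: one row per tool and build, one column per core function, and the error rate and disputed-check set derived from it. Anything in the disputed set is exactly the category of "smoking gun" finding that should be confirmed with a second tool before it goes in a report.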