What Forensic Software do you recommend if buying personally

77 Posts
16 Users
0 Likes
5,095 Views
(@douglasbrush)
Posts: 812
Prominent Member
 

Now I will end my involvement in this fracas with the submission of a pretty good article about this very subject for your perusal

Thank you for this posting; it is a good piece and covers many topics in one article.

It has been said many times before on this board the examiner NOT the tool has to take the stand.

Verified tools and verified results are two different things. As examiners who will be called to testify we need to be able to explain both. Step back and look with a wide-angle lens at the environment we are involved with. Computer forensics is just a sub-set of forensic science and is interpreted by judiciary bodies that follow Federal and/or State Rules of Evidence and Civil Procedure.

In addition we are dealing with triers of fact that have 8th grade level (on average) of education.

When called to produce a report and/or testify we act as translators of many complex issues into base terms that can be evaluated for their evidentiary weight. The tools with which we perform this translation do matter and should be validated and verified, but the investigation and conclusion depend on the knowledge and analysis of the person presenting the findings, who is then asked to take the stand.

Computer forensic tools can automate many tasks but cannot think for you.

 
Posted : 18/12/2009 9:57 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Sorry guys, I didn't mean to kick open the hornet's nest. Harlan is absolutely right that if multiple tools can get the same evidence it doesn't matter which one you use as long as the results can be validated. I made a fatal error when I assumed that the tools he is learning on now will be the ones he will be submitting evidence with later, which is why I was asking for context.

That wasn't an error at all. In fact, it's probably the other way around from what you were thinking…my initial training was on EnCase v3 back in '99. Since then, I've moved on to the open-source and freeware environment.

Still…I don't see why it matters.

I was taught by them that your tools must be repeatable, certifiable and licensed. Open source is usually none of these things.

Sorry, but I don't agree with that last statement. Open source tools are definitely repeatable. I can validate and repeat what I find with RegRipper, by using a hex editor if I need to.

How is an open source tool not "certifiable"? Or perhaps another version of the question should be, which non-open-source tools ARE "certified", and certified to what?

Finally, licensing only applies to those tools that require a license. Also, there are a number of open-source tools that are GPL'd, in one form or another.

If you want to use open source to get the data that is fine but you better validate with a certified commercially licensed program when it comes time to submit your evidence.

Why is that?

It is not likely that you will have to testify but you do need to certify the results you submit to the lawyers as accurate.

What does certifying the results as accurate have to do with using a commercial tool? When it comes to certifying something as accurate…have you seen some of the commercial tool user forums?

 
Posted : 19/12/2009 1:13 am
(@seanmcl)
Posts: 700
Honorable Member
 

I was taught by them that your tools must be repeatable, certifiable and licensed.

Um, I think that this statement confuses a couple of issues.

First, as for licensed, the issue with licensing is one of the character of the expert. A witness who is willing to violate software licenses is not a credible witness. Further, the lack of licensing can, by implication, indicate a lack of suitable support (including reports of flaws, fixes, etc.).

Repeatable is a meaningless term, taken literally. In biology, where processes are rarely deterministic, it means that a second investigator following the same method should achieve the same result.

But in the case of a technology, such as EnCase, FTK, etc, I would expect that the same tool used the same way would come up with the same result. Thus, the fact that the outcome was repeatable is of little value. Instead, the outcome must be verifiable, i.e., using a different tool or process, another investigator would arrive at the same outcome.

As Harlan has mentioned, much of what the tools do can be verified using a hex editor if you know how the tool functions. This is true whether you are using open source or commercial tools and, in fact, there have been known flaws with certain functionality in various editions of nearly all commercial tools so, as others have said, verify your results.

Certifiable is another term with little meaning. Who "certifies" the complete functionality of any commercial tool? Is EnCase "certified"? What about FTK, ProDiscover, X-Ways, Oxygen, etc.?

I was involved in a case in Federal court in South Carolina where my use of TSK/Autopsy was questioned by the opposing "expert". I was able to demonstrate how I used the tool, what was the outcome, and that I could reproduce the same outcome using a different tool.

That was the end of the discussion and none of my testimony was excluded on the basis of Daubert.

Open source is usually none of these things.

Again, name me one commercial tool which has been fully "certified" and by whom or what organization. No such entity exists, at least in the US.

If you want to use open source to get the data that is fine but you better validate with a certified commercially licensed program when it comes time to submit your evidence.

Ignoring the use of the word "certifiable" (unless you mean "accepted in court" which is another loaded phrase), it is our practice to confirm all of our critical evidence using an independent tool, whether it be commercial or open source. WinHex is commercial, but it is only a hex editor. You can't get much more basic than that but there are a number of tools that would allow you to dump whatever is at offset 0xNN of the image which could be used to substantiate WinHex evidence, including dd, an open source tool.

It is not likely that you will have to testify but you do need to certify the results you submit to the lawyers as accurate.

Again, what does it mean to "certify" your own results and conclusions? What is the authoritative body which has responsibility for the findings of an expert? If such a thing existed, we'd no longer have conflicting expert testimony.

Daubert requires that methodology you use be accepted by established practitioners and pertinent to the case at hand. Would you like to tell me that TSK, written and used by Brian Carrier one of the foremost (excuse the pun) experts on file system forensics, is not accepted by established practitioners?

In point of fact, your own excerpt from the CyberSecurity Institute makes no mention of "commercial" versus non-commercial tools, instead referring to "methodology". The tool is but one part of the methodology and as long as you can achieve the same outcome using a different tool, what does it matter whether it is commercial or open source (except if you are a vendor of the former looking to increase the sales of your $5k product)?

 
Posted : 19/12/2009 1:46 am
(@patrick4n6)
Posts: 650
Honorable Member
 

Open source software IS licensed. The GPL for example is a common license used on open source. GPL = GNU General Public License. Just because you don't require money to use the software doesn't make the license any less valid. Even freeware (free software) has a license. They generally for example have language that grants the user a non-exclusive license to use the software whilst asserting their copyright over the program.

Also, I don't recall ever hearing the expression that results had to be repeatable so much as reproducible. That means that if you produce a file from EnCase or FTK, then I should be able to produce the same file whether I use those tools, or X-Ways, a hex editor, or using dd with the skip and count parameters to carve out the data.

Whilst earlier in this post I recommended using certain tools to improve your productivity, I absolutely refute the suggestion that open source or free tools are any less valid for use in forensics than paid tools so long as they are validated by the examiner. Then again, there have been release versions of certain major paid tools that have had bugs you could drive a truck through, but people still use these tools because the bugs were fixed, and examiners validated their tools again.

 
Posted : 19/12/2009 7:50 am
(@Anonymous)
Posts: 0
Guest
 

"Repeatable with the same result" or "verifiable", still the same thing. That's the basic requirement in any forensic area at the end. The important implication is that the (digital) evidence must not be altered in any way during the process. (Please don't say that everyone knows that, because I know forensic "experts" who are even able to write their statements on the suspect hard drive.)

Open source software is definitely not any worse than commercial software just because it doesn't cost anything. That's just typical marketing bullshit. Sure, it naturally differs: for open source you don't get any guarantee that potential bugs will be fixed or that the software will be kept updated. Basically you don't get any guarantee whatsoever because you didn't pay for that. It's just a logical implication and I wouldn't take it as a big downside. Why? Let's face it, if you pay for commercial software, do you really get any guarantee of anything? Of course not! If the developer won't fix the bug or release a new update or implement a new feature, there is virtually nothing you can do about that, even if you have paid tens of thousands of dollars.

Both commercial and open source can be good and bad. What is much more important is what you can actually do with these tools (i.e. whether you know how to use them).
Commercial tools are usually more feature-rich, have better looking reports etc.; that's basically what you paid for. Open source tools are more focused on the target with less "stupidities around", because programmers are naturally lazy, especially when they do it for free.

However, there is one quite important difference between these two groups I would like to stress.

With open source, as the name says, you get the source code, so you actually can verify yourself what the program does. You don't need any certification. Actually you don't care about any certification, because no certification of any kind could be of better value to you than seeing/reviewing the source code with your own eyes. Nothing can give you better assurance of the program's function and reliability than having the option to check it yourself. Moreover, you have the possibility to fix/update/enhance the software. If you are able to. But let's not discuss how many forensic experts are actually educated in programming. What I am talking about here is that you do have these possibilities.

Commercial software, on the other hand, is a total black box. You have no idea what the program is doing. You know nothing (let's put aside the reverse engineering option). All you have is just the word of some private commercial entity (the developer), which is often some kind of LLC, Ltd. etc., i.e. its liability is limited. How much can you trust such an entity? Now you really do need to know some certifications, references, reputation etc., because that's the only thing that may indicate (but still just indicate!) that it can be trustworthy. You have no possibility to do anything with the software (fix/update/improve), you are fully in the power of the developer, and you actually paid to be in such an unpleasant situation.

Don't get me wrong. I am not saying that the commercial software is evil and should not be used in forensics. Just it's good to be aware of all the implications.

As for certifications, as was already said, it's important who issued such a certification: whether it's some trustworthy body (the best would be a state institution) or just another private commercial entity. NIST is doing some testing of computer forensics tools; that's one source I would rely on.

However, you can do some kind of certification yourself. You can validate a commercial tool using an open source tool as a reference. If you do some tests with the open source tool (which you know exactly what it does) and it gives you some result, and then you take the commercial tool and it gives you the same result, then you can somewhat assume that the function of the given commercial tool may be the same. Now you only need to repeat these tests in all possible scenarios and you will maybe get some level of certainty.

Speaking for myself, I personally use both commercial as well as open source software. But when writing the expert statements, I am careful about what commercial software I will mention. Because when it comes down to my testimony at the court (and I stand there in every criminal case I am involved in) and the lawyer from the defence side (or even the judge) asks me how I can prove that the (commercial) software did what I claim (that it claims) it did and that it didn't do anything else, I must know what to answer. And there is indeed not too much to say. I can start prattling about how respectable the company who created the software is, how many times the software has been used at the U.S. Supreme Court, what respectable parties are using this software, but all this is just bla bla bla, no real proof at all. I am from the Czech Republic and there is very low awareness of even very well-known forensics tools, so saying "FTK" or "EnCase" will not get much respect. Likewise, the above mentioned "bla bla bla" stories will definitely not impress anybody either. Which is not a bad thing. Well, definitely not worse than the excessive (blind) reliance on just a brand as seen sometimes in the U.S. these days. So it's very good to be prepared for such a question and be able to say, for example, that I validated the process using the open source tool whose function (having 23 years' experience in programming) I can prove beyond any doubt.

So yeah, the software used within forensic examinations is a kinda tricky question. Opinions like those of "eyespy" are quite common, sadly, but the reality is simply not that black and white. I believe it's just a matter of time until some common basic rules and requirements for people and software used in digital forensics get standardized into ISOs, which will consequently open the doors to real certifications done by accredited authorities, pretty much the same as what information security and ISMS have in ISO 17799 and 2700x.

 
Posted : 19/12/2009 8:23 am
(@seanmcl)
Posts: 700
Honorable Member
 

"Repeatable with the same result" or "verifiable", still the same thing.

Not at all (in fact, you go on to illustrate the differences).

Repeatable (the root meaning do again) means that if you follow the same process, you get the same result. You can be repeatedly wrong, as the last administration so convincingly demonstrated.

Verifiable (the root of the word means truth), means that you can independently validate the result using a different method.

The distinction is important with respect to forensic tools since the former would not be sufficient to establish systemic flaws.

 
Posted : 19/12/2009 6:05 pm
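The distinction seanmcl draws here (repeatable is not the same as verifiable), the dd skip/count carve patrick4n6 mentions earlier on this page, and the "validate one tool against an independent one" practice described in the post before it, as an added example that is not part of the thread. The evidence image is constructed inline (zeros with a known payload at a known offset), the "buggy tool" is a hypothetical function with an off-by-one in its offset arithmetic, and only dd, tail, head and sha256sum from a standard Linux userland are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): a constructed "image" with a known payload,
# carved by three different routes so repeatable vs. verifiable shows up in the hashes.
set -eu

WORK=$(mktemp -d)
IMG="$WORK/evidence.dd"

# Constructed sample data: 8 KiB of zeros with an ASCII payload at byte offset 1024.
PAYLOAD='%PDF-1.4 constructed sample payload for carving test'
PAYLOAD_OFF=1024
PAYLOAD_LEN=${#PAYLOAD}
dd if=/dev/zero of="$IMG" bs=1024 count=8 2>/dev/null
printf '%s' "$PAYLOAD" | dd of="$IMG" bs=1 seek="$PAYLOAD_OFF" conv=notrunc 2>/dev/null

# Reference hash: what the examiner's primary tool reported for the carved object.
REF_HASH=$(printf '%s' "$PAYLOAD" | sha256sum | cut -d' ' -f1)

# Tool A: dd with skip/count, as described in the thread.
carve_dd() {  # OFFSET LENGTH -> sha256 of the carved bytes
  dd if="$IMG" bs=1 skip="$1" count="$2" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Tool B: an independent extraction path (tail/head) that shares no code with dd.
carve_tailhead() {  # OFFSET LENGTH -> sha256 of the carved bytes
  tail -c +$(( $1 + 1 )) "$IMG" | head -c "$2" | sha256sum | cut -d' ' -f1
}

# Tool C: hypothetical buggy tool, off by one byte in its offset arithmetic.
carve_buggy() {  # OFFSET LENGTH -> sha256 of the (wrong, but stable) carved bytes
  dd if="$IMG" bs=1 skip=$(( $1 - 1 )) count="$2" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# repeatable TOOL OFFSET LENGTH: same tool, same input, three runs, same hash?
repeatable() {
  a=$("$1" "$2" "$3"); b=$("$1" "$2" "$3"); c=$("$1" "$2" "$3")
  [ "$a" = "$b" ] && [ "$b" = "$c" ]
}

# verified TOOL OFFSET LENGTH: does TOOL match the reference hash, and can an
# independent tool reproduce that same result from the image?
verified() {
  h=$("$1" "$2" "$3")
  [ "$h" = "$REF_HASH" ] && [ "$(carve_tailhead "$2" "$3")" = "$REF_HASH" ]
}

# Stand-alone demonstration: the buggy tool is perfectly repeatable and still wrong.
for tool in carve_dd carve_buggy; do
  if repeatable "$tool" "$PAYLOAD_OFF" "$PAYLOAD_LEN"; then r=repeatable; else r=NOT-repeatable; fi
  if verified "$tool" "$PAYLOAD_OFF" "$PAYLOAD_LEN"; then v=verified; else v=NOT-verified; fi
  echo "$tool: $r, $v"
done
```

Running the same tool three times proves nothing about correctness; the buggy carve passes `repeatable` every time. Only the cross-check against a second, unrelated extraction path (and against the hash the reference tool reported) exposes it, which is the point seanmcl makes about systemic flaws.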
(@Anonymous)
Posts: 0
Guest
 

You are right, I expressed myself incorrectly. What I meant as "still the same thing" was related to the persistence requirement. My bad, sorry.

However, this is interesting anyway. I wonder whether the situation in U.S. is different from what we have here in CZ.

Here we are required to perform our examination steps in such a way that the evidence is not destroyed, so that we can at any time repeat (demonstrate) a given step again and get the same result. Furthermore, we are required to describe our steps in the statement in such depth that anyone else can repeat them after us and reach the same result.

Whether the step or the method used was actually suitable or wrong or just simply pointless is a different question. That's related to another requirement - to justify/explain why we actually did what we did. And if we are asked why we haven't done something else, we must be ready to answer that.

But we are not required to do every step twice, using different methods. We are not required to validate (verify) our own work. And neither we are required to do only such examination steps which are verifiable by using an alternate way.

Are U.S. forensic experts explicitly (by some written rule) required to validate their own examination, or to perform only activities verifiable by using a different method?

Well, is there actually anything that can't also be done in a different way? Isn't in fact everything verifiable by default?

 
Posted : 19/12/2009 7:51 pm
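The two requirements in the post above (the evidence must not be altered, and every step must be described so that someone else can repeat it and get the same result) as an added example that is not from the thread. The image is constructed inline, the worksheet format is an assumption made for the example, and only dd, od, sha256sum and grep/sed from a standard Linux userland are assumed; it is not a description of any particular lab's procedure.

```shell
#!/bin/sh
# Added example (not from the thread): log every examination step with its exact
# command line and output hash, and prove the evidence image hashed the same afterwards.
set -eu

WORK=$(mktemp -d)
IMG="$WORK/evidence.dd"
OUT="$WORK/out"; mkdir -p "$OUT"
WORKSHEET="$WORK/worksheet.txt"   # assumed format: one line per step, key=value fields

# Constructed sample image: 4 KiB of zeros with a small text object at byte offset 512.
dd if=/dev/zero of="$IMG" bs=1024 count=4 2>/dev/null
printf 'constructed sample contents' | dd of="$IMG" bs=1 seek=512 conv=notrunc 2>/dev/null
chmod 0444 "$IMG"   # examine read-only; every tool writes to $OUT, never to the image

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Acquisition hash, recorded before any examination step runs.
IMAGE_HASH_BEFORE=$(sha256_of "$IMG")
printf 'image=%s sha256=%s\n' "$IMG" "$IMAGE_HASH_BEFORE" > "$WORKSHEET"

# run_step NAME OUTFILE CMD...: run CMD with stdout in OUTFILE (stderr kept beside it),
# then record the literal command line and the output hash so the step can be
# repeated verbatim by another examiner and its result compared.
run_step() {
  name=$1; outfile=$2; shift 2
  "$@" > "$outfile" 2> "$outfile.err"
  printf 'step=%s cmd=%s out=%s sha256=%s\n' \
    "$name" "$*" "$outfile" "$(sha256_of "$outfile")" >> "$WORKSHEET"
}

# image_unchanged: true if the image still hashes as it did before the examination.
image_unchanged() { [ "$(sha256_of "$IMG")" = "$IMAGE_HASH_BEFORE" ]; }

# step_hash NAME: the output hash recorded for step NAME.
step_hash() { grep "^step=$1 " "$WORKSHEET" | sed 's/.*sha256=//'; }

# Two example steps: carve the object, then dump it as characters for the report.
run_step carve "$OUT/obj.bin" dd if="$IMG" bs=1 skip=512 count=27
run_step dump  "$OUT/obj.txt" od -An -c "$OUT/obj.bin"

# Stand-alone demonstration: print the worksheet and the integrity result.
cat "$WORKSHEET"
if image_unchanged; then echo "image unchanged"; else echo "IMAGE MODIFIED"; fi
```

The worksheet is the part a second examiner needs: each line holds the exact command and the hash of what it produced, so repeating the step and comparing the hash is mechanical. The before/after image hash is what backs the "evidence not altered" claim if the tool or the examiner is challenged.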
(@seanmcl)
Posts: 700
Honorable Member
 

Are U.S. forensic experts explicitly (by some written rule) required to validate their own examination, or do only activities verifiable by using a different method?

The most widely accepted standard, the Daubert standard, uses a two-pronged approach to accepting expert testimony

The evidence/opinion must be relevant to the issue at hand.

The methods used to reach these opinions must be reliable, i.e.,

* the methods are based upon a hypothesis which can be tested
* the methods have been peer reviewed
* the methods are generally accepted by the peer community
* the rate of error of the method is known

There is no requirement that the expert validate his/her results but there is an obvious risk if they don't which is that should an opposing expert be unable to verify the results (not, necessarily, the conclusions), those results can be called into question, as can any opinions based upon them.

 
Posted : 19/12/2009 8:05 pm
Beetle
(@beetle)
Posts: 318
Reputable Member
 

It may be worthwhile at this point to clarify the difference between testifying as to facts and expert testimony.

Expert testimony is opinion evidence that would normally be excluded as hearsay. When you are describing what you did and the result, you are not testifying as an expert. It is only when you are asked "In your opinion, what does this mean?" that you are testifying as an expert, and the court will consider whether your opinion provides any probative value and what weight they will assign to your opinion. This is why you need to verify the results with other tools: the 4th leg of a Daubert test, you are determining the error rate.

 
Posted : 19/12/2009 8:53 pm
(@Anonymous)
Posts: 0
Guest
 

There is no requirement that the expert validate his/her results but there is an obvious risk if they don't which is that should an opposing expert be unable to verify the results (not, necessarily, the conclusions), those results can be called into question, as can any opinions based upon them.

I see. So there is actually not any major difference.

The only problem here is that the Police are naturally trying to save as much money as possible (and unfortunately, as usual, in the wrong places), so they would not pay me the excessive number of hours I would have spent on the validations. Well, actually they would, but only once. Next time they would simply appoint some other (cheaper) expert.

I am limited by the deadline and budget. I can do only as much as I manage within the given time and only in such an extent they are willing to pay. The former is not really a problem because I don't need to do everything myself, but then I would have even higher expenses which, again, no one is going to reimburse.

 
Posted : 19/12/2009 9:13 pm
Page 4 / 8