Validation of Forensic Tools and Software - Coursework Example

Forensic Tools Forensic tools Forensic tools are used in investigating security issues in various ways. One can use them to collect information in a research. It can also used in the evaluation of software in order to find out their effectiveness in performing an attack or defense. The tools are mostly useful by forensic examiners and attorneys. This report explains the importance of validating forensic tools. It also explains how the tools are validated and the information required in a tool validation report. A summary of a forensic tool validation report has also been provided in the paper with the focus on how the report could be used to support the findings of a forensic examination. a. Why forensic tools need to be validated The tools need to be validated to ensure reliability (Brunty, 2011). They are highly trusted by the community that deals with legal issues. For instance, judges highly trust forensic tools the way scientists trust scientific processes to make their study results consistent and verifiable. Forensic tools should not be used as scientific processes because they are not scientific in nature. They have to be validated before being used. Validation enables the legal community to match a forensic tool with the nature of investigation and types of data to be collected. The validation is also important because it increases one’s confidence when using the tools. The process is vital when giving evidence in court that the tools used are effective before presenting the digital proof. Validation increases the competitiveness of a forensic examiner. Without it, the reputation of even the most experience examiner can be destroyed. Validation of the tools is also necessary because it ensures repeatability. When using the same tool, one should be able to obtain the same results after conducting the same test. This proves that the information presented in the tools is of high quality (Evans, Bond & Bement, 2004). In addition, validation ensures reproducibility when using the tools. This means that when using the tools one can obtain the same results even if the same tests are carried out in different settings. b. Organizations that undertake the validation of forensic tools One of the organizations that undertake the validation of the tools is the National Institute of Standards and Technology (NIST) (NSRL, 2001). This organization conducts various projects in laboratories. The aim of the organization entails establishing methodologies for testing the effectiveness of the forensic tools. For instance, the organization develops the tools specifications and tests sets. It also identifies the general test procedure and standards. The results of the projects conducted by the organization helps the tool users to improve their tools and make effective decisions. The organization also has projects that help with the identification of reference data. The process is vital because it prevents the tool users from using many review files. An additional organization that deals with the validation process is the National Institute of Justice (NIJ). Among the aims of the organization includes setting of technical standards for the technologies used in forensic issues. The organization also provides new solutions in order to improve the quality and processes of forensic science (NIST, 2013). The other organization that deals with the tool validations is the Technical Support Working Group (TSWG). The organization uses similar procedures used in NIST when testing and validating the tools. The organization also supports the validation process by funding the NIST projects. c. The processes and tests used to validate forensic tools The initial process of validating the tools is the development of plan (Brunty 2011). This involves defining the functions of the tools. This process also involves creating a clear outline of the steps used in the testing process and the tools required in each step. During the process, one should also identify the tests that will be used in the evaluation process. For instance, for the tests used in validating forensic imaging tools, the tests should include those that determine the effectiveness of the tool in authenticating baseline image. One can get information about the functions of the tools from the sources found in NIST departments. The departments have validation reports of the tools. The reports can be helpful at this stage since they provide guidance on drafting of internal protocols. The plan should contain information such as the type of tool, the testing manufactures, and the intervals of conducting the test. The next validation process is the creation of controlled information set (Brunty 2011). This is usually the most complicated part of the validation process. It involves putting in place devices and baseline images that will be used in the process. The stage also involves performance of acquisitions and recording of each of the data added to the areas of the tool. This helps in the validation of the basic tools. Examples of basic tools may include hard drive and mobile phones depending on the types of tools to be validated. Apart from self-built baseline images, one may obtain more information from other published disk images. The subsequent step after creating and testing the baseline images should be the documentation of the image contents. Another process includes carrying out the test in a specific setting. This involves conducting internal validity tests of the tools used in the test (Watson & Jones, 2013). This process helps in confirming if the tools are repeatable and reproducible. One should avoid using validation reports from other laboratories. Carrying out one’s validation test enhances the integrity of the evidence while protecting one’s credibility. An additional process entails comparing the test findings with the known and expected results for further validation (Brunty 2011). The comparison process should be done based on the standards of the tool as specified by the validation organizations. In order to ensure that the tools are valid, the test must be repeatable. This should be after conducting at least three tests. In addition, one should ensure that the test is reproducive by comparing the test results with those performed in other settings. This can be done using the peer reviews. d. Information contained in forensic tool validation reports A validation report is usually divided into several parts depending on the procedures for testing an item. One of the contents of part A of forensic validation report is the test plan and design (NIST, 2014). This includes a description of the tool to be tested. This includes the function of the tool and the specific functions to be tested. The report also contains methodologies that were used in testing. The first part also contains a description of a controlled environment in which the test was carried out. This should include a description of the primary tools used in the test. For instance, one should specify the hardware and software used in the test. The second part of the report contains the variances and anomalies. Variances and anomalies are the expected finding of a test and the actual finding (Jansen & Delaitre, 2009). It is also the difference between the findings of a test and the finding in peer reviews. The third part of the report is the summary of the results. This part the report contains a description of observations made during and after the test. For instance, observation made on the repeatability of tests should be made. The inconsistencies of the test should be clearly specified at this stage. This part of the report also contains actual results of the test. e. How a forensic tool validation report could be used to defend the findings in a report of a forensic examination A forensic tool validation report shows the result of the effectiveness of tool in conducting an investigation (Liu, Singhai & Wijesekera, 2012). The report is an effective way through which examiners communicate their findings to requesters. They can defend or attack the results of forensic examination depending on the findings of a test. For instance, if the report shows that test was reputable, the report can defend the effectiveness of the tool. However, the inconsistency of the test can be used examiners to support their arguments against the use of a specific tool in conduction the investigation. The report also helps forensic examiners to know the relevance of the tool to the case (Carroll, Brannon & Song, 2008). This means that forensic examiners can know if the tool will give the best results in the case investigation by analyzing the report. The report also gives forensic examiners the confidence to defend a finding since it gives them enough information about a forensic tool. Without the report, examiners would not be very sure about the reliability of the tools. Defending or attacking the finding using a report as evidence makes examiners to sound more convincing. f. Summary of a NIST forensic tool validation report a. Overview of the tool This is a validation report of Forensic Software Testing Support Tools (FS-TST 2.0). The forensic software helps with testing the tools for disk imaging which is used when carrying out investigations (NIST, 2005). It also helps forensic examiners compare disk pairs, and alterations in disk contents. The tool also initializes disks drives. b. How the tool was tested The tool was tested for its effectiveness in performing it functions (NIST, 2005). The test was conducted in a controlled environment that was the National Institute of Standards and Technology (NIST). The test included interaction of the software with MS-DOS operating system. Testing of the supporting tools was also done. The hardware used in the test included the host computers and hard disk drives (NIST, 2005). The software used was Disk Editor VERSION 8.0 and Partition Magic version 6.0. c. Results of the testing The results showed that apart from only two programs that showed inconsistency, other tools passed the test. There were also no anomalies observed in the test. The code review report also shows that all results of the tests were valid. Conclusion Validation is important because it ensures that the forensic tools used in carrying out specific investigations are reliable and accurate. In addition, it helps in increasing the quality of the investigation results. Forensic examiners should create reports after conducting the validation tests so that they will be used to attack and defend the findings of forensic examinations. The validation of forensic tools can only be conducted by trusted organizations. An example of such organizations is the National Institute of Standards and Technology (NIST). Such organization set standards for the procedures and methodologies of the forensic tool s tests. They also create reports of the validation tests. An example of such reports includes one for FS-TST 2.0 that indicates the effectiveness of the tools used in initializing and detecting changes in disk drives. References Brunty, J. (2011). Validation of forensic tools and software: A quick guide for the digital forensic examiner. Digital Forensic Investigator. Retrieved from: http://www.dfinews.com/articles/2011/03/validation-forensic-tools-and-software-quick- guide-digital-forensic-examiner Carrol, O., Brannon, S. & Song, T. (2008). Computer forensic. United States Attorneys, 56 (1). Retrieved from: http://www.justice.gov/usao/eousa/foia_reading_room/usab5601.pdf Evans, D. Bond, J. & Bement, A. (2004). PDA Forensic tools: An overview an Analysis. Retrieved from: http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf Jansen, W. & Delaitre, A. (2009). Mobile forensic reference materials: A methodology and reification. Retrieved from: http://csrc.nist.gov/publications/nistir/ir7617/nistir-7617.pdf Liu, C., Singhai, A. & Wijesekera, D. (2012). A model towards using evidence from security events for network attack analysis. Retrieved from: http://www.nist.gov/itl/upload/WOSIS_2014_with-NIST-comments.pdf National Software Reference Library. (2001). Computer forensics Guidance. NSRL. Retrieved from: http://www.nsrl.nist.gov/itlbulletin.html NIST. (2005). FS-TST 2.0: Forensic software testing support tools. Retrieved from: http://www.cftt.nist.gov/diskimaging/fs-tst%20B%20report.pdf NIST. (2013). Welcome to the computer forensic toll testing (CFTT) Project Web Site. Retrieved from: http://www.cftt.nist.gov/ NIST. ( 2014). CFTT Methodology overview. Retrieved from: http://www.cftt.nist.gov/Methodology_Overview.htm Watson, D., & Jones, A. (2013). Digital Forensics Processing and Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best Practice Requirements. Read More