Through the last thirty years of being in digital forensics, the question of what is court approved has come up many different times. This classification is greatly sought after and advertised by many companies that provide technology to the DFIR space. However, there is no magical standard that exists; it comes down to the basics.
The basics can be broken down into three principles: maintain the evidence, know your tool, and document your processes. I understand seeing this breakdown from a company that provides technology may seem biased, but these are simply the hard facts of the process. The burden to determine if the technology is “court-approved” falls on the examiner in most cases.
It’s impossible to know what data you might be missing without cross-validation.
-Commented Amber Schroader, CEO of Paraben Corporation
Maintaining the Evidence
When it comes to maintaining the evidence, it can be either an easy or difficult task based on the type of evidence you are maintaining. For computer-related evidence, such as hard drive images and the data on the machine, the examination process is fairly due to a large variety of write blockers available and the availability of software options that allows examiners to image a drive in a read-only state. The end result is hash values that show that the imaging process was properly executed with no changes made to the machine or data.
However, with mobile evidence that same methodology is not possible. This is when an examiner must document their acquisition process and maintain the evidence in the case form. The case form is the data after it has been acquired that is then used in the analysis. No two mobile images will come up with the same hash value due to the device constantly being in flux. Due to this, maintaining the evidence in the case form is the only alternative to prove that you have made no changes. Hashes of the data collected should be done upon collection and then again once the case is reported and closed to prove that the data collected did not change in the analysis process.
Know your Tool
Most forensic examiners will maintain more than one analysis tool in the lab whenever it is fiscally possible. Today’s DFIR market is saturated with tools, all offering the next hot functionality, and many at prices that will not work with numerous organization’s budgets. The result of this is that many organizations forego having a secondary tool altogether. While for others the acquisition of secondary tools for the lab has fallen to open-source options and more affordable tools. Knowing your tool is not the process of examining the source code, but instead is a validation process to confirm that the functions in the tool are the same as those advertised. Validation can be a daunting task for an examiner who may already have a heavy workload but is still a necessary task to complete.
In an effort to keep it simple, here is a validation guide (http://bit.ly/2Cj5jEO) that will walk the examiner through the steps that need to be taken to show that they really know their tool. Every tool has weaknesses a perfect tool is just a mythical unicorn that will never exist. Knowing your tools’ weaknesses is half the battle. Once you know the weaknesses, you can adjust your examinations to use multiple tools that will complement each other so you gather all necessary data you are looking for. The other critical part of knowing your tool is to understand that your results must be validated, which means that you need to be using more than one tool. Regardless of budget constraints, having more than one tool to process the data is a must and cannot be overlooked. Why? Because different tools will produce different results. It’s impossible to know what data you might be missing without cross-validation.
Document your Process
Out of all of the standards, this one can become the easiest to make into a habit. Based on your organization, you might have a standard or template to keep your notes on during your examination process. Either way, some of the critical details that must be in those notes are date and time, tool version with build number, processes done, and any anomalies that occurred. This is how we can ensure we meet the first principle of maintaining the evidence, by documenting what we did that might have been different. Here is a good example.
An Android device is not processing with the tool that I use as my primary tool, so I need to use a different method. Some options for Android devices include bootloaders, EDL, rooting, and backups. Tool A did a backup so now I want to root the device to try to receive additional information. Documentation is key in this scenario as it lets your process steps be part of your examination to confirm it was a valid process. Documentation in this scenario would include things such as model number, firmware version, and rooting technique used. You would then note the different data that was captured during cross-validation after processing and rooting the backup with Tool B.
This example of documentation allows you to show that you know the capability and possible weaknesses of the tool as well as the proper method that should be used for the examination.
In conclusion, being court approved comes down to the examiner doing the best due diligence possible during the examination with the methods they use in their lab and proper documentation. All forensic tools should contain the basics of hash values and a verification option for those values. In addition, tools should have proper documentation that tells the users what methods were used to obtain those values so they can be validated. There is no unicorn when it comes to DFIR tools, only the proper steps to make sure you have the best-equipped lab possible.
Information contained on this page is provided by an independent third-party content provider. Frankly and this Site make no warranties or representations in connection therewith. If you are affiliated with this page and would like it removed please contact firstname.lastname@example.org