All content following this page was uploaded by Rory V. O’Connor on 25 November 2015.
Rory V. O’Connor
School of Computing
Faculty of Engineering and Computing
Dublin City University, Dublin, Ireland
E-mail: Rory.OConnor@computing.dcu.ie
1 Introduction
Considering the significant issues regarding both the reliability and admissibility of
digital forensic evidence, a pivotal question for both the courts and the computer forensic
investigator is “what makes a ‘good’ forensic software tool?” and “how does one choose
a ‘good’ software tool?”
To address these questions, this research examines the current state of practice with
respect to forensic software tool selection and examines the relevant literature to
determine a set of characteristics that may be used by computer forensic investigators to
guide the selection of a forensic software tool.
The purpose of this research is to provide a more comprehensive understanding of the
factors that are significant to the selection of a forensic software tool for use by a
computer forensic investigator in industrial practice. A primary objective of this research
is to develop a generalised set of characteristics that explains the effects of important
selection factors and the relative significance of these factors in explaining the selection
of a particular forensic software tool. Thus, the key research question is: “What are the
forensic software tool characteristics that contribute to the selection of a tool for a given
forensic investigation and what is the relative importance of these characteristics?”
There are three primary reasons why specialised forensic software tools must be
employed in order to conduct a proper computer investigation (Patzakis, 2004):
• Proper acquisition and preservation of evidence
Electronic evidence is fragile by nature and can be easily altered or erased without
proper handling. For example, merely booting a subject computer into a Microsoft
Windows environment will alter critical date stamps, erase temporary data and cause
hundreds of writes to the hard disk.
• Authentication of collected data for court presentation
Computer forensics is largely based on the premise that the data recovered from a
system will ultimately be presented in a court of law. Therefore an important feature
is a verification process that establishes that the investigator did not corrupt or
tamper with the subject evidence at any time during the investigation.
• Recovery of all available data, including deleted files
In addition to the active data normally seen by the computer user, computer forensic
software tools must allow the examiner to recover all deleted files that have not been
completely overwritten, as well as other forms of unallocated or temporary data.
There are a number of forensic computer software tools of varying sophistication. These
tools generally differ in functionality, complexity and cost. In terms of functionality,
some tools are designed to serve a single purpose (Rod, 2002; Arthur and Venter, 2004)
while others offer a suite of functions. The functionalities offered by a tool are
therefore exactly what lead to its complexities. These complexities can relate either to
design and algorithmic complexity or to ease of use; in some instances a tool can offer
great functionality but fall short because of a complex interface. Cost is a final
distinguishing factor, with some of the market-leading commercial products costing
thousands of Euros while other tools are free.
314 R.V. O’Connor
Generally, forensic software tools are designed to specialise in one or two specific
areas of forensic analysis of a computer system. The main areas are forensic imaging,
forensic data recovery and forensic data analysis. Some examples of market-leading and
free forensic software tools are:
• SafeBack – a commercial tool commonly used by law enforcement agencies
throughout the world. It is used primarily for imaging the hard disks of Intel-based
computer systems and restoring these images to other hard disks.
• EnCase – a commercial software package that enables an investigator to image and
examine data from hard disks, removable media and PDAs. Many law enforcement
agencies throughout the world use EnCase and this can be an important factor for
forensic investigators to consider where there is a possibility that an investigation
may be handed over to the police or used in a court of law.
• Paraben E-mail Examiner – a comprehensive e-mail examination tool which is
capable of examining and recovering active and deleted email messages from most
leading proprietary email programs as well as generic mailboxes.
• GetGif – a budget-priced tool which automatically extracts exact copies of graphic
file images and is used to find evidence in corporate, civil and criminal
investigations which involve computer graphic files, e.g., investigations which
potentially involve child pornography.
• The Coroner’s Toolkit – a collection of (essentially) free tools designed to be used in
the forensic analysis of a UNIX machine. This is specifically designed to be of use in
the investigation of a computer break-in and has tools to help reconstruct the
activities of an intruder.
There is much by way of published material (see Kenneally, 2001; Patzakis and
Limongelli, 2004 for example) dealing with examples of the usage of forensic software
tools in gathering digital evidence and subsequent court prosecutions in both civil and
criminal cases. In the current business climate such tools are also used in common
business practices. For example, Patzakis (2004) details one Fortune 500 company
where an employee’s hard disk is imaged upon resignation, termination or internal
transfer as a matter of standard procedure, to allow subsequent examination should it
need to take place.
In the last few years the forensic software tool market has undergone remarkable
changes. The number of tools has increased significantly, prices have declined
dramatically and such tools are now being used by a diverse group of users. Many of
these tools were developed to fit different user needs and designed to execute on a variety
of hardware platforms. Owing to the complexity of the product and the profusion of
alternatives a systematic process of selection can be formidable and expensive.
To further complicate the situation, selecting the best forensic software product
may not be the responsibility of a single individual, for group decision making is
commonplace in most organisations. A group approach to software selection offers many
benefits, including improved overall decision quality and decision-making effectiveness.
Software selection: towards an understanding of forensic 315
Still the process of appraising forensic software tools or any other IT investment may be
a political process as decisions touch many people and groups. Clearly, software selection
is not a well-defined or structured decision problem. The presence of multiple criteria
(both managerial and technical) and the involvement of multiple decision-makers will
expand the decision from one to many dimensions, thus increasing the complexity of the
solution process. It seems obvious that we cannot solve the software selection problem by
simply grinding through a mathematical model or computer algorithm.
3.1 Standards
Forensic investigators may use tools which are not readily understood by the public and
the courts. It is therefore vital for an investigator to ensure that doubt cannot be
introduced into the appropriateness of tools deployed in the collection and presentation of
evidence (Armstrong, 2003).
There is a critical need in the law enforcement community to ensure the reliability of
computer forensic tools. The National Institute of Standards and Technology (NIST) in
partnership with law enforcement and other agencies has developed a programme for
testing computer forensic software tools. A goal of the Computer Forensic Tool Testing
(CFTT) project at NIST is to establish a methodology for testing computer forensic
software tools (Wick et al., 2004). CFTT provides a mechanism for users to determine if
a specific computer forensic tool meets their needs. It does this by:
• defining a means for classifying requirements for different types of tools (currently
disk imaging and hard disk write blocking tools)
• specifying these requirements
• defining tests to determine if these tools meet the requirements
In addition, a US Air Force programme (Note 1) was set up in 2001 to address the issue of
defining a framework for the area of digital forensics as a whole. However, to date
such programmes have investigated technical issues regarding testing and reliability
of a limited number of tools and have not addressed the meta-level question of
suitability of tools, the selection of tools and the justification/defence for the selection of
a particular tool.
4 Research method
When a user starts to think about whether to adopt a new tool, s/he will think about cost,
benefits and risks. This thinking may not be deep and rigorous, but it is clear from prior
research that a certain amount of such thinking takes place (Lethbridge, 2004). There is a
long history of general research into adoption or non-adoption of technical innovations.
Perhaps the most influential researcher is Rogers (2003) who points out that there
are numerous reasons why individuals do not adopt innovations, or adopt them slowly.
One of his key points is that an individual’s adoption decision is based on his or her
perception of various factors rather than absolute truths about those factors. In Rogers’
model, adoption starts with the ‘knowledge stage’ in which people become aware of the
existence of the innovation. Then they move to the ‘persuasion stage’ in which they form
a ‘favourable or unfavourable attitude’ towards the innovation, perhaps influenced by
marketing or interaction with others. Only after forming a favourable attitude do they
move to the ‘decision stage’, where they consciously or subconsciously consider the
various factors that may lead to trial use or more intense use. In this paper we will focus
on the issues considered during the decision stage.
Extensive tool evaluation is generally a very time- and resource-intensive process.
Hence we segment our study of the tool selection process into three stages. The first stage
of this investigation is concerned with the state of best practices in computer forensic
investigations. As previously discussed, there is little by way of direct guidance in the
relevant literature regarding the selection of forensic software tools. However, the
literature and marketplace are worth examining in order to fully explore the general issues
surrounding forensic software tools.
The second stage of this study was to assess the state of practice by computer forensic
investigators in relation to tool selection. In order to explain the use of a particular tool
one must first understand the organisational context and the nature of the investigation
together with the intentions and actions of the computer forensic investigators involved.
Accordingly, this research investigated the underlying variables and the beliefs of
practising computer forensic investigators regarding the influences of these variables
upon the selection decision.
The third stage of this research involved bringing together the principal
characteristics identified in the previous two stages to form a generalised set of
characteristics that describes the primary forensic software tool selection criteria which
may be used to assist the various stakeholders in the selection process.
Category 1: Disk imaging          Category 2: String searching
EnCase                            EnCase
FTK Imager                        DTSearch
Norton Ghost                      AccessData Forensic Toolkit (FTK)
DD/DCFLDD                         Paraben Email Examiner
5 Selection criteria
During these interviews, four distinct areas of concern emerged as common themes:
• General managerial (non-technical) issues – applicable to both forensic and
non-forensic software tools
• General technical considerations applicable to all categories of forensic
software tools
• Specific technical considerations in relation to the two categories (disk imaging and
string searching) under consideration
• Legal issues related to subsequent civil prosecution based on digital evidence
obtained by a forensic software tool.
In-depth analysis of the outcomes of the interviews resulted in further decomposition of
the selection themes above to show the decision criteria and variables as identified by the
participants, as illustrated in Figure 1. The following sections will discuss these criteria.
involving forensically recovered digital evidence do not end up in the courts or result in
an out-of-court settlement (Ernst and Young, 2005), but the injured party values the
threat of a court prosecution.
• Non-repudiation
The issue of non-repudiation of digital evidence (whether a party to an offence is
able to deny having performed a particular action; McCullagh and William, 2002) was
considered to be of extremely high importance for criminal cases and very important
for civil cases.
• Verifiability
Forensic tools produce a demonstrably accurate result, as objection to authenticity
may involve questioning the reliability of the computer program that generated or
processed the computer evidence in question. In such cases the proponent of the
evidence must testify to the validity of the program utilised in the process (Patzakis
and Limongelli, 2004).
• Repeatability
Repeatability of an investigation or deduction of an action/data from an original
source was considered important, as a subsequent court action would require a
complete explanation or demonstration of how digital evidence was obtained.
• Product maturity
Issues such as how stable the tool is in terms of its evolution and if it would
continue to evolve. The issue of continuing evolution (in terms of product
improvement/enhancement) was ranked as being moderately important.
• Vendor choice
The main issues in relation to vendors were the availability and choice of vendors
and the firm’s allegiance or strategic business alliance with any specific vendor. In
the main, this was not identified as being a particularly important issue.
• Vendor support
The quality of ongoing vendor support was of importance. Important indicators of
reliable vendors include: availability of immediate (24-hour) telephone support,
quality of consulting services, and quality of training services. In addition, several
participants took into account the endorsement and evaluation of the vendor and the
vendor’s product from other current users and industry sources.
• Training
The availability of professional (usually vendor-backed) training was seen as
an important issue. Specifically issues such as average training time, associated
costs, availability of suitable training materials and ease of access to training
were identified.
• Presentation/Reporting
The depth, level and nature of the reports produced from tools are considered very
important from two perspectives – that of the forensic investigator who requires
in-depth technical data for scrutiny and that of the non-technical audience (managers,
lawyers, judge, jury, etc.).
• Usability
Whilst usability has a broad definition covering ease of learning, ease of use,
flexibility of use, effectiveness of use and user satisfaction with a system, the
principal usability issues for computer forensic investigators were speed and
ease of learning.
• Reliability
The reliability of both the forensic software tool and its output has potentially serious
ramifications, particularly when most legal systems require very high levels of
assurances regarding evidentiary offers of proof.
• Underlying technology
Participants identified the need to understand the scientific principles underlying the
tool. It is therefore necessary to understand the underlying technologies behind the
various tools used and their ability to present scientifically valid information.
• Speed
This refers to the speed at which a tool operates and speed at which results may be
obtained from the forensic examination of a system. In particular, due to the growing
size of hard disk capacities, imaging and searching speeds were considered
particularly important.
The main technical issues applicable to this category of forensic software tool which
affect the selection decision are:
• A complete forensically accurate bit-stream duplicate (image) of a disk (or partition,
other media device) must be made
• The tool should be able to verify the integrity of the disk image
• The tool must not alter the original disk in any way
• The investigator must be able to prove the duplicate data hasn’t been modified from
the original acquisition
• The tool should be reliable in that it must work correctly each time it is used and an
identical image should be produced
• The tool should log all I/O errors.
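The imaging requirements listed above (bit-stream duplicate, integrity verification, proof that the duplicate matches the acquisition, identical results on repeated runs, logging of every I/O error) together with the verifiability and repeatability criteria from Section 5 can be exercised in a few dozen lines. The following is an added example written for this page; it is not code from the paper or from any of the tools it names. `FaultySource` is a constructed stand-in for a drive with an unreadable sector, `io.BytesIO` stands in for the evidence file, and the zero-fill-on-error behaviour is the convention of `dd conv=noerror,sync` rather than anything the paper specifies.

```python
"""Bit-stream acquisition with hash verification and I/O error logging.
Added illustration for this page; not the paper's or any vendor's code."""
import hashlib
import io
from typing import Dict, List, Tuple

BLOCK_SIZE = 512  # sector-sized reads: one bad sector costs one block, not the image


class FaultySource:
    """Constructed stand-in for a damaged drive, opened read-only. Any read that
    touches a block listed in `bad_blocks` raises OSError, as a device would on
    an unreadable sector. It exposes only seek/read, so nothing can write to it."""

    def __init__(self, data: bytes, bad_blocks=()):
        self._data = data
        self._bad = set(bad_blocks)
        self._pos = 0

    def seek(self, offset: int) -> int:
        self._pos = offset
        return self._pos

    def read(self, size: int) -> bytes:
        first = self._pos // BLOCK_SIZE
        last = (self._pos + max(size, 1) - 1) // BLOCK_SIZE
        if any(b in self._bad for b in range(first, last + 1)):
            raise OSError(f"unreadable sector at byte offset {self._pos}")
        chunk = self._data[self._pos:self._pos + size]
        self._pos += len(chunk)
        return chunk


def acquire(source, dest, size: int) -> Dict:
    """Copy `size` bytes from `source` to `dest` block by block.

    Unreadable blocks are logged and replaced with zeros so that every later
    byte keeps its original offset (the dd conv=noerror,sync convention).
    The returned record holds MD5 and SHA-256 of exactly the bytes written,
    plus the error log that the examiner's report must reproduce."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    errors: List[Dict] = []
    offset = 0
    while offset < size:
        want = min(BLOCK_SIZE, size - offset)
        source.seek(offset)
        try:
            chunk = source.read(want)
        except OSError as exc:
            errors.append({"offset": offset, "length": want, "error": str(exc)})
            chunk = b"\x00" * want
        dest.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        offset += want
    return {"bytes": size, "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest(), "errors": errors}


def verify(image: bytes, acquisition: Dict) -> bool:
    """Independent re-hash of the stored image against the acquisition record.
    This is the check an examiner repeats before analysis and again before court."""
    return (len(image) == acquisition["bytes"]
            and hashlib.sha256(image).hexdigest() == acquisition["sha256"])


def demo() -> Tuple[Dict, Dict, bytes, bytes]:
    """Constructed 8-sector disk whose sector 3 is unreadable, imaged twice."""
    disk = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))
    img1, img2 = io.BytesIO(), io.BytesIO()
    acq1 = acquire(FaultySource(disk, bad_blocks={3}), img1, len(disk))
    acq2 = acquire(FaultySource(disk, bad_blocks={3}), img2, len(disk))
    return acq1, acq2, img1.getvalue(), img2.getvalue()


if __name__ == "__main__":
    a1, a2, i1, i2 = demo()
    print("sha256:", a1["sha256"])
    print("errors:", a1["errors"])
    print("repeatable:", a1["sha256"] == a2["sha256"], "verified:", verify(i1, a1))
```

Two design points matter for admissibility. The hashes are computed over the bytes actually written, so a zero-filled bad sector is part of the recorded hash and the error log explains why; an examiner who later re-images the same drive should obtain the same hash and the same log, which is the repeatability the participants asked for. And `verify` takes the image as stored, not the in-memory copy, so any later alteration of the evidence file is caught.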
• The tool should produce no false positives, i.e., a test should not report, incorrectly,
that it has found the target string where none exists in reality.
• The tool should produce no false negatives, i.e., a test should not report, incorrectly,
that the target string(s) were not detected when, in fact, they are present.
Practitioners reported that false negatives had a much more serious impact than false
positives. The rationale behind this being that a small amount of time had to be
invested in the clarification of a false positive, by comparison to the potential
damage of not identifying suspect data (false negative).
• The tool should be able to accomplish/implement all the features as ‘promised’ by
the product data sheet. For example, Boolean style search, stemming, indexing, etc.
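The false-positive and false-negative criteria above can be measured rather than asserted, provided the image has known ground truth. The following is an added example for this page, not code from the paper or from any search tool it names. It constructs a small image with keyword occurrences at known offsets (plain ASCII in an allocated sector, UTF-16LE in an unallocated sector holding the remnant of a deleted Windows document, and a substring decoy), runs a naive ASCII-only search beside a multi-encoding case-insensitive search, and scores both against the ground truth. The sector layout, the keyword and the text fragments are all constructed.

```python
"""Keyword search over a raw image, scored for false positives and negatives
against constructed ground truth. Added illustration; not the paper's code."""
import re
from typing import Dict, List, Set, Tuple

SECTOR = 512

Hit = Tuple[str, int, str]  # (term, byte offset, encoding label)


def encodings_for(term: str) -> Dict[str, bytes]:
    """Byte forms a keyword may take on disk: UTF-8/ASCII, and the UTF-16LE
    form used by NTFS names, the registry and many Windows applications."""
    return {"utf-8": term.encode("utf-8"), "utf-16le": term.encode("utf-16-le")}


def naive_search(image: bytes, terms: List[str]) -> Set[Hit]:
    """Case-sensitive, ASCII-only substring search: what a quick grep gives."""
    hits: Set[Hit] = set()
    for term in terms:
        pattern = term.encode("utf-8")
        start = image.find(pattern)
        while start != -1:
            hits.add((term, start, "utf-8"))
            start = image.find(pattern, start + 1)
    return hits


def forensic_search(image: bytes, terms: List[str]) -> Set[Hit]:
    """Every encoding, case-insensitive, over the whole image including
    unallocated sectors. IGNORECASE on bytes covers ASCII letters, which is
    enough for the UTF-16LE form of ASCII keywords as well."""
    hits: Set[Hit] = set()
    for term in terms:
        for label, pattern in encodings_for(term).items():
            for m in re.finditer(re.escape(pattern), image, re.IGNORECASE):
                hits.add((term, m.start(), label))
    return hits


def evaluate(found: Set[Hit], truth: Set[Tuple[str, int]]) -> Dict[str, int]:
    """Score reported (term, offset) pairs against the known occurrences."""
    reported = {(term, offset) for term, offset, _ in found}
    return {"true_positives": len(reported & truth),
            "false_positives": len(reported - truth),
            "false_negatives": len(truth - reported)}


def build_sample_image() -> Tuple[bytes, Set[Tuple[str, int]]]:
    """Constructed 4-sector image with known locations of the term 'evidence'."""
    sectors = [bytearray(SECTOR) for _ in range(4)]
    allocated = b"Memo: the evidence is in the ledger."          # sector 0: live file
    decoy = b"As evidenced by the quarterly report."             # sector 1: substring only
    deleted = "Delete the Evidence folder".encode("utf-16-le")    # sector 2: unallocated
    sectors[0][:len(allocated)] = allocated
    sectors[1][:len(decoy)] = decoy
    sectors[2][:len(deleted)] = deleted                           # sector 3 stays wiped
    image = bytes(b"".join(sectors))
    truth = {("evidence", allocated.index(b"evidence")),          # offset 10
             ("evidence", 2 * SECTOR + len("Delete the ") * 2)}   # offset 1046
    return image, truth


if __name__ == "__main__":
    img, truth = build_sample_image()
    print("naive   :", evaluate(naive_search(img, ["evidence"]), truth))
    print("forensic:", evaluate(forensic_search(img, ["evidence"]), truth))
```

The naive search misses the UTF-16LE occurrence in unallocated space (a false negative, the outcome practitioners rated most serious), while both searches flag the substring inside "evidenced" (a false positive that costs an examiner a moment to dismiss). Scoring against ground truth in this way is how a candidate tool's claims on its data sheet can be checked before it is trusted on real media.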
5.6 Summary
Table 2 lists the decision criteria and variables as discussed above (and illustrated in
Figure 1) along with their associated level of importance (not important, moderately
important, important, very important) as ranked by the participants in this study.
6 Conclusions
6.1 Future research
There are a number of limitations in the current study. Future studies should include a
larger number of forensic practitioners and firms, a greater diversity of participants in
terms of country of origin and commercial versus law enforcement organisations
operating in more than one country. This increase in sample size would allow for the
development of a more comprehensive and significant set of selection factors. In
addition, future studies should be broadened to include a larger set of forensic software
tool categories that would allow for multiple selection characteristic sets.
Despite its limitations, this study makes an important contribution to our
understanding of forensic software tool selection by computer forensic investigators and
the selection issues in the current business environment.
In addition to the above, there are a number of key issues to be addressed in the future
with regard to both the development, evolution and selection of forensic software tools.
Three leading issues are software reliability, the open-source debate and the need for a
formalised decision model for the selection of forensic software tools. These issues will
be discussed in the following sections.
Greathouse presented a twist in computer forensic case law: rather than the typical
situation in which the defence challenges the prosecution’s use of a particular tool, the
defence argued instead that the prosecution should have used a specific market-leading
tool (EnCase) (Kenneally, 2001).
There remains an open issue for forensic software investigators. Should evidence
derived from proprietary software be scrutinised just because the source code is made
secret? Closed mechanisms are inherently incompatible with the reliability requirements
of digital evidence such as embodied in the Daubert test, and as such create a dilemma
for judges when the instrument’s reliability is legitimately called into question.
6.2 Summary
This paper has reported on the issues facing computer forensic investigators in law
enforcement agencies, governments and companies in the selection of the most
appropriate forensic software tool for a given situation. It has discussed the issues of
reliability and admissibility of digital forensic evidence gathered using forensic software
tools and has highlighted the need for both the courts and computer forensic investigators
to justify answers to the questions of “what makes a ‘good’ forensic software tool?” and
“how to make a ‘good’ choice of forensic software tool?”
This research set out to provide a more comprehensive understanding of the
factors that computer forensic investigators and their firms consider significant to
the selection of a forensic software tool for use in a computer investigation in
industrial practice and thereby address the key research question: “What are the
forensic software tool characteristics that contribute to the selection of a tool for a
given forensic investigation?”
Acknowledgements
The author acknowledges the assistance of the students of the MSc in Security and
Forensic Computing class of 2004–2005 and the cooperation of the forensic computing
practitioners and organisations who participated in this study. The author also
acknowledges the assistance of Professor Kurt Engemann and the anonymous reviewers
for their helpful comments in the preparation of this article.
References
Armstrong, C. (2003) ‘Developing a framework for evaluating computer forensic tools’,
Proceedings of Evaluation in Crime and Justice Conference, Canberra, Australia, March.
Arthur, K. and Venter, H. (2004) ‘An investigation into computer forensic tools’, Proceedings 4th
Annual Information Security South Africa Conference, July.
Carrier, B. (2002) ‘Open source digital forensics tools: the legal argument’, Research Report,
@Stake Inc., October.
Coombes, H. (2001) Research Using IT, Palgrave.
Ernst and Young (2005) Computer Forensic Case Studies, http://www.ey.com/global/content.nsf/
Ireland/tsrs_computer_forensics_case_studies_overview, Ireland, (retrieved January 2005).
Hwang, C.L. and Yoon, K. (1981) Multiple Attribute Decision Making: Methods and Applications,
Springer Verlag.
Jones, S. (1985) ‘Depth interviewing’, in R. Walker (Ed.) Applied Qualitative Research, Gower.
Kenneally, E. (2001) ‘Gatekeeping out of the box – open source as a mechanism to assess
reliability for digital evidence’, Virginia Journal of Law and Technology, Vol. 6, No. 3.
Kenneally, E. (2002) ‘Computer forensics – beyond the buzzword’, Login, August, Vol. 27, No. 4.
Kim, S. and Yoon, Y. (1992) ‘Selection of a good expert system shell for instructional purposes in
business’, Information and Management, Vol. 23, No. 5.
Lai, V., Trueblood, R. and Wong, B. (1999) ‘Software selection: a case study of the application of
the analytical hierarchical process to the selection of a multimedia authoring system’,
Information and Management, Vol. 36, No. 4.
Lethbridge, T. (2004) ‘Value assessment by potential tool adopters: towards a model that considers
costs, benefits and risks of adoption’, Proceedings of 4th International Workshop on
Adoption-Centric Software Engineering, May.
McCullagh, A. and William, C. (2002) ‘Non-repudiation in the digital environment’, First Monday,
Vol. 5, No. 8.
Meyers, M. and Rogers, M. (2004) ‘Computer forensics: the need for standardisation and
certification’, International Journal of Digital Evidence, Vol. 3, No. 2.
Muralidhar, K., Santhanam, R. and Wilson, R. (1990) ‘Using the analytic hierarchy process
for information system project selection’, Information and Management, Vol. 18, No. 2,
pp.87–95.
O’Connor, R. (2004) ‘A decision framework for forensic software tool selection’, in K. Engemann
and G. Lasker (Eds.) Advances in Decision Technology and Intelligent Information Systems,
IIAS, Vol. V.
Patzakis, J. (2003) ‘Maintaining the digital chain of custody’, Infosecurity Europe
Conference, April.
Patzakis, J. (2004) ‘Computer forensics as an integral component of the information security
enterprise’, Guidance Software White Paper, www.guidancesoftware.com/corporate/
whitepapers (retrieved December 2004).
Patzakis, J. and Limongelli, V. (2004) EnCase Legal Journal, Guidance Software, December.
Rod, M. (2002) ‘Options in computer forensic tools’, Computer Fraud and Security, November,
No. 11, pp.8–11.
Rogers, E.T. (2003) Diffusion of Innovations, Free Press.
Stephenson, P. (2004) ‘The right tools for the job’, Digital Investigation: The International Journal
of Digital Forensics and Incident Response, Vol. 1, No. 1, pp.24–27.
White, L. (1996) ‘Maladjusted contrivances and clumsy automation: a jurisprudential
investigation’, Harvard Journal of Law and Technology, Vol. 9, No. 2.
Wick, C., Avramov-Zamurovic, S. and Lylem, J. (2004) ‘Hard disk interface used in computer
forensic science’, Proceedings of the IEEE Instrumentation and Measurement Technology
Conference, May.
Note
1 Digital Forensics Research Workshop, www.dfrws.org