Forensic Tool Capabilities
3.4 Forensic Tool Capabilities
Forensic software tools strive to handle conventional investigative needs by addressing a wide range of applicable devices. More difficult situations, such as the recovery of deleted data from the memory of a device, may require more specialized tools and expertise and disassembly of the device. The range of support provided, including mobile device cables and drivers, product documentation, PC/SC readers, and the frequency of updates, can vary significantly among products. The features offered such as searching, bookmarking, and reporting capabilities may also vary considerably.
Discrepancies in recovering and reporting the test data residing on a device have been noted in previous testing of tools. They include the inability to recover resident data, inconsistencies between the data displayed on workstation and that generated in output reports, truncated data in reported or displayed output, errors in the decoding and translation of recovered data, and the inability to recover all relevant data. On occasion, updates or new versions of a tool were also found to be less capable in some aspects than a previous version was.
Quality measures should be applied when choosing a tool to ensure its acceptability and reapplied when updates or new versions of the tool become available. These results play a factor in deciding the appropriateness of the tool, how to compensate for any noted shortcomings, and whether to consider using a different version or update of the tool. Validating a tool entails defining and identifying a comprehensive set of test data, populating the data onto the device, following acquisition procedures to recover the test data, and assessing the results [Aye11, Jan09]. Present-day tools seldom provide the means to obtain detailed logs of data extraction and other transactions that would aid in validation. An Quality measures should be applied when choosing a tool to ensure its acceptability and reapplied when updates or new versions of the tool become available. These results play a factor in deciding the appropriateness of the tool, how to compensate for any noted shortcomings, and whether to consider using a different version or update of the tool. Validating a tool entails defining and identifying a comprehensive set of test data, populating the data onto the device, following acquisition procedures to recover the test data, and assessing the results [Aye11, Jan09]. Present-day tools seldom provide the means to obtain detailed logs of data extraction and other transactions that would aid in validation. An
The most important characteristic of a forensic tool is its ability to maintain the integrity of the original data source being acquired and also that of the extracted data. The former is done by blocking or otherwise eliminating write requests to the device containing the data. The latter is done by computing a cryptographic hash over the contents of the evidence files created and recurrently verifying that this value remains unchanged throughout the lifetime of those files. Preserving integrity not only maintains credibility from a legal perspective, but it also allows any subsequent investigation to use the same baseline for replicating the analysis.
Forensic Hash Validation: A forensic hash is used to maintain the integrity of an acquisition by computing a cryptographically strong, non-reversible value over the acquired data. After acquisition, any changes made to the data may be detected, since a new hash value computed over the data will be inconsistent with the old value. For non-forensic tools, hash values should
be created using a tool such as sha1sum and retained for integrity verification. Even tools labeled as forensic tools may not compute a cryptographic hash, and in these cases an integrity hash should be computed separately.
Note that mobile devices are constantly active and update information (e.g., the device clock) continuously. Therefore, back-to-back acquisitions of a device will be slightly different and produce different hash values when computed over all the data. However, hash values computed over selected data items, such as individual files and directories, generally remain consistent. Hash inconsistencies may occur requiring the examiner to perform an element-by-element verification ensuring data integrity. Hash validation across multiple tools is challenging due to proprietary reporting formats.