Control Process for Evaluating Forensics Tools

Due to the rising complexity and growing number of cybercrime cases, the tools we, as forensic investigators, use to detect, record, prove, and analyze the systems and programs that cybercriminals rely on need to evolve as well. Thankfully, our efforts in digital forensics are aided by a multitude of advanced forensic tools and analyzers, but one question remains: how does one know which are the right tools for the job?

Just as any information systems project relies on proper research and testing of its tools before the project begins, so does a forensic investigation. Using an outdated tool for email recovery, for example, could cause incompatibility issues with the rendered data, opening up the possibility of corrupting the collected evidence. Using the wrong type of disk analyzer can cause problems with backing up hard drive data, causing the evidence collection process to fail. These are the reasons one must carefully and methodically test and rate all digital forensic tools.

If I were to develop my own digital forensic testing method, it would consist of equal parts research and testing, while documenting everything I can about each testing phase. To begin, I would simply collect data regarding the brand, product number, price, potential uses, potential problems, the hardware/software I would need to use the tool, serial number, etc.; this data will help facilitate later stages of documenting each testing phase, as well as provide the means for a quick product comparison between all of the included digital forensic tools. I would also record whether the tool offers a trial that I can use to test it without purchasing it. All of the previously mentioned data would be collected into a standardized document for each digital forensic tool, providing a simple, streamlined method of data acquisition. For example, the report could look something like this:

| Brand | Product Name | Price | Potential Uses | Potential Problems | Serial Number | Hardware/Software Required | Free Trial? |
|-------|--------------|-------|----------------|--------------------|---------------|----------------------------|-------------|
|       |              |       |                |                    |               |                            |             |

Next, I would develop a standardized system for testing each digital forensic tool, as well as a standardized document for collecting the results. For the test, I would most likely create sample test subjects ranging from fraudulent emails, email file systems, email databases, social media accounts, and social media account data collections to hard drives and other types of test subjects that a digital forensic tool could identify, scan, analyze, and verify. To ensure the testing process's results are as accurate as possible, the same test subjects should be used for each forensic tool. A vital part of forensic investigations is adhering to various legal processes and regulations, so my research into each forensic tool should also note any legal issues I may face.

For example, if I were comparing several digital forensic toolkits’ abilities to extract, analyze, and copy data from a hard drive, I would need to have a separate hard drive with the same contents for each tool. One by one, I would apply the recommended steps to extract and copy the data from each drive using each tool I was testing, all while documenting everything I can about the process. By using the same hard drive test subjects, I could then test for different variables, such as encountering a power outage during a backup of the drive I was testing; if one forensic tool handles this situation better than the others, I would indicate this in my documentation.

After using my various digital forensic tools on all of my test subjects and applying different scenarios and variables, I would have an abundance of documentation and data showing which tool performs the best overall, in certain situations, and with specific programs/devices; which were the fastest and slowest to achieve their results; and which provided the highest confidentiality, integrity, and availability of the original test subject's data, the data accumulated from the test, and the testing process itself. I would then create a points system for my results. For example, if a forensic tool finished copying the data from a drive within an hour, it would be granted one point; if it took two hours, it would be awarded zero points (this is merely an example of how it would work).

At the end of the research, testing, and scoring phases, and after assigning points for the overall success (or failure) of each digital forensic tool, I would have every tool I tested ranked by its overall effectiveness. Using the data and rankings for each forensic tool, I could then decide which tools to purchase or use for a specific job, or provide the data to my superiors to support requests for additional funding.
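The scoring and ranking procedure described above, written out as an added example that is not part of the original post: each tool copies the same reference drive contents, the copy is verified against a SHA-256 hash of the reference (the integrity check an examiner would want before trusting any image), and points are awarded for the one-hour time limit and for the power-outage scenario. The point weights, the tool names and the sample drive contents are all constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed reference test subject: identical contents are given to every tool.
REFERENCE_DRIVE = b"sample drive contents for tool evaluation\n" * 256


@dataclass
class ToolRun:
    tool: str                   # hypothetical tool name
    copied_image: bytes         # what the tool produced from the reference drive
    seconds: float              # time taken to finish the copy
    survived_power_loss: bool   # recovered cleanly in the outage scenario


def sha256_hex(data: bytes) -> str:
    """Hash used to verify that a tool's copy matches the original evidence."""
    return hashlib.sha256(data).hexdigest()


def score_run(run: ToolRun, reference_hash: str, time_limit_s: float = 3600.0) -> dict:
    """Apply an illustrative points system: integrity (2 pts), speed (1), outage (1)."""
    integrity_ok = sha256_hex(run.copied_image) == reference_hash
    points = 0
    if integrity_ok:
        points += 2             # an altered image is worthless regardless of speed
    if run.seconds <= time_limit_s:
        points += 1             # the "copied within an hour" rule from the text
    if run.survived_power_loss:
        points += 1             # handled the power-outage variable
    return {"tool": run.tool, "integrity_ok": integrity_ok, "points": points}


def rank_tools(runs: list[ToolRun], reference: bytes = REFERENCE_DRIVE) -> list[dict]:
    """Score every run against the same reference; rank by points, then by speed."""
    ref_hash = sha256_hex(reference)
    scored = [score_run(r, ref_hash) | {"seconds": r.seconds} for r in runs]
    return sorted(scored, key=lambda s: (-s["points"], s["seconds"]))


# Constructed results: tool B's copy has one corrupted byte, tool C was slow and failed the outage test.
SAMPLE_RUNS = [
    ToolRun("ToolA", REFERENCE_DRIVE, 1800.0, True),
    ToolRun("ToolB", REFERENCE_DRIVE[:-1] + b"X", 900.0, True),
    ToolRun("ToolC", REFERENCE_DRIVE, 7200.0, False),
]

if __name__ == "__main__":
    for row in rank_tools(SAMPLE_RUNS):
        print(row)
```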

