Digital Forensic Tool Testing
Principal Investigator: Marcus Rogers
Our project directly addresses the National Academies’ concerns related to measurement validity in the digital evidence domain. Researchers from the University of Central Florida, Purdue University, and law enforcement digital forensic experts will conduct studies to identify issues with the reliability and accuracy of the most accepted software and hardware in use by law enforcement forensic examiners. Our research design is based on employing these tools to conduct the common forensic tasks across varying operating system and file system conditions following the NIST Computer Forensics Tool Testing Guidelines. We have selected popular commercial forensic suites as well as some free and open source software for inclusion in our test bed. These tools run under Windows OS, Mac OS X or Linux. Our research design includes the most frequently encountered file systems, and includes several file systems for each of Windows OS, Mac OS X, and Linux distributions. We have also included select hardware write blockers in our research design, as they are crucial to the forensic examiner’s ability to duplicate media without changing the original evidence.
We have selected black box testing and comparative analysis as methods for identifying issues with the accuracy and reliability of our selected hardware and software. In black box testing the software serves essentially as a “black box,” and the performance of the application is evaluated against its functional requirements. In a digital forensics context, testing is performed by using a tool to carry out forensic tasks under various conditions, such as different file systems, various digital artifacts, different hardware, and various software parameters (switches and settings; Craiger et al., 2006). Comparative analysis is a method that is useful when a validated reference data source is either unavailable, or when creating one would require a significant investment of time and resources that would imprudently delay the actual examination of the evidence (Craiger et al., 2006).
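The comparative-analysis method above, as an added illustration that is not part of this project's code: several tools process the same evidence image, and with no validated reference available, the majority result becomes a provisional reference while every disagreement is reported for the examiner to investigate. The tool names, paths and hash values are constructed sample data.

```python
# Added example, not from the project described above. Comparative analysis of
# file listings (path -> content hash) produced by several forensic tools for
# the same evidence image, when no validated reference data set exists.
# All tool names, paths and hashes below are constructed, not real results.
from collections import Counter

# Constructed listings from three hypothetical tools. "tool_C" misses one
# file and disagrees on one hash, which the analysis must surface.
TOOL_OUTPUTS = {
    "tool_A": {"/Users/alice/report.docx": "aa11", "/Users/alice/.bash_history": "bb22",
               "/tmp/deleted_photo.jpg": "cc33"},
    "tool_B": {"/Users/alice/report.docx": "aa11", "/Users/alice/.bash_history": "bb22",
               "/tmp/deleted_photo.jpg": "cc33"},
    "tool_C": {"/Users/alice/report.docx": "aa11", "/Users/alice/.bash_history": "dd44"},
}


def comparative_analysis(outputs):
    """Compare tool listings against each other by majority vote.

    Returns (consensus, findings). consensus maps each path to the hash a strict
    majority of ALL tools reported (None when no majority exists); findings holds
    one record per tool/path disagreement so the examiner can review the tool.
    """
    tools = list(outputs)
    all_paths = set().union(*(set(o) for o in outputs.values()))
    consensus, findings = {}, []
    for path in sorted(all_paths):
        votes = {t: outputs[t].get(path) for t in tools}
        reported = [v for v in votes.values() if v is not None]
        value, count = Counter(reported).most_common(1)[0]
        # A missing entry counts against the majority: a value only becomes the
        # provisional reference if more than half of all tools reported it.
        consensus[path] = value if count > len(tools) / 2 else None
        for tool, v in votes.items():
            if v is None:
                issue = "missing"
            elif consensus[path] is None:
                issue = "no_consensus"
            elif v != consensus[path]:
                issue = "hash_mismatch"
            else:
                continue
            findings.append({"path": path, "tool": tool, "issue": issue,
                             "got": v, "expected": consensus[path]})
    return consensus, findings
```

A "no_consensus" finding means the tools cannot arbitrate among themselves; that path needs an independently built reference before any tool can be judged accurate on it.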