Evaluating a selection of tools for extraction of forensic data: disk imaging
The evaluation of digital forensic tools has been recognised as a challenging and insufficiently examined research topic in the field of digital forensics. The mainstream digital forensic tools deployed in law enforcement and the private sector are closed-source and expensive commercial packages. Open-source digital forensic tools are the alternative option for organisations with less funding. The reliability of digital evidence that is collected, analysed and presented using those digital forensic tools has been challenged. There are very few organisations that conduct validation research on digital forensic tools. Software vendors may conduct their own validation tests on the software but their findings are usually not available to the public. Three areas related to digital forensic tools have been reviewed in this study, namely an overview of the digital forensic environment, the legal and technical implications of digital forensic tools, and the evaluation of disk imaging tools. Imaging disk drives is a critical process in forensic investigation, and disk imaging tools are the subject of this research. The review of relevant literature has guided the research to study the validity of disk imaging tools. A research model is designed and implemented with the aid of testing specifications, requirements, assertions, case scenarios and test sets. The model hypothesises that the completeness and accuracy of image data positively affect the validity of the disk imaging tools. A set of selected tools is subjected to validation to analyse whether the disk imaging tools generate complete and accurate results. Various case scenarios are designed and the selected tools are validated under a set of forensically sound procedures that are defined according to the test specifications. The validation has exposed problems and issues in the selected disk imaging tools. Some issues of software usability have also been pointed out and discussed.
The study has shown that the attributes of completeness and accuracy positively affect the validity of the disk imaging tools. The research findings will be valuable for law enforcement and the legal community, where forensic disk imaging tools must produce consistent, complete and accurate results. Software developers should focus on ensuring completeness and accuracy of the imaging data when building disk imaging tools. The usability of the tools should not be underestimated. The test results from this study could be used by software developers to improve their tools by making the necessary changes. This study could also enable law enforcement communities or other interested parties to understand the capabilities of the software and become fully aware of the identified shortcomings and issues.