Posted: Tue Nov 17, 2009 10:05 am Post subject: How to get Court Precedence on Forensic Software?
I have been developing forensic software for quite some time now, and I now have a complete forensic toolkit. As I draw near to completing my application, I will need to have my software tested in the field and undergo scrutiny of the prosecution to have it stand up in court. Is there any method to have my software undergo these tests to become certified for forensic investigations? I am familiar with several people in the local BCI. Should I contact them to test it alongside programs like FTK for use in court to validate its performance?
Brief Overview of the Application
- Tested for high-performance carving and string searching of large images
- Provides file system analysis such as Thumbs.db files, Internet History, P2P file analysis, file search with hashing abilities, Recycle Bin analysis (Vista, XP and 7), Windows Prefetch
- Write protection through USB
- Clone drives, wipe drives, image, etc.
- Forensic automation and removal of known benign files (based on NIST databases)
Joined: Jan 01, 2007 Posts: 651 Location: Midwest, USA
Posted: Tue Nov 17, 2009 1:13 pm Post subject:
I think the perception that the "big boys" are somehow certified by the courts does a disservice to other developers. Harlan Carvey writes many useful programs that are not really certified and, unless you read his books, are probably not well known.
The one program of his I use regularly is RegRipper. At best all I have had to do is explain the use for the program.
I am sure someone in Richfield or London would use your tool.
I think the perception that the "big boys" are somehow certified by the courts does a disservice to other developers.
I'm of the opposite opinion: the concept that there should be thorough and impartial testing at some stage is a very bracing thought, and should be encouraged.
It's unfortunate that such testing far too seldom is done.
A tool that came with a test design, and test cases, and perhaps even test protocols -- that is a tool I would tend to trust enough to take on for a test.
Somewhere or other I once found an excellent test suite for tar archives (a German project, I think). Of course I tried it out on archive unpackers, AV software, forensic viewers, etc., with rather disappointing results. That kind of perverse delight in creating tests that crashed so many tar unpackers/viewers is just what the area of computer forensic software needs a bit more of. Even some of the big boys seem to have a very relaxed attitude to quality assurance.
Joined: Jan 01, 2007 Posts: 651 Location: Midwest, USA
Posted: Tue Nov 17, 2009 10:26 pm Post subject:
athulin wrote:
I'm of the opposite opinion: the concept that there should be thorough and impartial testing at some stage is a very bracing thought, and should be encouraged.
I guess I was not clear in my comments. I agree that there should be a way to test and validate software. My comment was that there is some perception that only the few "major" products are the only tools certified by the courts thus stifling development by smaller vendors. The courts do not certify anything. The courts are presented with the results of what an examiner has performed, how it was performed and the tools used to perform the work, then a ruling is made to accept or reject the evidence/testimony. The courts never say, Tool 2.0 is not worthy because it crashes too often and may not produce valid, repeatable results, however Tool 3.0 looks promising.
Posted: Thu Nov 19, 2009 2:31 am Post subject: after asking around
I spoke with my professor yesterday, who is involved in HTCIA. It is true that the courts do not certify a program, just the evidence they produce. I guess I'm looking for some testers to use my application alongside FTK to prove that the evidence it produces is accurate and usable in court. Developing software and gaining this kind of testing is discouraging, but since I have been working on this program for over 2 years I will see it through. The only concern I have is that my program has a faster carving engine than FTK and ran faster on less resources, which may cause some concern over whether it is really as accurate as the big boys (even though my program often found more files).
1TB on FTK 3 would take 19.5 hrs on a Core i7 quad core with 16GB RAM
I did a 1TB on 8GB of RAM AMD X2 Dual Core (running Windows 7) in 13hrs
I have a slight concern that if my program proves faster than the big boys then speculation will occur on the validity of the evidence... so I guess the best way to verify it is to have testers in the field.