It is very important to test and validate your digital forensic tools before use. This not only gives you the confidence in your tools but allows you to testify in court that your tools were working properly before exposing important digital evidence to them. Try your hand at developing a simple testing plan based on a specific software or hardware tool. For example, you may decide you want to test the forensic acquisition functionality of FTK Imager (which is available for free from http://www.accessdata.com/support/product-downloads); you may want to visit a site that provides free forensic software tools (like http://forensiccontrol.com/resources/free-software/) and test one you find there; or you could even choose something as simple as your own word processing software. Pick just ONE specific aspect of the tool you choose (such as the ability of FTK Imager to capture physical memory, or the ability of your word processor to view a document’s properties or metadata), and design a simple step-by-step method to test or validate that aspects of the tool’s process.
Drafting a testing and validation plan is not difficult; we do this type of thing in our daily lives all the time without knowing it. The basic question is: “How do I know that my ______ is working properly?” That’s it… Bottom line. For example, consider something as simple as a pair of scissors. If you were going to test a pair of scissors, what types of question would you ask yourself?
1. What are scissors for? Cutting, of course.
2. What could I use them for? Of what are they capable? Cutting paper. Cutting fabric. Cutting meat. Opening beer.
3. Could I design a test to validate that these scissors can, in fact, cut paper? Yes.
4. What will I need for this test? Scissors. 5 pieces of paper. About 5 minutes.
5. What action will I take to test this function? 1) Pick up scissors. 2) Pick up paper. 3) Open scissors. 4) Insert paper between blades. 5) Close scissors.
6. What is my standard for a completed test? That the two blades of the scissors came together in a scissoring motion when I closed the scissors.
7. What result would validate that these scissors can successfully be used for cutting? The paper was cut into two separate pieces along the points where the blades of the scissors met.
8. How do I know this isn’t a fluke or a coincidence? Repeat 4 more times. If same result, then the ability of the scissors to cut paper is confirmed. Meaning, I can say that I tested them, and I’d be confident using them in the future and reasonably sure I would get the same result.
It is that simple. Obviously, your testing of a forensic tool should be presented in a more “official” and formal way than just a serious of questions and short answers, but you get the idea… If you want to check out some testing anf validation reports created by professionals, check out the NIST Computer Forensic Tool Testing (CFTT) Project.
Drafting a testing and validation plan is not difficult; we do this type of thing in our daily lives all the time without knowing it. The basic question is: “How do I know that my ______ is working properly?” That’s it… Bottom line. For example, consider something as simple as a pair of scissors. If you were going to test a pair of scissors, what types of question would you ask yourself?
1. What are scissors for? Cutting, of course.
2. What could I use them for? Of what are they capable? Cutting paper. Cutting fabric. Cutting meat. Opening beer.
3. Could I design a test to validate that these scissors can, in fact, cut paper? Yes.
4. What will I need for this test? Scissors. 5 pieces of paper. About 5 minutes.
5. What action will I take to test this function? 1) Pick up scissors. 2) Pick up paper. 3) Open scissors. 4) Insert paper between blades. 5) Close scissors.
6. What is my standard for a completed test? That the two blades of the scissors came together in a scissoring motion when I closed the scissors.
7. What result would validate that these scissors can successfully be used for cutting? The paper was cut into two separate pieces along the points where the blades of the scissors met.
8. How do I know this isn’t a fluke or a coincidence? Repeat 4 more times. If same result, then the ability of the scissors to cut paper is confirmed. Meaning, I can say that I tested them, and I’d be confident using them in the future and reasonably sure I would get the same result.
It is that simple. Obviously, your testing of a forensic tool should be presented in a more “official” and formal way than just a serious of questions and short answers, but you get the idea… If you want to check out some testing anf validation reports created by professionals, check out the NIST Computer Forensic Tool Testing (CFTT) Project.
Comments
Post a Comment