Validation and use of 2 Tools

TMD22
(@tmd22)
Posts: 41
Eminent Member
Topic starter
 

Hi all,

I was curious to know if forensic examiners on this forum use 2 forensic tools to verify the results of an image of a drive. For example, I use FTK and plan on using ProDiscover, say, to verify and confirm the results FTK gives me.

In my training they did not specify 2 tools; rather, use one and know how to use it well. Also, would failure to use 2 tools (software programs) come into play in court?

Any input is welcome.

 
Posted : 02/09/2006 3:30 am
(@armresl)
Posts: 1011
Noble Member
 

IMHO all issues relating to will this happen in court or not are a case by case basis.

You will encounter times where you are the expert on one side and the other side has no expert. Or, maybe you come across something someone else has missed.

The validation of tools could come into play if there is someone who is knowledgeable with forensic practices and thinks to go along that line of questioning.

It's always good practice to document, document, document the steps taken, but not necessarily the information you find.

 
Posted : 02/09/2006 6:50 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

While I can easily see how you can find something with one tool, and maybe not see that same thing right off the bat with another, I'm not sure why you'd need to use two tools to verify the same thing.

Say you're looking at the contents of a file, or a Registry entry. If you can see it in ProDiscover, why would you then need to open it in FTK? It's there; nothing's going to change that.

 
Posted : 02/09/2006 4:29 pm
(@armresl)
Posts: 1011
Noble Member
 

Harlan,

Have you ever used one tool and received different results when you went to verify? Somewhere along the line someone has…

Maybe it's something one program missed in which case the results would be different and would force you to go back and review the situation.

 
Posted : 04/09/2006 6:23 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> Have you ever used one tool and received different results when you went to
> verify? Somewhere along the line someone has…

Someone else has what?

I can't say as I've seen results from a tool that are different from someone else's, largely because it's very rare that someone posts what they got. Most often, they say, "I ran a tool", and you have to ask them the name/version of the tool, and have to ask them for the actual output.

> Maybe it's something one program missed…

That, I have seen…which is how I got my rootkit detector working from my first book. Running something locally missed the user-mode rootkit, but running the same or similar tool remotely "saw" it.

 
Posted : 04/09/2006 7:40 pm
(@igpar1)
Posts: 3
New Member
 

We always validate with a second tool. It is mainly for the benefit of the lawyers and to discount any argument that the primary tool may not have been working properly.

I agree that it may seem like overkill but we would rather cut out the argument.

 
Posted : 09/09/2006 1:18 pm
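The "validate with a second tool" practice igpar1 describes, applied to the one result where two tools genuinely can disagree (the hash of an acquired image), as an added example that is not part of the original thread or any poster's code. Tool A is Python's hashlib; tool B is the coreutils sha256sum/md5sum binary, an independent implementation. Before either tool is trusted on the evidence file, both are run against a published known-answer vector, which is how you show in a report that the tool was working properly on that day. The sample image, its path and the report field names are constructed for this example.

```python
"""Two-tool validation of a disk-image hash (added example, not from the thread).

Tool A: Python's hashlib.  Tool B: the coreutils sha256sum / md5sum binary.
Both are checked against a published known-answer vector first, then run over
the evidence image and compared. The sample image and paths are constructed.
"""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream 1 MiB at a time; real images do not fit in memory

# Published test vectors: SHA-256("abc") from FIPS 180-2, MD5("abc") from RFC 1321.
KNOWN_VECTORS = {
    "sha256": ("abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "md5": ("abc", "900150983cd24fb0d6963f7d28e17f72"),
}


def hash_with_hashlib(image: Path, algo: str = "sha256") -> str:
    """Tool A: stream the file through Python's hashlib."""
    h = hashlib.new(algo)
    with image.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_with_cli(image: Path, algo: str = "sha256"):
    """Tool B: the coreutils binary (sha256sum, md5sum). None if it is not installed."""
    tool = shutil.which(f"{algo}sum")
    if tool is None:
        return None
    out = subprocess.run([tool, str(image)], capture_output=True, text=True, check=True).stdout
    return out.split()[0].lower()  # output format is "<hex>  <filename>"


def cross_validate(image: Path, algo: str = "sha256") -> dict:
    """Hash the image with both tools and record whether they agree."""
    a = hash_with_hashlib(image, algo)
    b = hash_with_cli(image, algo)
    return {
        "image": str(image),
        "algorithm": algo,
        "tool_a": "python-hashlib",
        "hash_a": a,
        "tool_b": f"{algo}sum" if b is not None else None,
        "hash_b": b,
        # True/False when both tools ran; None when tool B was unavailable,
        # which belongs in the report rather than being silently skipped.
        "agree": None if b is None else (a == b),
    }


def known_answer_check(algo: str = "sha256") -> dict:
    """Run both tools on a published vector before trusting them on evidence."""
    msg, expected = KNOWN_VECTORS[algo]
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "kat.bin"
        p.write_bytes(msg.encode())
        r = cross_validate(p, algo)
    r["expected"] = expected
    r["tool_a_ok"] = r["hash_a"] == expected
    r["tool_b_ok"] = None if r["hash_b"] is None else r["hash_b"] == expected
    return r


def make_sample_image(directory: Path) -> Path:
    """Constructed stand-in for a drive image: a 512-byte MBR-like sector with
    the 0x55AA boot signature, zero fill, and a text artefact an examiner might find."""
    sector0 = bytearray(512)
    sector0[510:512] = b"\x55\xaa"
    data = bytes(sector0) + b"\x00" * 2048 + b"Deleted-file-fragment: budget.xls\n"
    image = directory / "evidence.dd"
    image.write_bytes(data)
    return image


def validate_sample_image(algo: str = "sha256") -> dict:
    """Build the constructed image in a temp dir and cross-validate its hash."""
    with tempfile.TemporaryDirectory() as d:
        return cross_validate(make_sample_image(Path(d)), algo)


if __name__ == "__main__":
    for algo in ("sha256", "md5"):
        kat = known_answer_check(algo)
        print(f"[{algo}] known-answer: tool A ok={kat['tool_a_ok']}, tool B ok={kat['tool_b_ok']}")
    print(validate_sample_image())
```

If `agree` comes back `False`, neither hash is "the" hash of the image until the disagreement is explained (a tool reading a different byte range, a sparse-file quirk, a bad block), which is exactly the situation a second tool exists to surface; if it comes back `None`, the report should say the second tool was not run rather than implying it was.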
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

I've not used two tools to validate findings, but I use several tools on each exam for different reasons…some are better (i.e., easier and faster) at finding certain types of data. Some tools also have better (easier to read) output of data. And sometimes, I just need to find one little piece of evidence, not index a whole image over the weekend.

As Harlan said, if you see it with one tool, another won't change it.

Brett

 
Posted : 12/09/2006 4:30 am