Hi all,
I was curious to know if forensic examiners on this forum use 2 forensic tools to verify the results of an image of a drive. For example, I use FTK and plan on using ProDiscover, say, to verify and confirm the results FTK gives me.
In my training they did not specify 2 tools; rather, use one and know how to use it well. Also, would failure to use 2 tools (software programs) come into play in court?
Any input is welcome.
IMHO, all issues relating to whether this will happen in court or not are decided on a case-by-case basis.
You will encounter times where you are the expert on one side and the other side has no expert. Or, maybe you come across something someone else has missed.
The validation of tools could come into play if there is someone who is knowledgeable with forensic practices and thinks to go along that line of questioning.
It's always good practice to document, document, document the steps taken, but not necessarily the information you find.
While I can easily see how you can find something with one tool, and maybe not see that same thing right off the bat with another, I'm not sure why you'd need to use two tools to verify the same thing.
Say you're looking at the contents of a file, or a Registry entry. If you can see it in ProDiscover, why would you then need to open it in FTK? It's there…nothing's going to change that.
Harlan,
Have you ever used one tool and received different results when you went to verify? Somewhere along the line someone has…
Maybe it's something one program missed in which case the results would be different and would force you to go back and review the situation.
> Have you ever used one tool and received different results when you went to
> verify? Somewhere along the line someone has…
Someone else has what?
I can't say as I've seen results from a tool that are different from someone else's, largely because it's very rare that someone posts what they got. Most often, they say, "I ran a tool", and you have to ask them the name/version of the tool, and have to ask them for the actual output.
> Maybe it's something one program missed…
That, I have seen…which is how I got my rootkit detector working from my first book. Running something locally missed the user-mode rootkit, but running the same or similar tool remotely "saw" it.
We always validate with a second tool. It is mainly for the benefit of the lawyers and to discount any argument that the primary tool may not have been working properly.
I agree that it may seem like overkill but we would rather cut out the argument.
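Here is what "validate with a second tool" looks like in practice at the file level, as an added example that is not from this thread or from any of the tools named in it: the file/hash listings exported by two tools are normalized (path separators, leading root, hash case) and then diffed, so hash disagreements and files seen by only one tool surface explicitly instead of being eyeballed. The two CSV exports, their column names and delimiters, and the MD5 values are constructed sample data; real exports will need their own column names passed in.

```python
"""Cross-validate file hash listings exported by two forensic tools.

Added example, not code from the thread or from FTK/ProDiscover.
The two CSV exports below are constructed sample data in the shape
such tools commonly produce: one is comma-separated with columns
"Path,MD5", the other semicolon-separated with "File Path;md5".
Column names, delimiters, paths and hash values are all assumptions.
"""
import csv
import io

# Constructed export from the primary tool: backslash paths, upper-case hashes.
TOOL_A_CSV = r"""Path,MD5
\Users\alice\notes.txt,0F1E2D3C4B5A69788796A5B4C3D2E1F0
\Users\alice\report.docx,11223344556677889900AABBCCDDEEFF
\Windows\System32\drivers\etc\hosts,ABCDEF0123456789ABCDEF0123456789
\Users\alice\budget.xlsx,FFEEDDCCBBAA99887766554433221100
"""

# Constructed export from the second tool: forward-slash paths, lower-case
# hashes, one file the first tool did not list, one hash that disagrees.
TOOL_B_CSV = r"""File Path;md5
/Users/alice/notes.txt;0f1e2d3c4b5a69788796a5b4c3d2e1f0
/Users/alice/report.docx;deadbeefdeadbeefdeadbeefdeadbeef
/Windows/System32/drivers/etc/hosts;abcdef0123456789abcdef0123456789
/Users/bob/secret.zip;0123456789abcdef0123456789abcdef
"""

HEX_DIGITS = set("0123456789abcdef")


def normalize_path(path):
    """Make paths from different tools comparable.

    Tools disagree on separator and on whether the root separator is
    printed; NTFS paths are case-insensitive in the usual configuration,
    so the comparison key is case-folded as well.
    """
    return path.replace("\\", "/").strip("/").casefold()


def parse_listing(text, path_col, hash_col, delimiter):
    """Return {normalized_path: md5_hex_lowercase} from one tool's export.

    Malformed hashes and duplicate paths raise rather than being silently
    accepted: a listing that cannot be trusted must not be used to
    'confirm' the other tool.
    """
    listing = {}
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    for row in reader:
        digest = row[hash_col].strip().lower()
        if len(digest) != 32 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"malformed MD5 for {row[path_col]!r}: {digest!r}")
        key = normalize_path(row[path_col])
        if key in listing:
            raise ValueError(f"duplicate entry for {key}")
        listing[key] = digest
    return listing


def cross_validate(primary, secondary):
    """Diff two listings; every path lands in exactly one bucket."""
    result = {"agree": [], "mismatch": [], "only_primary": [], "only_secondary": []}
    for path in sorted(primary.keys() | secondary.keys()):
        if path not in secondary:
            result["only_primary"].append(path)
        elif path not in primary:
            result["only_secondary"].append(path)
        elif primary[path] == secondary[path]:
            result["agree"].append(path)
        else:
            result["mismatch"].append((path, primary[path], secondary[path]))
    return result


def validate_sample():
    """Run the cross-check on the constructed exports above."""
    primary = parse_listing(TOOL_A_CSV, "Path", "MD5", ",")
    secondary = parse_listing(TOOL_B_CSV, "File Path", "md5", ";")
    return cross_validate(primary, secondary)


if __name__ == "__main__":
    report = validate_sample()
    for bucket, entries in report.items():
        print(f"{bucket}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

Only the "agree" bucket is evidence that the two tools corroborate each other; everything in "mismatch" and the two "only" buckets is exactly the material that has to be re-examined and written up, which is the documentation point made earlier in the thread. Note that agreement between two front ends that share the same parsing library proves less than agreement between independent implementations, so it is worth knowing what the second tool actually reuses.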
I've not used two tools to validate findings, but I use several tools on each exam for different reasons…some are better (i.e., easier and faster) at finding certain types of data. Some tools also have better (easier to read) output of data. And sometimes, I just need to find one little piece of evidence, not index a whole image over the weekend.
As Harlan said, if you see it with one tool, another won't change it.
Brett