Guidance on Digital Forensics

Guidance Software, Inc. Digital Forensics Blog

When Was The Last Time You Tested Your Tools?


By Andy Spruill

March 10, 2010

 

I’ve been pretty quiet for the last month or so. It’s been a very busy time. Outside of the holidays and New Year festivities, I have also testified in another death penalty case and been immersed in a somewhat famous eDiscovery litigation. I fully intend to post some blogs on both of these when appropriate, as there are some fascinating insights and lessons to be learned from both.


Today I want to jump up on another one of my soap boxes. This was spurred by an email I recently read in one of the digital forensic listservs. The Computer Forensic Tools Testing (CFTT) project at the National Institute of Standards and Technology (NIST) is partnering with the National White Collar Crime Consortium (NW3C) to survey local and state law enforcement agencies to see what digital forensic tools they are currently using and would like to see tested by NIST. This is an outstanding idea. I promptly followed the link and completed the survey based on my casework at Westminster PD.


So here is my issue. As we all know, and may have experienced, tools and systems can become inaccurate or even fail with use. This is why forensic accreditations require practitioners across all forensic disciplines to perform some type of routine testing and calibration of the forensic tools and systems used for the capture and analysis of forensic evidence. This makes perfect sense given how heavily these tools and systems may weigh on someone’s liberty.


Too many times when talking about tool validation procedures, I’ve heard fellow practitioners state they only use NIST validated tools, as if this somehow relieved them of this testing requirement. Whenever I hear this, my mind goes to the famous South Park gnome episode… Step 1: NIST Validates Tool, Step 2: “???”, Step 3: Validated Forensic Results. Translation for those of you who don’t watch South Park: Step 2 is the most critical step—and the one that the gnomes so humorously omitted. You must test and calibrate the tools and systems you are using. Not the ones that NIST used or installed, but the ones sitting on your desk or installed on your systems. The service NIST provides is invaluable to our community as it helps guide us towards those tools and systems that meet certain industry or government standards, but in no way does it relieve you of your responsibility to test your specific tools.


To help us with Step 2, our friends at the CFTT project created the Computer Forensic Reference Data Sets (CFReDS) for digital evidence. Basically, they have made available simulated data sets that can be used to validate your tools.


So, when was the last time you actually tested that write blocker in your kit? If not recently, now might be a great time.
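One way to carry out Step 2 on your own workstation, shown as an added example that is not from the original post: run the tool under test against a data set whose hash is already known, then confirm both that the image matches and that the source was not altered. The `acquire` wrapper, the `truncating_tool` fault and the sample data are constructed for illustration, and the check works on a file rather than on a device behind a hardware write blocker.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def validate_tool(reference_path, expected_sha256, acquire):
    """Run acquire(source, dest) on a known data set and report each check.

    acquire is a hypothetical wrapper around the tool installed on your own
    workstation; expected_sha256 is the hash published with the data set.
    """
    workdir = tempfile.mkdtemp(prefix="toolcheck-")
    image = os.path.join(workdir, "image.dd")
    try:
        before = sha256_file(reference_path)
        acquire(reference_path, image)
        after = sha256_file(reference_path)
        produced = sha256_file(image) if os.path.exists(image) else None
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    report = {
        "reference_intact": before == expected_sha256,  # data set itself is good
        "source_unmodified": after == before,           # write protection held
        "image_matches": produced == expected_sha256,   # tool copied every byte
    }
    report["passed"] = all(report.values())
    return report


def truncating_tool(src, dst):
    """Constructed faulty tool: silently drops the last 512-byte sector."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        d.write(s.read()[:-512])


if __name__ == "__main__":
    # Constructed sample standing in for a downloaded reference image.
    with tempfile.NamedTemporaryFile(delete=False) as ref:
        ref.write(bytes(range(256)) * 64)  # 16 KiB of known content
    known = sha256_file(ref.name)
    print(validate_tool(ref.name, known, shutil.copyfile))
    print(validate_tool(ref.name, known, truncating_tool))
    os.unlink(ref.name)
```

Keeping the returned report with the date and tool version gives you a record of when each tool on your desk was last checked.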


By the way, for being a loyal reader of my blog, I’ve worked out a $100 discount for anyone in the digital forensics field interested in attending CEIC, the leading conference for digital investigations professionals. Simply visit www.ceicconference.com and, during registration, enter the discount code: redrock.

