Digital Forensics Technology:
Why Open Source Forensic Software Is a Significant Development
Of the many new technologies introduced into digital forensics in the last five years, open source forensic software has made the most significant contribution to forensic analysis and to the prevention and solving of crimes. Open source forensic software is today used to identify unauthorized access, to present and analyze the access points involved, and to capture a cybertrail that can be used as evidence in U.S. courts (Volonino, 2003). This is significant because open source software was initially perceived by the broader IT community as lacking the security, reliability and support of proprietary software (Muller-Seitz, Roger, 2009). Despite this reputation, its adoption has outpaced that of proprietary software over the last three years. Enterprise software companies including Microsoft, Oracle, SAP and others have developed extensions to their own applications specifically to capitalize on the economic benefits and rapid pace of innovation that open source software provides. These same dynamics are the catalyst for the rapid adoption and continual innovation of open source forensic software. The intent of this analysis is to evaluate why open source forensic software is important, how it is proving useful to corporations and law enforcement in fighting and in some cases alleviating computer crime, and how its use supports the three steps of gathering digital evidence: acquiring, authenticating and analyzing the evidence, together with the auditing each step requires, so that it can be used in a court of law.
The Increasing Importance of Open Source Forensic Software
Computer-based crime in the form of agents, Trojans, bots and automated Web services that seek to capture personal information online and to gain access to secured banking, financial services and military installations is growing at an exponential rate, and that growth is surpassing the ability of security agencies and software firms to counter it (Abel, 2009). Amid this rapid growth of Internet-based crime, the leading security software firms have made only partially successful attempts to alleviate the problem (Erickson, 2009). Ironically, proprietary software is not scaling fast enough, in either functionality or market adoption, to keep up with the onslaught of security weaknesses across the many process workflows of the Web and its banking, e-commerce, financial services and government sites. Open source forensic software, despite the criticisms of its security, reliability and support (Abel, 2009), continues to be the more agile development platform for responding to these threats. As a result, open source forensic software has progressed from a fad to an enterprise-wide application solution (Rogers, 2003).
Open source forensic software also has a significantly lower Total Cost of Ownership (TCO) and a rapidly expanding base of development support, which together create an exceptionally strong catalyst for faster innovation (Bates, 1997). For budget-constrained companies and municipal, state and federal organizations, this lower TCO has been one of the business drivers favoring its adoption. The perceived vulnerabilities of open source, specifically its support for the security standards common across digital forensics (Forte, 2008), have been tested through a series of performance audits (Irons, 2006). These have shown that open source software is as secure as proprietary software and in some cases more so, given the configuration management choices programmers make in coding and completing the open source forensic software.
More fundamentally, open source forensic software has shown the ability to scale architecturally to support the rules-based approaches that forensic analysis requires for the digital evidence gathering process (Berghel, 2003). The basis of forensic software is a series of constraint and rules engines that seek to define the optimal path from evidence to a valid conclusion (Bates, 1997). Depending on the design philosophy of the forensic software, the entire application may be based either on rules engines or on constraint engines (Irons, 2006). It is rare to find one that mixes both, as this would require modeling each actual scenario being investigated. The majority of forensic software is rules-based, with each aspect of the digital evidence gathering process defined as a set of conditional statements (O'Connor, 2005). These rules do not vary from one application to another: specific logic workflows are defined and applied across the entire spectrum of digital forensics applications and tools. As a result, there is little if any variation in the security and reliability of open source forensic applications. Both private and public organizations, including municipal, state and federal agencies, consider this factor in conjunction with a TCO analysis when performing due diligence on open source forensic software, and determine that the price/performance of open source-based applications makes sense for their needs. The need for training and continual development expertise is certainly a factor, yet the lower TCO and the broader community of development teams make this more affordable than proprietary forensic software (O'Connor, 2005). In many instances larger organizations take the source code and complete their own customizations to the precise needs of the organization or agency, a process that would be cost prohibitive with many of the proprietary software companies (Erickson, 2009).
All of these factors are contributing to the development of enterprise information assurance programs (Barbin, Patzakis, 2002). These programs are comparable in scope to the enterprise compliance and quality management programs that rely on content management systems. Open source forensic software is moving from being an investigative tool to a compliance platform (Irons, 2006) and is taking on the characteristics of content management systems as a result. Inherent in the design of the most advanced open source forensic applications is support for enterprise-wide assurance programs, including their own databases, evidence management systems, audit features such as the preservation of electronically captured cybertrails, and recovery routines for records potentially lost through illegal activity. In short, open source forensic software is also acting as a catalyst for the development of enterprise-wide security platforms that can manage the entire scope of security workflows within organizations and government systems (Irons, 2006). This is significant in that the databases that form the foundation of these systems now support access- and role-based taxonomies that can be used for analyzing trends in both authorized and unauthorized access to systems. The preserved and identified audit results, often called a cybertrail (Irons, 2006), are admissible as evidence in U.S. courts (Volonino, 2003). The recovery and retention of electronic records that were compromised is also achieved through the rules-based approach to verifying and validating their source and recovery (Barbin, Patzakis, 2002). The emergence of enterprise information assurance programs, and the support for enterprise compliance and quality management from a security standpoint, illustrate how state-of-the-art open source forensic software is becoming.
It is anticipated that within the next five years this progression of development will result in Service Oriented Architectures that include Web services to automate these processes over secured Internet connections. To counter the exponentially growing threats that seek to steal intellectual property and personal information, the development of SOA platforms for compliance and Web services is a necessity (Abel, 2009).
In conclusion, the catalysts driving the rapid adoption of open source forensic software are going to accelerate in the next five years as organizations and government agencies seek to define compliance as a deterrent strategy, while continually refining the audit process for how electronic access to systems is used. The rules-based logic workflows in open source forensic software are also going to lead to more use of predictive analytics to anticipate when illegal activity is about to occur and to thwart it through controls and redirects. All of these innovations will be made possible by the broad base of support that open source software has generated in the digital forensics industry over the last five years and will continue to fuel into the future (Abel, 2009).
How Open Source Software Supports the Digital Evidence Gathering Process
The three steps of the digital evidence gathering process, acquiring, authenticating and analyzing evidence, are each supported by open source forensic software (Irons, 2006). Beginning with acquisition, open source forensic software's reliance on interpreting and identifying unauthorized access to systems, and its ability to audit each such attempt to a quality level consistent with the ISO 15489-1 records management standard, are essential to its use from a verifiability standpoint (Irons, 2006). The acquisition phase also includes the capture of all forms of digital evidence, with an emphasis on auditable activity over the Internet in the form of unauthorized attempts to gain access to systems and sites. Computer, website and FTP site access attempts, JavaScript access attempts and site redirects, and the pervasive use of phishing are all events tracked by digital forensics systems as evidence (Abel, 2009). Predictive routing algorithms that seek to anticipate security breaches are also becoming more commonplace (Erickson, 2009). Evidence acquisition through digital forensics also covers the preservation of all patterns of potential crime, regardless of the origination point (Irons, 2006). The collaboration that occurs in the open source forensic software community acts as a catalyst of creativity specifically on this point: online communities seek to define more efficient approaches to evidence acquisition by pooling development efforts, and over the long term their results are changing the use of forensic software, both open source and proprietary.
The authentication phase of gathering digital evidence centers on the integrity of the data captured and stored. This phase relies heavily on the evidential integrity and authenticity of records (Barret, 2004), in addition to compliance with ISO 15489-1:2001, a records management standard that has been accepted in court for the preservation of digital evidence. This standard is considered integral to the evidential integrity of digital evidence (Irons, 2006). Under this standard, the authenticity of records is verified by the sender and receiver, the time they were created, sent and read, and the validity of their intended purpose. All of these factors are taken into account in assessing the veracity of claims regarding their use for legal vs. illegal purposes (Abel, 2009). As forensic software is based on a series of rules, and in some cases constraints, the rules-driven approach is also used to define evidential integrity, and a relative score is provided for each series of authorized vs. unauthorized actions. This in effect creates a benchmark of threat levels by activity that can, over time, be used to predict which sequences of activities will lead to illegal activity (Irons, 2006). In this way the authentication of digital evidence is supported by the intelligence that the rules engine in forensic software provides. Just as with acquisition, the authentication phase is also benefiting from the collaborative efforts of developers in the open source community. How to ensure compliance with the ISO standard is an area of continual collective effort in the digital forensics development community.
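The integrity check at the heart of the authentication phase, together with the acquisition record it depends on, as an added example that is not part of the original paper and is not the code of any particular forensic tool. It assumes cryptographic hashing (SHA-256, with MD5 kept only as a cross-check against older tool output) as the integrity mechanism, which the paper does not name; the file names, the custodian label and the sample log lines are constructed for illustration.

```python
"""Added example: acquire a piece of digital evidence, record its
fingerprints in a chain-of-custody record, and verify the stored copy
later. Hashing as the integrity mechanism is an assumption; every name
and the sample data below are hypothetical."""
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample evidence standing in for a disk image or log export.
SAMPLE_EVIDENCE = (
    b"2009-05-01T12:00:03Z sshd[1204]: Failed password for root from 203.0.113.9\n"
) * 4


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the data. SHA-256 is the default; MD5 is kept only
    for cross-checking against reports produced by older tools."""
    if algorithm == "sha256":
        return hashlib.sha256(data).hexdigest()
    if algorithm == "md5":
        return hashlib.md5(data).hexdigest()
    raise ValueError(f"unsupported algorithm: {algorithm}")


def acquire(source: bytes, image_path: Path, custodian: str) -> dict:
    """Acquisition step: write the bit-for-bit copy, then fingerprint the
    file as written (not the in-memory source) so the record describes
    what is actually on disk. A mismatch means the write failed."""
    image_path.write_bytes(source)
    on_disk = image_path.read_bytes()
    record = {
        "image": image_path.name,
        "size": len(on_disk),
        "sha256": digest(on_disk, "sha256"),
        "md5": digest(on_disk, "md5"),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,  # hypothetical handler label
    }
    if not hmac.compare_digest(record["sha256"], digest(source)):
        raise RuntimeError("image does not match source; acquisition failed")
    return record


def write_record(record: dict, record_path: Path) -> None:
    """Persist the custody record beside the image as sorted JSON."""
    record_path.write_text(json.dumps(record, indent=2, sort_keys=True))


def verify(record_path: Path, image_path: Path) -> tuple:
    """Authentication step: recompute the digest of the stored image and
    compare it with the custody record. Returns (ok, recomputed_sha256).
    The size check makes a truncated image fail before hashing is trusted."""
    record = json.loads(record_path.read_text())
    data = image_path.read_bytes()
    actual = digest(data)
    ok = len(data) == record["size"] and hmac.compare_digest(actual, record["sha256"])
    return ok, actual


def demo() -> dict:
    """Run acquisition, a clean verification, then a verification after a
    single byte of the image has been altered (size unchanged)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "evidence.img"
        record_file = Path(tmp) / "evidence.custody.json"
        record = acquire(SAMPLE_EVIDENCE, image, custodian="analyst-1")
        write_record(record, record_file)
        clean_ok, _ = verify(record_file, image)
        tampered = bytearray(image.read_bytes())
        tampered[10] ^= 0x01  # simulate tampering: flip one bit
        image.write_bytes(bytes(tampered))
        tampered_ok, _ = verify(record_file, image)
        return {"record": record, "clean": clean_ok, "tampered": tampered_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Fingerprinting the written copy and comparing it with the source before the record is trusted catches a failed write at acquisition time, and storing the length alongside the digest makes a truncated image fail fast. A single flipped bit is enough to fail verification, which is the property that lets the custody record stand in for the image when its integrity is questioned. A real acquisition would also hash the original device itself and log who handled the media at each transfer; the custodian and timestamp fields here only sketch that part of the record.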