4 An Analysis of Digital Forensic Tools
4.2 Requirements of Second Generation Tools
Carrier (2002a) presented a list of the desired features of digital forensic tools, including usability, comprehensiveness, accuracy, and deterministic and verifiable results. Ayers (2009) further classified existing digital investigation tools as first generation because they mostly assist with evidence recovery rather than with the actual case examination and analysis: the tools are mainly used to process the data, while the examination and analysis of that data is carried out by a human investigator. Current tools offer hardly any decision support to the forensic investigator during the case analysis phase. Future tools should therefore be equipped with such capability in order to remove part of the investigator's workload.
Another weakness of current tools is the lack of re-usability of data and knowledge gained from previous investigations. It is widely understood that previous experience can be valuable for solving current cases; however, most forensic examiners agree that the use of previously gathered data is relatively limited (Horsman et al 2012). Therefore, future efforts need to be focused on developing a knowledge base which can be used by the entire digital forensic examination community during investigations.
This could only be achieved if the processes of digital forensics were standardised and had a common benchmark across the various countries and regions (Horsman et al 2012). This would also help to ensure uniformity and lead to a harmonious development of digital forensic frontiers worldwide. However, even if such a common knowledge database existed, it would not be compatible across investigations carried out by different individuals, because in the absence of formal investigation processes each examiner records and structures findings differently.
Ayers (2009) further suggested that second generation digital forensic tools should have the following features if they are to cope with rising data volumes and the processing speeds required. These factors are discussed below.
Higher speeds: second generation tools certainly need to be much faster, and this can be achieved using a combination of approaches including (but not limited to) supercomputing, grid computing and parallel computing.
Higher accuracy: current digital forensic tools can achieve a good level of accuracy. Because the output of a digital forensic examination is ultimately used to support the conviction of suspected individuals, it is critical that the highest achievable accuracy is obtained from these tools.
Higher completeness: the tool should be capable of finding as much evidence as possible from a given set of data.
Higher auditability: this is an important parameter because of its role in the legal aspects of a digital forensic investigation. Auditable results can be cross-verified by another examiner, which is what makes them solid legal evidence.
Higher automation levels: automation is one of the most important aspects of digital forensic tools as it saves the investigator's time and effort; as a result, the backlog of computer crime cases could be reduced.
Faster I/O: most operations in a digital forensic examination are input and output operations (data is transferred across devices and media during the various stages). The speed of data processing therefore has a significant impact on analysis time: the quicker the data is processed, the shorter the analysis. This cannot be achieved simply by improving data storage devices; the disk storage formats themselves need to be improved as well. Indeed, first generation tools have the severe limitation of using an almost identical approach to disk storage formats despite increasing storage capacities; this limitation should be addressed in second generation digital forensic tools.
Higher comprehension levels: future tools should be capable of presenting information at higher levels of abstraction, in a format that anyone can interpret and not only technical specialists. This is important since digital forensics involves experts from a variety of sectors. Legal personnel such as lawyers and judges play one of the most significant roles during the prosecution and conviction stages, which are ultimately the goals of any digital forensic investigation.
Ayers (2009) proposed possible solutions to these problems and ways to develop second generation systems that could address these requirements and overcome the limitations of first generation forensic investigation tools.
Several options have been suggested to increase the processing power of analysis systems, such as the use of Beowulf clusters, IBM Blue Gene systems or grid computing (Ayers, 2009). Techniques such as clustered storage could address storage limitations, and more reliable software processes would consequently deliver greater system reliability.
Hence, it may be argued that various attempts are being made to overcome the shortcomings of the current first generation tools in order to develop faster, more powerful and more reliable second generation forensic investigation tools. This is a continuous process that needs to be undertaken jointly by researchers, agencies and authorities, so that a uniform level of growth can be achieved across the various sectors and regions of the world.
Only such a joint practice will ensure that progress in digital forensic investigation is sustained and well directed. It has also been reiterated several times that building scalable open source tools may be a better option than using expensive proprietary tools (Roussev 2011). This would not only give wider access to people from different areas who can contribute their knowledge to develop improved tools and approaches, but also provide a wide testing ground for validating the capabilities of the improved tool sets. It would certainly be beneficial for the digital forensics community as a whole, although Carrier (2002b) suggested that extraction tools could be open source while presentation tools could be closed source with a published design, for the purposes of legal admissibility.
The courts are normally concerned with two main aspects of the results produced by digital forensic tools, namely reliability and the privacy protection of the general public (Adams, 2008). The concept of reliability is closely linked to the performance a tool can provide in terms of accuracy and usefulness to the examiner on the ground.
There are various functions which an ideal digital forensic tool should be able to fulfil, including hashing (Roussev et al, 2006), data carving (Craiger, 2010), decryption (Casey, 2002) and steganography analysis (Kessler, 2007). Although many tools have several capabilities in common and are well suited to a specific application or set of applications, there is still a need to develop tools that can deal with a much wider range of tasks.
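As an added worked example (not code from Ayers 2009, Carrier 2002 or any of the tools cited in this chapter), the following Python combines two of the functions listed above, hashing and data carving, and shows concretely what the "completeness" and "auditability" requirements discussed earlier mean for a tool's output: a header/footer carver for JPEG objects whose results are recorded with the input image's digest and each carved object's digest, so that a second examiner can re-run the carve and cross-verify the record byte for byte. The tool identifier and the sample image are constructed for the illustration and are not real evidence.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict

# Real JPEG marker bytes: start-of-image (FF D8) followed by the next marker's
# FF, and end-of-image (FF D9).
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
TOOL_ID = "example-carver/0.1"  # hypothetical tool identifier, kept in the audit record


@dataclass(frozen=True)
class CarvedObject:
    offset: int   # byte offset of the header within the image
    length: int   # bytes from the header through the end of the footer
    sha256: str   # digest of the carved bytes, so a second examiner can cross-check


def carve_jpegs(image: bytes, max_size: int = 1 << 20) -> list[CarvedObject]:
    """Header/footer carving of JPEG objects from a raw image of unallocated space.

    The scan resumes after each carved object. A header with no footer within
    max_size is skipped rather than reported: reporting it would trade accuracy
    for completeness. Signature carving keeps its usual limitations: a fragmented
    file or an EXIF thumbnail's own FF D9 can truncate an object early, and marker
    bytes occurring by chance produce false positives.
    """
    objects: list[CarvedObject] = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            pos = start + 1          # orphan header: keep scanning past it
            continue
        end += len(JPEG_FOOTER)
        data = image[start:end]
        objects.append(CarvedObject(start, len(data), hashlib.sha256(data).hexdigest()))
        pos = end
    return objects


def audit_record(image: bytes, objects: list[CarvedObject]) -> dict:
    """Deterministic record of one run: tool, input digest, and every carved object."""
    return {
        "tool": TOOL_ID,
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "objects": [asdict(o) for o in objects],
    }


def record_json(record: dict) -> str:
    """Canonical serialisation: two honest runs must produce byte-identical text."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def verify_record(image: bytes, record: dict) -> bool:
    """Second-examiner check: same input image, same tool, same carved objects."""
    if hashlib.sha256(image).hexdigest() != record.get("image_sha256"):
        return False
    fresh = audit_record(image, carve_jpegs(image))
    return record_json(fresh) == record_json(record)


def build_sample_image() -> bytes:
    """Constructed test image (not real evidence): filler bytes around two fake
    JPEG objects, followed by an orphan header whose footer is missing."""
    filler = bytes(range(256))                       # contains neither marker sequence
    jpeg_a = JPEG_HEADER + b"\xe0" + b"A" * 100 + JPEG_FOOTER
    jpeg_b = JPEG_HEADER + b"\xe1" + b"B" * 50 + JPEG_FOOTER
    orphan = JPEG_HEADER + b"\xe0" + b"C" * 20       # no footer follows
    return filler + jpeg_a + filler + jpeg_b + filler + orphan + filler


if __name__ == "__main__":
    img = build_sample_image()
    rec = audit_record(img, carve_jpegs(img))
    print(record_json(rec))
    print("verified:", verify_record(img, rec))
```

On the sample image the carver returns exactly the two complete objects (at offsets 256 and 618) and skips the orphan header, and `verify_record` fails as soon as either the image or the recorded object list is altered, which is the property that makes the record usable as cross-verifiable evidence.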