Well, the short and rather disingenuous answer to the question “What does forensically sound mean?” is: “it depends. “
Remember that answer, because it applies to any number of questions about mobile forensics in general.
The more helpful answer is that it’s a term used in digital forensics to qualify, justify and, if necessary, defend the use of a particular forensic technology or method. Typically, it’s relevant when you are attempting to argue for the admissibility of digital evidence in court proceedings.
It’s a common question that often coincides with the follow up “Is your tool approved for court use?” The answer to that particular question can be found in much more detail here: http://bit.ly/2LvNk2W
Why Define “Forensically Sound?”
Quite simply because it helps smooth the introduction of evidence. If a particular tool has shown itself to be consistently reliable and historically has always produced verifiable digital evidence which was validated through the use of other tools, then the more likely it is to be accepted as evidence in the future. That’s not to say that you should ever take things for granted, as evidence should always be tested, but it should at least speed up tool validation to help verify the evidence.
How does one know if something is “forensically sound?”
In short: testing, comparison and independent evaluation reports of the tool from trusted sources.
Validation is the confirmation by examination and the provision of objective evidence that a tool functions correctly and as intended. For example: buy a new test phone and manually add some data and make a record of the entries you’ve made. Then extract data from the test phone using the tool to see if the results match as expected.
Verification is the confirmation of a validation with laboratory tools, techniques and procedures. Can you verify the results obtained by one forensic tool with another similar forensic tool that can perform the same function? Do the results corroborate each other, so that you can verify the results?
Unfortunately, many digital forensic practitioners work in high pressure environments. They often find it difficult to meet the demands of validation and verification of their tools. Many agencies have limited budgets and can’t afford to purchase all the available digital forensic tools for verification. Similarly, they work to tight deadlines and don’t always have the time to do all the necessary checks.
That’s where standards come in, such as ISO 17025 or ISO 27037:2012. These are used to ensure digital forensic practices follow guidelines to ensure the evidence produced is forensically sound.
These standards state that each provider of evidence needs to undertake their own tool testing. So unfortunately (despite many people asking us) MSAB can’t validate our tools for you. That’s something you have to do for yourself if you intend to produce evidence in court.
Nevertheless, we know that independent validation and verification of complex forensic tools such as XRY is expensive and time consuming, and so many practitioners will rely on independent reports for an indication of a tool’s suitably to produce ‘forensically sound’ evidence.
There are some very useful published documents that can help, such as NIST: The U.S. Department of Homeland Security Science and Technology Directorate Cyber Security Division – National Institute of Standards and Technology (NIST). Tool testing publications like these help give a strong indication of suitability of the tool for forensically sound – digital forensic evidence:
Just don’t forget that even if the tool and evidence are deemed ‘forensically sound’ you can still have your evidence thrown out at court if some basic requirements are not in place.