What does ‘Forensically Sound’ mean?

Well, the short and rather disingenuous answer to the question “What does forensically sound mean?” is: “it depends.”

Remember that answer, because it applies to any number of questions about mobile forensics in general.

The more helpful answer is that it’s a term used in digital forensics to qualify, justify and, if necessary, defend the use of a particular forensic technology or method. Typically, it’s relevant when you are attempting to argue for the admissibility of digital evidence in court proceedings.

It’s a common question that often coincides with the follow-up “Is your tool approved for court use?” The answer to that particular question is covered in much more detail here:

Why Define “Forensically Sound?”

Quite simply because it helps smooth the introduction of evidence. If a particular tool has consistently shown itself to be reliable, and has historically produced verifiable digital evidence that was validated using other tools, it is more likely to be accepted as evidence in the future. That’s not to say that you should ever take things for granted, as evidence should always be tested, but it should at least speed up tool validation and help verify the evidence.

How does one know if something is “forensically sound?”

In short: testing, comparison and independent evaluation reports of the tool from trusted sources.

Validation is confirmation, by examination and the provision of objective evidence, that a tool functions correctly and as intended. For example: buy a new test phone, manually add some data and keep a record of the entries you have made. Then extract the data from the test phone using the tool and check that the results match what you entered.

Verification is the confirmation of a validation using other laboratory tools, techniques and procedures. Can you verify the results obtained by one forensic tool with another, similar forensic tool that performs the same function? Do the results corroborate each other?
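The validation and verification steps above can be scripted so that they are repeatable and the discrepancies are recorded rather than eyeballed. The following is an added example, not MSAB’s or XRY’s code and not part of the original post: the seeded records stand in for the entries you typed into the test phone, and the two tool outputs are constructed to show the kinds of differences you will meet in practice (number formatting, a missed record, an extra recovered record).

```python
"""Validation / verification harness for a mobile extraction tool.

Added example, not part of the original post. SEEDED, TOOL_A and TOOL_B are
constructed data standing in for the examiner's hand-entered records and for
the parsed output of two independent extraction tools.
"""
import re

# Ground truth: what you entered on the test phone, from your written record.
SEEDED = {
    "contacts": [
        {"name": "Test Contact 01", "phone": "+44 7700 900101"},
        {"name": "Test Contact 02", "phone": "+44 7700 900102"},
    ],
    "sms": [
        {"to": "+44 7700 900101", "body": "validation message one"},
        {"to": "+44 7700 900102", "body": "validation message two"},
    ],
}

# Tool A (constructed): stores numbers without spaces and misses one SMS.
TOOL_A = {
    "contacts": [
        {"name": "Test Contact 01", "phone": "+447700900101"},
        {"name": "Test Contact 02", "phone": "+447700900102"},
    ],
    "sms": [
        {"to": "+447700900101", "body": "validation message one"},
    ],
}

# Tool B (constructed): recovers both SMS plus a draft that was never sent.
TOOL_B = {
    "contacts": [
        {"name": "Test Contact 01", "phone": "+447700900101"},
        {"name": "Test Contact 02", "phone": "+447700900102"},
    ],
    "sms": [
        {"to": "+447700900101", "body": "validation message one"},
        {"to": "+447700900102", "body": "validation message two"},
        {"to": "+447700900102", "body": "draft never sent"},
    ],
}


def normalise(record):
    """Canonicalise a record so presentation differences between tools
    (spacing in phone numbers, letter case) are not reported as discrepancies."""
    out = {}
    for key, value in record.items():
        if key in ("phone", "to"):
            value = re.sub(r"[^\d+]", "", value)  # keep digits and leading '+'
        elif isinstance(value, str):
            value = value.strip().lower()
        out[key] = value
    return tuple(sorted(out.items()))  # hashable, so sets can be compared


def compare(expected, actual):
    """Per category, list records present in `expected` but not `actual`
    ("missing") and records in `actual` that `expected` lacks ("unexpected")."""
    report = {}
    for category in sorted(set(expected) | set(actual)):
        exp = {normalise(r) for r in expected.get(category, [])}
        act = {normalise(r) for r in actual.get(category, [])}
        report[category] = {
            "missing": sorted(exp - act),
            "unexpected": sorted(act - exp),
        }
    return report


def validate(tool_output):
    """Validation: does the tool recover exactly what was put on the test phone?"""
    return compare(SEEDED, tool_output)


def verify(tool_a, tool_b):
    """Verification: do two independent tools corroborate each other?"""
    return compare(tool_a, tool_b)


def is_clean(report):
    """True when no category has any missing or unexpected record."""
    return all(not r["missing"] and not r["unexpected"] for r in report.values())


if __name__ == "__main__":
    for name, output in (("tool A", TOOL_A), ("tool B", TOOL_B)):
        print(f"validation of {name}:", validate(output))
    print("verification A vs B:", verify(TOOL_A, TOOL_B))
```

Two points the report makes visible: a record the tool missed is a validation failure you must document before relying on that tool for that artefact type, whereas an extra record (here the unsent draft) is not a tool fault but data you cannot check against your written record, so it needs a separate explanation in your notes. Keep the normalisation rules in the report as well, since a court may ask why two tools that printed different numbers were treated as agreeing.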

Unfortunately, many digital forensic practitioners work in high pressure environments. They often find it difficult to meet the demands of validation and verification of their tools. Many agencies have limited budgets and can’t afford to purchase all the available digital forensic tools for verification. Similarly, they work to tight deadlines and don’t always have the time to do all the necessary checks.

That’s where standards come in, such as ISO 17025 or ISO 27037:2012. These are used to ensure that digital forensic practices follow guidelines designed to produce forensically sound evidence.

These standards state that each provider of evidence needs to undertake their own tool testing. So unfortunately (despite many people asking us) MSAB can’t validate our tools for you. That’s something you have to do for yourself if you intend to produce evidence in court.

Nevertheless, we know that independent validation and verification of complex forensic tools such as XRY mobile data extraction software is expensive and time consuming, and so many practitioners will rely on independent reports for an indication of a tool’s suitability to produce ‘forensically sound’ evidence.

Useful Guides

There are some very useful published documents that can help, such as the tool test reports published by the National Institute of Standards and Technology (NIST) with the U.S. Department of Homeland Security Science and Technology Directorate Cyber Security Division. Tool testing publications like these give a strong indication of a tool’s suitability for producing forensically sound digital forensic evidence:

Just don’t forget that even if the tool and evidence are deemed ‘forensically sound’ you can still have your evidence thrown out at court if some basic requirements are not in place.

Forensically Sound – don’t forget the human element…

The chain of custody is a term used to describe the requirement to ensure that evidence is not interfered with and can be relied upon in court. Showing that the digital forensic evidence has not been altered and is a reliable copy of the original contents of a mobile device is critical. So make sure you understand how to present, and verify in court, that the data you originally extracted in the lab is still exactly the same.
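The usual way to show that extracted data is “still exactly the same” is to hash the extraction at acquisition, record that hash alongside each custody event, and recompute it whenever the file changes hands or is presented. The following is an added example, not MSAB’s or XRY’s code and not part of the original post: the extraction image is a constructed byte string written to a temporary file, and the custody log is a plain in-memory list where a real lab would use a signed or write-once record.

```python
"""Integrity check for an extraction file across its chain of custody.

Added example, not part of the original post. The "extraction" is constructed
bytes in a temporary file; the custody log is an in-memory list of entries.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte extraction never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_event(log, path, examiner, action):
    """Append a custody entry: who did what, when, and the file's hash at that moment."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "file": os.path.basename(path),
        "sha256": hash_file(path),
    }
    log.append(entry)
    return entry


def verify_against_log(log, path):
    """Recompute the hash and compare it with the one recorded at acquisition
    (the first log entry). Returns (ok, recorded_hash, current_hash)."""
    recorded = log[0]["sha256"]
    current = hash_file(path)
    return recorded == current, recorded, current


def demo():
    """Walk a constructed extraction through two custody events, confirm the check
    passes, then alter one byte of the file and confirm the check fails."""
    log = []
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "testphone_extraction.bin")
        with open(image, "wb") as f:
            f.write(b"\x00CONSTRUCTED-EXTRACTION\x00" * 4096)  # constructed, not a real image

        record_event(log, image, "examiner-1", "acquisition")
        record_event(log, image, "examiner-1", "transfer to evidence store")
        ok_untouched, _, _ = verify_against_log(log, image)

        # Simulate an altered working copy by flipping a single bit at offset 100.
        with open(image, "r+b") as f:
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0x01]))
        ok_tampered, recorded, current = verify_against_log(log, image)

    return ok_untouched, ok_tampered, log


if __name__ == "__main__":
    untouched, tampered, custody_log = demo()
    for entry in custody_log:
        print(entry)
    print("untouched copy verifies:", untouched)
    print("altered copy verifies:", tampered)
```

Each custody entry carries the hash computed at that point, so every link in the chain can be checked independently rather than only the end points; a single-byte change is enough to break the match. A practitioner would also hash the verification hash itself into the lab’s contemporaneous notes and use a second algorithm (for example SHA-1 alongside SHA-256) where the receiving party expects it.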

Likewise, make sure you understand the technology. In most cases, for evidence to be accepted in court it needs to be introduced by a witness who gives a sworn statement of evidence. If you are required to introduce digital evidence, you can be called to court and asked to explain how the evidence was produced and whether or not it can be relied upon.

It’s rare, but there have been cases where perfectly good ‘forensically sound’ evidence was thrown out of court simply because the witness introducing it was unable to satisfy the court that they understood how the technology actually worked. This is why training of digital forensic professionals is so important.