A Model for Evaluating Digital Forensic Tools

Abstract

Digital Forensic Investigators (DFIs) rely on tools to assess, gather and analyze digital evidence. They are used to unravel criminal acts and prove crime in a court of law. However, most of these tools are used without being evaluated because tool evaluation is expensive and time consuming. In addition, most DFIs assume that a tool would do exactly what the vendor claims it would do. If a tool is not evaluated, it remains unknown whether the results it produces are reliable or not. Unreliable results may jeopardize the whole forensic investigation process and in some cases lead to improper civil judgements resulting in criminals walking free thereby being encouraged to commit the same crime again. This may also lead to time wasting, trial and error, loss of money etc. Therefore, in this study, we designed and implemented a model for evaluating digital forensics tools to help DFIs with evaluating the tools that they would want to use. We used data from the Computer Forensic Tool Testing (CFTT) project which we aggregated and classified using Bayesian networks. We implemented our model using Java programming language and MySQL database. We tested using the data from the CFTT project in conjunction with the feedback provided by DFIs to recommend a suitable tool to use for investigations based on the task a DFI wants to perform, the category of the tool and its cost. The model attained a utility performance of 91.7%.