There are a number of excellent opensource forensic tools (OSDF) available online and utilisation of these tools can lead to inexpensive investigations and information gathering in relation to electronically sourced information (ESI)- this will include all data that is stored in electronic format.
Opensource tools are tools which is available mostly free of charge or at low cost online which can inter alia be utilised for investigations. The term Opensource in itself is explanatory in relation to the fact that the code is openly available and can therefore be updated/ amended/ changed with a fair amount of ease for a particular purpose. This may mean that the version available at the time of litigation may not be the version that was utilised and your service provider may be utilising a tool that they have adapted to their own needs, which may not be openly available or precisely recorded or repeatable- one of the aspects considered a requirement as a standard operating procedure in digital forensics (and off course to meet the evidentiary burden in terms of the Electronic Communications and Transactions Act, 2002):
- Section 14 relates to the integrity of the data from the time when it was first generated in its final form and has passed assessment in terms of if the information has remained complete and unaltered.
- Section 15 relates to the admissibility and evidential weight of data messages and states that the rules of evidence must not be applied so as to deny the admissibility of a data message on the grounds that it is in the form of a data message. It also stipulates that in assessing the evidential weight of a data message, regard must be had to the reliability of the manner in which the data message was generated, stored or communicated and the reliability of the manner in which the integrity of the data message was maintained.
One of the greatest challenges with Opensource tools is that updates and amendments to source codes as well as bug fixes (or the identification of bugs within the source code), is not always freely communicated or followed by users. (This in itself is one of the more significant reasons for preferring commercial off-the-shelf software where version control etc. is par for the course).
When selecting your service provider to source ESI a number of aspects to take into consideration to mitigate your risks, must be checked-off first, especially if your final requirement is that the information gathered will be required in subsequent legal action and you will have to lay a basis for the veracity of your information to have a court or tribunal accept the ESI as Evidence.
- What is the extent of the information that must be collected?
- How much data is involved?
- What is the format of the data?
- What is the purpose of the data? (information or evidence gathering)
- Does your partner have the experience/ knowledge to collect the data securely and later testify in any forum (locally or internationally), depending on the extent of your investigation on the collection of the information?
- Does the software used track and log all processes and comply with International Accepted best Practice Standards?
- Due to the fact that OSDF software can be modified and altered, the digital forensic practitioner might be required to testify on the functioning of the software every time he testifies since it will be virtually impossible for the court to take judicial notice of the functioning of the software if it can be easily and constantly be modified. Address your service partners capabilities early on in the investigation.
- Has your service provider kept track of and been alerted to source code changes over the time and will they be able to explain the significance, if any, of changes on the data they collected or results utilising the newer version of the Opensource tool. It can therefore mean that if a digital forensic practitioner does not stay abreast with these type of developments, that he might be using outdated or malfunctioning software. The onus therefor rests on the practitioner to constantly monitor chat rooms and support groups to detect these aspects.
- When considering the use of Opensource software consider that the function of forensic software can be divided in two main areas nl Acquisition and Analysis. The COTS software (Commercial off the Shelf licenced software) and mainstream OSDF software has been extensively tested in terms of their accuracy and reliability in creating evidence files or forensically copying electronic evidence. Studies such as the The United States National Institute of Standards and Technology (NIST)) testing methodology has proven that both sets of software fare evenly and can be tested relatively easily (for more information see https://www.nist.gov/). There is however very few tests between the two sets of software in terms of the analysis function.
Cyanre - The Digital Forensic Lab (Pty) Ltd
Tel: + 27 (0) 12 664 0066