The National Institute of Standards and Technology (NIST) have released their comprehensive review of current US digital forensic methods.
The Digital Investigation Techniques: A NIST Scientific Foundation Review is a draft review covering methods forensic experts use to analyse evidence from computers, mobile phones and other electronic devices.
Evaluating current digital forensic methods
Documenting and evaluating these forensic methods will fill an information gap that has been growing since 2009. The National Academy of Sciences' landmark 2009 study found that many forensic disciplines lack a solid foundation in scientific research, so there is a need for a comprehensive and up-to-date record of current methods.
To conduct their review, the authors examined peer-reviewed literature, documentation from software developers, test results on forensic tools, standards and best practices documents and other sources of information.
Investigators found “digital evidence examination rests on a firm foundation based in computer science,” and that “the application of these computer science techniques to digital investigations is sound.”
“Copying data, searching for text strings, finding timestamps on files, reading call logs on a phone. These are basic elements of a digital investigation,” said Barbara Guttman, leader of NIST’s digital forensics research program and an author of the study. “And they all rely on fundamental computer operations that are widely used and well understood.”
Potential challenges for forensic experts
Because of the rapid pace of technological advancements and changes, “digital evidence techniques don’t work perfectly in all cases,” Guttman said.
“If everyone starts using a new app, forensic tools won’t be able to read and understand the contents of that app until they are updated. This requires constant effort.”
To combat this, the authors recommended better methods for information sharing between experts, along with a more structured approach to testing forensic tools that would increase efficiency and reduce duplication of effort across labs. The report also recommends increased sharing of high-quality forensic reference data that can be used for education, training, and developing and testing new forensic tools.