18 www.DFInews.com FALL 2013
bination of open source tools and proprietary software for purposes of extracting data and reporting the results of the analysis. Both types of software are open to at least these two questions: 1) did the extraction software get all of the pertinent data, and 2) did the presentation software accurately report the results without omissions?
One way to validate software is by feeding it known input and examining the output, and the National Institute of Standards and Technology (NIST; www.cftt.nist.gov) is taking a lead role in forensics software testing. Another way to validate the tools is by examining the source code. Open source software has an advantage in this regard compared to the closed nature of commercial software. While proprietary software should not be suspect merely because it is secret, there are those who argue that closed software does seem to fly in the face of the Daubert test. [7, 8, 9]
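The known-input validation approach described above, as an added illustration that is not code from the article or from the NIST CFTT program: a small Python harness that packs a constructed evidence set with known hashes into an archive, runs a hypothetical extractor against it, and answers both questions posed earlier, whether every artifact was extracted and whether the report omits any artifact the extractor produced. The file paths, contents and the `candidate_extractor` function are assumptions made for this example.

```python
import hashlib
import io
import tarfile

KNOWN_FILES = {  # constructed evidence set; every path and content is invented for the example
    "home/alice/notes.txt": b"meeting at 10:00\n",
    "home/alice/.hidden_config": b"token=abc123\n",
    "var/log/auth.log": b"Jan 1 00:00:01 host sshd[12]: Accepted password for alice\n",
}

def build_known_image() -> bytes:
    """Pack the known files into a tar archive: the reference input fed to the tool."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in KNOWN_FILES.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def ground_truth() -> dict:
    """Expected answer: every path with the SHA-256 of its content."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in KNOWN_FILES.items()}

def candidate_extractor(image: bytes, skip_dotfiles: bool = False) -> dict:
    """Hypothetical tool under test; skip_dotfiles models an omission defect."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(image), mode="r") as tar:
        for member in tar.getmembers():
            hidden = member.name.rsplit("/", 1)[-1].startswith(".")
            if not member.isfile() or (skip_dotfiles and hidden):
                continue
            found[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return found

def compare(expected: dict, actual: dict) -> dict:
    """Question 1: did extraction get everything? Lists omissions, extras and hash mismatches."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "mismatched": sorted(p for p in set(expected) & set(actual) if expected[p] != actual[p]),
    }

def render_report(extracted: dict) -> str:
    """Presentation step: one line per artifact, hash then path."""
    return "\n".join(f"{h}  {p}" for p, h in sorted(extracted.items()))

def report_omissions(report: str, extracted: dict) -> list:
    """Question 2: does the report show every artifact the extractor produced?"""
    return sorted(p for p, h in extracted.items() if f"{h}  {p}" not in report.splitlines())
```

A real validation run replaces `candidate_extractor` with the tool under test and `KNOWN_FILES` with a reference image whose contents were recorded before the test, so that any difference reported by `compare` or `report_omissions` is attributable to the tool.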
As the case studies in the article show, awareness of network commands, general knowledge of Internet protocols, use of packet sniffing software, and familiarity with Web sites and programs that yield information from the DNS are essential tools for digital investigations. The capture and analysis of network traffic represents a future direction of digital investigations and is a significant departure from the current way of conducting traditional computer analysis. Instead of the static scenario in which a computer examination is conducted, live and/or network exams provide a snapshot in time, one that may be impossible to replicate or verify. These new types of investigations will require new tools, processes, and procedures, as well as new skills on the part of the examiner. They will also represent a new challenge to the criminal justice system as practitioners, lawyers, judges, and lawmakers determine how the methodologies fit into existing laws. [7]
While many in the field recommend that computer forensics examiners take more and more programming courses, most practitioners do not, in fact, write programs; most of the tools available today get the job done and are accepted in courts of law, whereas homegrown tools will face the uphill battle of validation. On the other hand, knowledge of network analysis and protocols, and the tools with which to support that activity, are possibly even more important skills for the computer forensics examiner. While there are tools that will capture and display network data, the practitioner needs to know how to properly interpret what they are seeing in the context of their
Put another way, knowledge of network hardware and application protocols is as essential to a network-based investigation as knowledge of computer hardware and file systems is to a computer-based investigation.
From: Kessler, G.C., & Fasulo, M. (2007). The Case for Teaching Network Protocols to Computer Forensics Examiners. In Proceedings of the Conference on Digital Forensics, Security and Law, April 18-20, 2007, Arlington, VA, pp. 115-137.
1. Anti-Phishing Working Group (APWG). (2006), “Sept-Oct Report: Phish Site Outbreak,” http://www.antiphishing.org/, December 14,
2. Or not! A surprising number of people will enter information in response to phishing e-mails at sites purporting to belong to companies where they do not have an account.
3. Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., & Berners-Lee, T. (1999), Hypertext Transfer Protocol—HTTP/1.1. Request for Comments (RFC) 2616, http://www.rfc-editor.org/rfc/rfc2616.txt, December 15, 2006.
4. Nikkel, B.J. (2004), “Domain Name Forensics: A Systematic Approach to Investigating an Internet Presence,” Digital Investigation, 1(4): 247-255.
5. O’Connor, T., & Stevens, M. (2006), “Admissibility of Scientific Evidence Under Daubert,” http://faculty.ncwc.edu/toconnor/425/425lect02.htm, December 15, 2006.
6. Supreme Court of the United States. (1993), Daubert v. Merrell Dow Pharmaceuticals (92-102), 509 U.S. 579. http://supct.law.cornell.edu/supct/html/92-102.ZS.html, April 16, 2006.
7. Brenner, S. W. (2005), “Requiring Protocols in Computer Search Warrants,” Digital Investigation, 2(3): 180-188.
8. Carrier, B. (2003), “Open Source Digital Forensics Tools: The Legal Argument,” http://homes.cerias.purdue.edu/~carrier/forensics/docs/opensrc_legal.pdf, April 15, 2006.
9. Kenneally, E.E. (2001), “Gatekeeping Out of the Box: Open Source Software as a Mechanism to Assess Reliability for Digital Evidence,” Virginia Journal of Law and Technology, 6(3). http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally.html, April 14, 2006.
Gary C. Kessler, Ph.D., CCE, CISSP, is an Associate Professor of Homeland Security at Embry-Riddle Aeronautical University, a member of the North Florida ICAC (Volusia County Sheriff’s Department), and president and janitor of Gary Kessler Associates, a training and consulting company specializing in computer and network security and digital forensics. Gary is also a part-time member of the Vermont ICAC (Burlington Police Department). He is the co-author of two professional texts and over 70 articles, a frequent speaker at regional, national, and international conferences, and past editor-in-chief of the Journal of Digital Forensics, Security and
Matt Fasulo is a Special Agent with the U.S. Secret Service currently stationed in Portland, Maine. SA Fasulo has been with the Secret Service since 1998 and a member of the Electronic Crimes Special Agent Program since 1999. During that time, SA Fasulo has investigated numerous network intrusion