Validating Proprietary Digital Forensic Tools: A Case for Open Source

Article Posted: December 13, 2011

Open source tools can provide an excellent way to validate proprietary digital forensic tools. Digital forensic examiners rely on their expertise to interpret the data their tools retrieve. Although this requires utmost trust in the tools themselves, it also assumes that the tools are doing the job correctly. Not knowing how the tools do the job—not having access to their underlying code, as is the case with proprietary digital forensics tools—creates a veil of abstraction between examiners’ minds and the truth. Each layer of abstraction is a possible source for error or distortion.

That isn't to say the conscientious examiner needs to cease use of any and all proprietary tools. However, it is important to validate what they find—to make sure results are repeatable (identical items tested by the same examiner, in the same lab, using the same equipment and methodology) and reproducible (identical items tested by different examiners, in different labs, using different equipment and methodology).

Performed at regular intervals, reproducible tests typically use one proprietary tool to validate another. For the purposes of the legal test known as the Daubert Standard, this is usually enough. However, the more attorneys on both civil and criminal sides learn about digital evidence, the more they may start questioning how forensic tools actually obtain their data. If the science underlying the evidence cannot be explained, then it cannot be accepted as a science, and the credibility of both digital evidence and digital forensic examiner will be undermined.

In some cases, the engineers who design proprietary forensic tools have been brought to court to testify as to how the tools work. However, this should only be a last resort; the designers of every proprietary tool an examiner uses may be unavailable, or prohibitively costly to bring to trial. There’s an easier, faster, and cheaper way to validate findings that use these tools. That way is to use open source forensic tools.

What is open source software, and why use it for validation?
True open source software is freely redistributable, provides access to the source code, allows the end user to modify the source code at will, and doesn’t restrict the software’s end use. Of particular interest for validation purposes is access to source code.

Innately, open source forensic tools “show their work.” You can execute the tool, examine the options and output, and finally examine the code that produced the output to understand the logic behind the tool’s operation.
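The validation workflow the article describes (checking that a proprietary tool's findings are reproduced by an open source tool) comes down to comparing the two tools' outputs item by item and isolating what must be explained. The following is an added example, not code from the article or from any named forensic product; it assumes both tools can export a file listing as CSV with the columns path, size and md5, and the rows it compares are constructed sample data.

```python
"""Cross-validate two forensic tools' file listings (added example, not the article's).
Each export is modelled as CSV rows of path,size,md5; all rows are constructed sample data."""
import csv
import io

# Constructed sample: what a proprietary tool reported for an evidence set.
PROPRIETARY_CSV = """path,size,md5
/docs/report.pdf,20480,9e107d9d372bb6826bd81d3542a419d6
/docs/notes.txt,512,e4d909c290d0fb1ca068ffaddf22cbd0
/img/photo.jpg,81920,d41d8cd98f00b204e9800998ecf8427e
"""

# Constructed sample: the same evidence set as listed by an open source tool.
OPEN_SOURCE_CSV = """path,size,md5
/docs/report.pdf,20480,9E107D9D372BB6826BD81D3542A419D6
/docs/notes.txt,512,ffffffffffffffffffffffffffffffff
/img/thumbs.db,4096,0cc175b9c0f1b6a831c399e269772661
"""

def parse_listing(text):
    """Parse one export into {path: (size, md5)}, normalising case and whitespace."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["path"].strip(): (int(r["size"]), r["md5"].strip().lower()) for r in rows}

def cross_validate(a, b):
    """Compare two listings. Paths both tools saw but described differently are
    the findings that must be explained before either result is relied upon."""
    common = set(a) & set(b)
    agree = sorted(p for p in common if a[p] == b[p])
    disagree = {p: {"tool_a": a[p], "tool_b": b[p]} for p in sorted(common) if a[p] != b[p]}
    return agree, disagree, sorted(set(a) - set(b)), sorted(set(b) - set(a))

def validation_report(prop_csv=PROPRIETARY_CSV, oss_csv=OPEN_SOURCE_CSV):
    """Run the comparison and summarise it as a dict (deterministic, so it can be re-run)."""
    agree, disagree, only_prop, only_oss = cross_validate(
        parse_listing(prop_csv), parse_listing(oss_csv))
    return {"agree": agree, "disagree": disagree,
            "only_proprietary": only_prop, "only_open_source": only_oss}

if __name__ == "__main__":
    for key, value in validation_report().items():
        print(f"{key}: {value}")
```

Because the open source side can be read down to the code that computed each hash, a row in `disagree` or in either `only_*` list is something the examiner can explain rather than merely observe.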
