And so goes the chant, ad nauseam, throughout the forensic community. Be warned that the following is a rant and a plea for change. The primary reason expressed for appending this chant to every mention, verbal or otherwise, of applications and procedures? Defense attorneys. The chant is to rally the forensic troops against any weakness in their defensive formation against the tides of defense workers. Should there be a weak link in the validation chain, cases shall crumble, reputations be ruined, and offenders set loose upon society. In short, apocalypse.

The above may be slightly dramatized, but no more than the pervasiveness of the chant. First, what does it mean to validate? One would think “test” (and to do so with great scrutiny). However, a quick Google search only shows “test” in two results. Merriam-Webster was not polled by Google, but let’s take a look at one variation: “to support or corroborate on a sound or authoritative basis.” No specific reference to “test.” Dictionary.com offers a similar result: “to make valid; substantiate; confirm.” A quick check of valid yields: “producing the desired result; effective.”

At this point, we can be relatively sure that “test” is not a direct quality of validate. We merely need to confirm the produced result is the desired result. This is easy enough and is a concept employed by forensic practitioners the world over. How many validation papers have been written for VLC, IrfanView, or notepad? I am guessing zero. Why aren’t defense attorneys demanding we verify our viewers? Probably because it does not make much sense. Anyone who has used the player knows it displays the content as expected. Is it exact? Who knows, but it plays downloaded Youtube videos daily without creating a shadow of doubt. The newest Pepsi commercial doesn’t suddenly become child exploitation when using Xine instead of VLC.

Why is this same concept frowned upon when working with other tools such as EnCase or FTK? Is it the difficulty in relating the examiner’s experience to a level easily understood by the layperson? “I am relatively sure ForensicSuite was able to carve out all the video files because I was able to perform a similar search in UberSuite and I came up with the same number of results.” That is a bit wordy and not easily reproduced in the court room. However, does it not boil down to the same as the accepted MD5 hash value? “The numbers match.” This action is no more than a comparison of results and not a validation of the product.

At the end of the day, the real question is “did the examiner make a fault” and not “is the software flawed”. We can not absolve examiners of fault across the board. However, let’s take a worst case scenario. Let’s assume the examiner was at fault. Does that matter? Those involved with law enforcement should be familiar with the concept of “good faith.” Attorneys should be familiar with negligence and “should have known.” Even at fault, did the examiner operate within reason? Did they miss warning signs of fault that they should have noticed? If the perfect validation existed, these questions would probably still arise. They are the root of the validation issue.

How do we address what was reasonable? We can set forth some “best practices” that includes general procedures for workflow. These can not be absolute and must give the examiner the flexibility to make decisions based on feedback. In other words, these should probably not be official, gold stamped policy, but rather accepted guidelines for the implemented working environment. Documenting helps, but co-workers (if available) can (hopefully) attest that the practice of swinging hard drives around by ribbon cables is not usually practiced.

Be reasonable. Be consistent (aka: “best practices). And pray your prosecutor is on par with the defense.

TL;DR

Please stop assaulting everyone’s ears with “Validate.” This is not a clever “Cover Your Ass” statement. It is part of the indoctrination of forensic examiners. Validation may be important, but is not to be used solely as a shield against defense attorneys. Be reasonable and not another sheep bleating “Validate” any chance you get.