Usability of Forensics Tools: A User Study

Usability of Forensics Tools: A User Study Hanan Hibshi

Timothy Vidas

Lorrie Cranor

Carnegie Mellon University Pittsburgh, PA,USA [email protected]

Carnegie Mellon University Pittsburgh, PA, USA [email protected]

Carnegie Mellon University Pittsburgh, PA, USA [email protected]

Abstract Digital forensics has become a critical part of almost every investigation, and users of digital forensics tools are becoming more diverse in their backgrounds and interests. As a result, usability is an important aspect of these tools. This paper examines the usability aspect of forensics tools through interviews and surveys designed to obtain feedback from professionals using these tools as part of their regularly assigned duties. The study results highlight a number of usability issues that need to be taken into consideration when designing and implementing digital forensics tools. Index Terms Usability; Digital Forensics; Forensics; GUI; User Interface.

I. I NTRODUCTION Digital forensics tools play a critical role in providing reliable computer analysis and digital evidence collection to serve a variety of legal and industry purposes. These tools are typically used to conduct investigations of computer crimes by identifying evidence that can be used in a court of law. In addition to criminal investigation, these same tools are used for purposes of maintenance, debugging, data recovery, and reverse engineering of computer systems in private settings. Digital forensics (or “computer forensic”) is rapidly becoming a substantial part of computer investigations all over the world, used by both law enforcement and private sector investigators. Digital forensics tools are designed for use by forensics investigators. It is important to consider the background, computer expertise, workflow, and practices of these users. In practice, users might have any level of an IT background ranging from a veritable computer security expert to a criminal investigator possessing minimal computer skills. With this diverse range of computer expertise, practitioners need “usable” tools that will help them get results easily. Humans prefer to focus on specific tasks for a finite amount time to achieve certain goals. When interrupted with distractions, individuals tend to become confused or complacent, and become distracted from their main goal [1]. In digital forensics, when examiners (or practitioners) conduct an investigation, they are typically seeking answers to specific questions they have in mind. Practitioners often do not care about any underlying technical details that will shift them away from their two main goals: investigative leads and conviction support. Even when giving testimony in court, practitioners may claim to be a certified tool user instead of an expert that understands how a tool works [2]. We have conducted a study to obtain feedback from users that interact with digital forensics tools on a daily basis. The rest of the paper is organized in the following manner: Section 2 contains background and related work. Our methodology is described in detail in Section 3, followed by the results in Section 4. Finally, we present our conclusions and future work in Section 5. II. BACKGROUND & R ELATED W ORK Usability is becoming a critical aspect of any technical product. The international standard ISO 9241-11 defines usability as: “The extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use” [3]. Usability of computer systems is considered an important area of research and is often a metric used to evaluate systems. Therefore, usable security is emerging as a strategic research area. The field of usable security aims to apply computer security metrics in a user-friendly fashion. The research in this area interests academia as well as professional practitioners; and serves government institutes as well as private organizations [4]. In the past 30 years, digital forensics has matured from a very ad-hoc, and possibly destructive, use of system administration tools to formal processes utilizing dedicated tools. Technological advances in court cases have created a need for dedicated digital forensics tools. Today these tools can be used to make best-evidence duplicates and perform non-destructive analysis. Contemporary analysis can recover deleted files, construct event timelines, attribute events to users, and much more. The American Society of Crime Laboratory DirectorsLaboratory Accreditation Board (ASCLDLAB) “recognized digital evidence as a full-fledged forensic discipline” in 2003 [5]. Moreover, the interest in training and education has grown causing a wide number of universities and training organizations to offer a range of computer forensics courses and degrees where students can gain in-depth expertise in the field of digital forensics [6], [7].

Users of digital forensics tools need to become very familiar with the tools to be able to use them efficiently. In order to make sense of the information these tools provide, users may need to attend professional training [6], [7]. As digital forensics is sufficiently difficult to understand, it has been suggested that it be taught as part of university curriculum[7]. Another reason many feel digital forensics should be incorporated into the university is that it generally requires book-length training materials in order to teach people how to use forensics tools. A 2005 Metropolitan State University study surveyed computer forensics higher-education programs in the US and concluded that computer forensics is a“growing multi-disciplinary field with increasing industry demand” [6]. Reith et al. propose an abstract model as a possible replacement for existing forensic models that were deemed too specific. The authors further observe that existing digital forensics tools are typically too technology specific in a way that tends to become an inconvenience for non-technical users. Such users have typically been trained to use a particular tool, but may not have any foundational education about the underlying technology employed by the tool [8]. Modern digital forensics tools use many specific, complex technologies. For example, modern tools must support a plethora of complex file systems. This complexity led to the creation of specialized classes [9] and books dedicated to the subject [5]. Even though the objective of these classes and books is to provide a technical foundation for forensics examiners to better use their tools, these information sources focus on very low-level topics that are commonly ancillary to an investigator. Garfinkel discusses trends in forensics research and observes that the field is likely “to fall-behind” in the near future. Current forensics tools were designed in an “evidence-oriented” fashion. The author further explains that this way of designing digital forensics tools has created some of the challenges that users face today. Examples include: slow speed, inability to find non-ordinary information, lack of smart reporting functionality, and inability to construct a timeline that helps investigators in their analysis. These are a few of the problems explored by the author that cause investigators to perform some essential tasks manually because the tools they have do not provide a way for them to get obtain needed information[10]. In his Masters thesis, Farrell addressed a number of issues with forensics tools, including usability, and proposed a new approach to forensics reporting. Instead of the current manual method that relies on a trained human operator, the author has suggested a digital tool that will “perform automated analysis and reporting.” Furthermore, he proposed design requirements for an automated reporting tool framework that takes into consideration three main categories: systems, user interface, and reporting intelligence. The thesis emphasized making the tool more efficient for untrained users by following a “user-centric approach that requires minimal human involvement thereby increasing usability and providing results with less time and effort [11]. III. M ETHODOLOGY In this section we describe our study methodology, which included expert interviews and a survey of attendees at a forensics conference. The main goal of this research was to identify usability problems with forensics tools. In future work we plan to explore identified usability problems further through heuristic evaluation and user testing. A. Interviews We first conducted two informal interviews with forensics experts in order to better understand the problem space. We used information gathered during these two informal interviews, plus information from our own review of the major forensics tools available on the market to develop an interview protocol. We interviewed eight additional law enforcement and industry forensics experts in a series of 45-90 minute interviews. We encouraged interviewees to qualify answers by demonstrating everyday use cases with tools they use and issues they face. The experts are very familiar with digital forensics tools as they vocationally support several large law enforcement entities. In particular, they assist their clients by conducting training sessions or helping them solve case-related requests that are complicated or that require advanced technical skills. Our eight experts have a variety of backgrounds, including private-sector forensics and law enforcement field agents. Digital forensics is often a complex application of computer science to legal settings. We had preconceived notions regarding tool usability in the space, but the interviews provided us with valuable insight into the usability problems as experienced by experts in the field. The interview notes and feedback not only helped us form informed theories regarding tool usability, but also greatly assisted the development of our survey. B. Surveys Using the information gathered from the interview process, we developed a survey to assess usability problems with digital forensics tools. Survey questions were shaped to determine if the observed usability issues held with a larger population and to address specific issues not suited for the interview process. Before addressing a larger population, a pilot version of the survey was given to five students enrolled in graduate programs with a focus in digital forensics. We revised and modified the survey questions based on feedback from the pilot. We conducted the survey at the High Technology Crime Investigation Association (HTCIA) 2010 international conference. HTCIA hosts a wide range of practitioners, academics, and policy makers

5,67,8%9,8:,6;.%.