Forensic software tools strive to handle conventional investigative needs by addressing a wide range of applicable devices. More difficult situations, such as the recovery of deleted data from the memory of a device, may require more specialized tools and expertise and disassembly of the device. The range of support provided, including mobile device cables and drivers, product documentation, PC/SC readers, and the frequency of updates, may vary significantly among products. The features offered, such as searching, bookmarking, and reporting capabilities, may also vary considerably.
Discrepancies in recovering and reporting the data residing on a device have been noted in the previous testing of tools. They include the inability to recover resident data, inconsistencies between the data displayed on the workstation and generated in output reports, truncated data in reported or displayed output, errors in the decoding and translation of recovered data, and the inability to recover relevant data. On occasion, updates or new versions of a tool were also less capable in some aspects than a previous version was.
Tools should be validated to ensure their acceptability and reapplied when updates or new versions of the tool become available. These results play a factor in deciding the appropriateness of the tool, how to compensate for any noted shortcomings, and whether to consider using a different version or update the tool. Validating a tool entails defining and identifying a comprehensive set of test data, following acquisition procedures to recover the test data, and assessing the results. Present-day tools seldom provide the means to obtain detailed logs of data extraction and other transactions that would aid invalidation. An examiner can compare the output of several tools to verify the consistency of results. While tool validation is time-consuming, it is a necessary practice to follow. As a quality measure, forensic specialists should also receive adequate, up-to-date training in the tools and procedures they employ.
An important characteristic of a forensic tool is its ability to maintain the integrity of the original data source being acquired and the extracted data. The former is done by blocking or otherwise eliminating write requests to the device containing the data. The latter is done by computing a cryptographic hash over the contents of the evidence files created and recurrently verifying that this value remains unchanged throughout the lifetime of those files. Preserving integrity maintains credibility from a legal perspective and also allows any subsequent investigation to use the same baseline for replicating the analysis.