Development of an Open Source Tool and a Multi-Platform for Generation of Forensic Reports

Computer Forensics is a science that is part of computer security and focuses on identifying, preserving, analyzing and presenting electronic evidence that has been found on a device. This process has to be thoroughly documented by the expert who carries it out, and must be adapted to standards such as UNE 197010:2015 or ISO/IEC 27042:2015. However, there are no tools to facilitate this task. Therefore, in this work, a multiplatform and open source tool is developed to facilitate the expert’s elaboration of the report, and the management of the documentation related to the case, while keeping this information safe.


Introduction
Computer forensics is a science that takes parts of informatics security and focuses on identifying, preserving, analyzing and showing electronic evidence that has been found in a device [1]. This process has to be carefully documented by an expert witness in order to describe the starting stage, check that evidence has not been manipulated, record the process followed and finally to write a conclusion. The documentation has to be in a report that, in this case, has to be carried to the court. For this reason, it is important that it is adapted to specific standards like rule UNE 197010:2015 ("General judgements for the production of reports and forensic expert opinions about Information Technologies and Communications") and the guide ISO/IEC 27042:2015 that lists specific instructions that must include the forensic report [1].
However, the legislation does not specify which tool or tools the expert witness has to use neither for the report redaction nor for the relative documentation management. Typically, the expert witness will make use of different tools to achieve this goal (word processor, file system of the OS itself to store the information, encryption tools to protect such information, etc.). However, this process is tedious, partly repetitive and prone to error. To automate this process, as far as possible, would be of great help to the expert witness, while providing greater certainty and more guarantees as to the correct wording of the report.
Due to the absence of specific tools for producing expert witness reports, this work is based on the development of a desktop, multi-platform, open-source application, which makes it easier for the expert witness to produce the report, while keeping the information safe.

Development
To achieve this development, an incremental development methodology has been followed, in which new functionalities have been added in each iteration. For the implementation we used the Python 3.0 language and the GTK+ library, allowing the result to be a multi-platform application.
The analysis and design deals with the corresponding use cases of each iteration, considering in each case the corresponding design decisions. Using the Balsamiq tool, the respective prototypes were created for each iteration.
The most basic functionalities of the application consist of adding and editing the expert cases. This process allows the user to fill in the fields corresponding to each phase of the expertise process (complying with the ISO/IEC 27042 guide), and also saving the case. For the storage, the user is offered the possibility of choosing the folder in which to store the case. Subsequently, a folder is created with the name of the case, in which all the documentation belonging to the case will be stored. The report will be stored in XML format to offer flexibility when exporting it to other formats.
A highlight of the storage process is the encryption of the information. Hybrid cryptography is used to store the encrypted report. This consists of using symmetric cryptography to encrypt the document (using a random key for each) and asymmetric cryptography to encrypt the random key (see Figure 1). Another functionality of the tool is evidence management. To store the evidence in a folder within the case, the user can drag it into the application. These will be stored encrypted, and the name will be displayed for easy reference.
The main data of the expert should always go at the beginning of the report. Since these will not vary from one case to another, the tool allows the insertion (and editing) of the data independently of the case. In this way, the user will only have to introduce them once, and it will be the tool itself that will attach them to the beginning of each generated report.
Finally, the application implements authentication to be able to access the reports already generated. During the first access a new password is requested and the key pair (public and private) is generated. This password will be valid to store the private key in a safe way. This way, the password will be necessary to decrypt a report and be able to edit it. If for any reason the user forgets the password, it is possible to revoke it and create a new one (with its respective key pair), leaving the cases generated so far inaccessible.

Results and Conclusions
The drafting of the expert's report is one of the most important phases of the expertise. This tool offers functionalities such as password access, a clear and simple interface, the secure storage of the report through encryption and exporting the report to different formats, among others. In short, it offers the user an easy way to manage the report and all the documentation pertaining to an expert case, complying with the aforementioned standards.