The History of Forensic Ballistics – Ballistic Fingerprinting

Ballistics…sounds like a pretty bombastic word to us plebeians, doesn’t it? Well, simply put, ballistics is the study of the flight path of projectiles. When used in criminal investigations, forensic ballistics or ballistic fingerprinting (also called forensic firearm examination) helps in the reconstruction of a crime scene involving a firearm. It also enables the tracing of the weapon used and thus provides significant leads to identify the suspect(s). Forensic ballistics relies heavily on evidence such as bullets, gunpowder residues, shell casings and firearms recovered from the crime scene.

Forensic ballistic professionals are adept at examining such evidence to draw conclusive inferences on the exact weapon used, the distance, velocity, and angle of firing, and ultimately the shooter himself. In crime scene investigations, forensic ballistics has now become synonymous with the matching of the recovered bullets and their casings to the firearms from which they were discharged. However, while the modern-day crime drama series may make the application of such techniques look quite contemporary, the fact is that such ballistic work has its roots way back in time.

First Use of Ballistics in Forensics

Before the mass manufacturing of guns began, barrels and bullet molds were handmade by gunsmiths, so each firearm was unavoidably unique. This meant that the bullets it fired always bore some exclusive impressions unique to that specific firearm. Thus began the first instances of the careful examination of a bullet in order to trace it back to the gun that fired it. This laid the foundation of what is now called ballistic fingerprinting – the forensic examination of firearms and other evidence (bullets, cartridges, etc.) recovered from the crime scene to link them to suspects or to the specific weapons used in a crime.

The first documented case of forensic firearm examination dates to 1835, when Henry Goddard applied ballistic fingerprinting to link a bullet recovered from the victim to the actual culprit. On careful inspection, he found that the bullet had a defect on its surface which did not seem to come from the barrel or from an impact; it looked more like a defect acquired during manufacture. Anticipating that the shooter would have cast the bullet himself, he realized that recovering the bullet mold would let him confirm the shooter. He was thus able to zero in on the shooter when the mold found at the suspect’s home matched the marks on the bullet. This proved to be crucial evidence in convicting the shooter, though he also confessed to the crime eventually.

The 1860 case of Regina v Richardson showcases another early application of firearm identification. The major evidence in this case was newspaper wadding. In the era before cartridges came into existence, such wadding was used to create a seal between the bullet and the gunpowder. The wadding found in the two-barreled muzzle-loading pistol recovered from the murder site matched the wadding found in the victim’s wound. Additionally, wadding discovered at the suspect’s home was found to be made of the same material (the London Times newspaper) as the wadding recovered earlier. This helped to confirm that he was the shooter and led to his conviction.

The Birth of Magnification

Over time, as the mass production of guns and ammunition gained pace, the process of rifling became standardized. Whereas earlier a forensic examiner could match the rifling marks on a bullet recovered from the crime scene to those on a particular firearm’s barrel, it became increasingly difficult to match a bullet to a specific firearm from a specific manufacturer through simple observation. And as they say, necessity is the mother of invention! This eventually paved the way for the magnified observation of bullets.

In 1902, Oliver Wendell Holmes, who later became a justice of the US Supreme Court, is said to have used a magnifying glass to examine a test bullet that he fired into cotton wool, comparing its striations with those found on the bullet recovered from the victim during the autopsy.

Later in Paris (1912), Professor Balthazard took numerous photographs of the circumferences of the bullet found at the crime scene. He then enlarged these photographs to compare the markings with those obtained on the bullet that he had test-fired from the suspect’s weapon.

Paving the Way for the Development of the Comparison Microscope

Eventually, magnification became a crucial part of firearm examinations. However, even though microscopes did exist back then, it was quite challenging to compare two bullets simultaneously. While examining one bullet under the microscope, forensic examiners had to retain the mental image of the other bullet meant for comparison. This posed obvious risks to the validity and reliability of the investigations.

In fact, a major flaw in ballistic fingerprinting led to the wrongful conviction of an innocent man, Charles F. Stielow, in 1915 in the United States. He was convicted and sentenced to death for shooting his employer and the employer’s housekeeper with a .22 caliber pistol. However, when investigator Charles E. Waite reevaluated the evidence with microscopy expert Dr. Max Poser, he confirmed that the bullets recovered from the crime scene could not have been fired from Stielow’s gun. Stielow was then acquitted and released.

Embarrassed and perturbed at the possibility of such blunders in the future, Waite began cataloging the manufacturing data on guns and ammunition. He also made sure to include foreign sources upon realizing that a majority of firearms back then were imported. In due course, Waite, along with physicist John Fisher, Major Calvin Goddard, and chemist Philip Gravelle, established the Bureau of Forensic Ballistics in New York City. Philip Gravelle eventually developed the comparison microscope (two microscopes connected by an optical bridge), solving the challenge of simultaneous comparison.

The first significant application of this microscope was in the investigation of the Saint Valentine’s Day Massacre in 1929. By examining the bullets and cartridge cases recovered from the site, Goddard was able to identify the exact weapons used – a 12-gauge shotgun and two Thompson submachine guns. Furthermore, he was led to the suspect by matching the evidence recovered to the gun retrieved from his home. In 1932, when the FBI laboratory was established, Goddard trained its first firearm identification professional.

Texial – In the League of Busting Crimes

Texial – a premier private forensic science laboratory headquartered in Chennai with a presence all over India – is a valuable addition to the forensic domain in India. With crime rates rising every year, the dearth of forensic labs leads to delays in investigations and in the delivery of justice. Texial Lab, with its repertoire of forensic experts catering to various segments, thus helps meet the country’s forensic requirements. That, coupled with a state-of-the-art forensic laboratory, has enabled them to be frontrunners in investigating a host of complicated cases. They are a forward-looking cybercrime and digital forensic center that offers solutions to law enforcement agencies, private investigators, individuals, corporates and the government. They firmly believe in leveraging the technical expertise of their forensic experts to provide efficient, fast, and cost-effective services and solutions across a diverse spectrum.

List of 15 Most Powerful Forensic Tools

The history of forensics has evolved over decades through various branches of forensic science. Forensics has become an integral part of law enforcement activities across the globe. These applications are central to fighting cybercrime and protecting digital assets in the current age of the internet and advancing globalization. Crime can take many forms, and it becomes necessary to gather evidence and obtain a conviction of the perpetrators. Forensic tools help investigators extract crucial pieces of evidence from electronic devices to be presented in a court of law and put criminals behind bars.

Disclaimer: The tools mentioned in the list have been extensively used by investigators across the world. The order of listing is solely for visualization and does not, in any way, indicate rankings.

Here are the 15 most powerful paid and free forensic tools:

1. Paladin

Paladin is undoubtedly one of the most versatile collections of forensic tools currently available. The entire suite consists of over 100 tools classified into 33 categories! Whether it is a matter of unauthorized access, data leak, modification of existing data, malicious software like spyware and malware, or even if it is something as simple as a weak password that was cracked through guesswork, Paladin has the forensic tools to help you discern the cause of cybercrime.

The best part about Paladin is its Graphical User Interface (GUI) that makes it user-friendly and interactive.

2. CAINE (Computer Aided Investigative Environment)

CAINE is a Linux live distribution bundling a suite of forensic tools and provides an interactive GUI for forensic analysts to carry out a broad range of investigative activities. One of the major distinguishing factors of the CAINE suite is its applications for the assessment of databases, memory and networks. Such a diverse range of investigative abilities enables cyber forensic experts to carry out numerous types of observations and pinpoint the exact cause of a breach.

Being a live distribution, it can be carried around on flash drives (pen drives) and booted directly, without the need to install it.

3. X-Ways Forensics

X-Ways Forensics provides a large array of various types of tools that aid in digital forensics. From data recovery to disk cloning, finding and retrieving lost data, recovering deleted files and many more – X-Ways Forensics has grown to become an absolute must-have for all budding and professional cyber forensic analysts.

This bundle of cutting-edge cyber forensics software is compatible with all versions of Windows and is known to run on devices of relatively modest specification. In addition to dealing with lost or corrupted data, X-Ways Forensics also enables an investigator to analyze a device’s memory and ascertain whether a particular file is authentic or a duplicate. With so many capabilities rolled into one suite, it’s no wonder that X-Ways has garnered popularity amongst the global community of forensic investigators.

4. Autopsy

The term autopsy is synonymous with the science of forensics. Medical autopsy is performed by a medical examiner to discern the cause and nature of death. Borrowing from the idea, Autopsy is a software toolkit to assess computer hard drives and smartphones and look for evidence to help identify instances of crime or malicious activities.

Some of the features of Autopsy include analysis of emails, recovery of deleted or corrupted media, browsing activity and habits, extraction of call and message logs, determination of location from pictures and videos, discovery of activity timelines, and so on. An additional bonus is that multiple experts can work on a single case, as Autopsy supports multi-user functionality. This facilitates better resource utilization and pooling of relevant expertise.

All of these features assist investigators in searching for evidence to convict cyber criminals and those that violate compliance measures. Furthermore, Autopsy is open source and features an easy to use GUI, making it a favorite of forensic investigators across the globe.

5. Wireshark

Wireshark is a free, open source forensic tool that enables users to watch and analyze traffic on a network. Since every organization maintains an internal network for day-to-day operations, Wireshark is an excellent choice for network administrators as well as cybersecurity experts to study all the activity on a network, identify deviations from established norms and zero in on any suspicious behavior.

Being open source software, Wireshark has been enhanced over time by developers from across the world. As networks grow in scale, it becomes increasingly necessary to have a consolidated means of assessing traffic patterns to enforce policies and ensure compliance. Being free to download and offering a simple GUI, Wireshark has become globally reputed not only amongst professionals but also amongst casual users and hobbyists.

6. NetworkMiner

NetworkMiner is another open source forensic tool for Windows, Linux, and Mac OS that can be used by network administrators as well as investigators to assess traffic on a network. It can capture packets, or analyze existing captures, to detect devices and their operating systems, host names, open ports, etc. And the best part: NetworkMiner works passively, so analysing with it does not generate any traffic on the network.

This forensic tool allows users to fish out credentials, certificates, emails, etc. from a network and presents the extracted information in a user-friendly and interactive manner. Moreover, users can search for a particular piece of information from the extracts using a keyword search option provided.

This is an extremely useful software that enables investigators and senior management to observe and analyze incidents such as data breaches, unauthorized access, illegal modifications, and any suspicious activities.

As a matter of convenience, NetworkMiner is a portable software and comes installed in a custom-made flash drive. Thus, it requires no installation, rendering the job of an investigator quick and easy.

7. SIFT Workstation (SANS Investigative Forensic Toolkit)

The SANS Investigative Forensic Toolkit is one of the world’s most popular software packages for cyber forensics. With over 100,000 downloads across the world and recommendations from experts in the field, SIFT has been used by law enforcement agencies and Fortune 500 companies. What’s amazing is that SIFT is an open source forensic software package and so is available for anyone to download.

Given such pedigree, it should come as no surprise that SIFT was developed by an experienced group of forensic specialists and other subject matter experts. The bundle of cutting-edge forensic tools contained within SIFT allows for an in-depth investigation into every type of cyber-attack and makes the generation of incident reports simple.

Reports generated using SIFT Workstation are admissible in a court of law as evidence to obtain a conviction. It is one of the few software suites that is internationally recognized for its reliability and effectiveness.

In light of so many advantages offered in a single package, HackRead named the SIFT Workstation as the number one forensic toolkit in its list of the “Top 7 cyber forensic tools preferred by specialists and investigators around the world.”

SIFT Workstation requires Ubuntu. It can also be used on a Windows machine if Ubuntu is installed on it.

8. ProDiscover Forensic

In the event of a crime, the perpetrators often try to destroy the evidence in order to escape justice. This is an extremely common occurrence in the case of cybercrimes. In such a scenario, it is the deleted information on devices that helps investigators nab the criminals and repair the damage. Few forensic tools can recover deleted information as well as ProDiscover Forensic. It also lets investigators know whether any changes have been made to files or stored data.

This wonder tool has the ability to recover just about any data that was deleted from the hard drives of any computer. In addition to that, it can do so in a format that is both secure and admissible as evidence in the court of law. The remote forensic capability offered by ProDiscover Forensic has been a boon for investigators, which has made it the top choice for hundreds of customers in over 40 countries.

9. Volatility Framework

Volatility Framework is a unique forensic tool that lets investigators analyze the runtime state of a device using system information found in the volatile memory or RAM. Whenever we turn a device off, all unsaved data, which is present in the RAM gets deleted. It is only when we save something that it gets transferred from the RAM to permanent memory.

In the field of cyber forensics, it often becomes crucial to be able to extract data from the volatile memory in order to find out about recent activities. So, it goes without saying how useful Volatility Framework has become amongst law enforcement and intelligence agencies, in addition to military and civilian investigators. It is supported by professional forensic experts from around the world and is based on many years of academic research on advanced memory analysis techniques. It was released at a Black Hat event, which in itself speaks about its status in the international cybersecurity community.

Volatility Framework was also named by HackRead among the “Top 7 cyber forensic tools preferred by specialists and investigators around the world.”

10. Oxygen Forensic Suite

Developed by Oxygen Forensics, this suite of cutting-edge tools is one of the most effective applications when it comes to gathering information from mobile phones.

In the era of mobile applications, smartphones are almost always vital sources of forensic evidence that highlight the digital paper trail for investigators to follow. Even though the actual crime may have been committed using other electronic devices, the intent and plan to commit the crime may have been discussed and shared among acquaintances.

This is evidence enough to press formal charges and gain leverage in a court of law. A large percentage of crimes (cyber or otherwise) across the world have been solved using clues found on the victims’ or perpetrators’ mobile phones, and this number is only increasing with each passing year. It is no wonder that the Oxygen Forensic Suite has been popular with law enforcement agencies, defense and homeland security organizations, as well as private enterprises.

The company that developed this maverick tool, Oxygen Forensics, has over 10,000 customers in more than 150 countries, which is a testament to its credibility.

11. Computer Online Forensic Evidence Extractor (COFEE)

The Computer Online Forensic Evidence Extractor or COFEE was developed by Microsoft to aid law enforcement officers in extracting information from Windows computers. It is an easy to use platform offering more than 150 forensic tools that investigators can use to analyze computer memory to discern actionable evidence.

It features an interactive GUI and can be installed on flash drives or external hard drives to be used directly without any installation on the required device. Microsoft offers technical support for COFEE free of charge to law enforcement agencies.

12. XRY

Another world-class forensic tool for the extraction of data from smartphones is XRY. Developed by MSAB, a global leader in digital forensics technology, XRY enables investigators to extract actionable information such as call history, SMS, pictures, contacts, etc., even if they have been deleted.

Furthermore, XRY is applicable to devices that run Android, iOS and even BlackBerry operating systems. It is well known that smartphones are a vital piece of evidence, and MSAB’s software does an excellent job of retrieving crucial evidence to help solve cases.

The fact that XRY is used by police, law enforcement, military, government intelligence agencies and forensic laboratories in more than 100 countries shows its capabilities. MSAB has been in business for more than 35 years and has firmly established its position as an industry stalwart.

The company is a major supplier of forensic software for most of the police forces of the United Kingdom.

13. Xplico

Xplico is a highly popular network forensics tool used to extract the application-level data that internet-based applications exchange over a network. After intercepting the packets, Xplico is able to reconstruct that data and enable administrators to know who used which applications and for what purpose.

This makes Xplico a useful tool for network administrators in large corporations in which numerous employees exchange large amounts of data. It is highly effective in tracing unauthorized access and enforcing regulatory compliance.

14. WindowsSCOPE

In the aftermath of a cyberattack, it is extremely important to evaluate the scenario and determine how the attack was carried out. WindowsSCOPE happens to be one of the best tools for incident response. In the event of an attack, this tool reverse engineers the entire operating system and all running processes, ports, open files, and so on.

This allows forensic analysts to paint a clear picture of the sequence of events surrounding the attack and shed light on its cause. It can be used on Windows-based computers to reveal everything entered, including URLs, credentials, and any other information. Moreover, WindowsSCOPE is also capable of conducting system-wide reverse engineering, since it can access both user-level and kernel-level code.

Additionally, experts can also reverse engineer malware using this forensic tool to study them and implement preventive measures.

15. Encrypted Disk Detector

This is another forensic tool used in the aftermath of an attack to check for encrypted volumes on a computer. Unlike various other tools, the Encrypted Disk Detector has a command-line interface.

Knowing the presence of encrypted drives on a computer helps forensic investigators make informed decisions regarding the case under review.
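As an added illustration of what such a check involves (this is not Encrypted Disk Detector's own code), the following Python script walks a raw disk image sector by sector, flags sectors carrying a LUKS or BitLocker header, and falls back to a byte-entropy test for containers that deliberately have no header. The header signatures are the real on-disk values; the sample image, the 7.0 bits/byte threshold and the labels are constructed for the example.

```python
"""Sector-level scan of a raw disk image for encrypted volumes.

Added illustration, not Encrypted Disk Detector's own code: flags sectors
that carry a known encrypted-volume header (LUKS, BitLocker) and, for
containers that deliberately have no header, falls back to a byte-entropy
test. Signatures are the real on-disk values; the image is constructed.
"""
import math
import random
from collections import Counter
from typing import List, Optional, Tuple

SECTOR = 512

# Known header signatures as (offset within the sector, magic bytes).
# LUKS puts its magic at byte 0 of the partition; a BitLocker-encrypted
# volume carries the OEM ID "-FVE-FS-" at byte 3 of its boot sector.
SIGNATURES = {
    "LUKS": (0, b"LUKS\xba\xbe"),
    "BitLocker": (3, b"-FVE-FS-"),
}

# Plug-in entropy of 512 random bytes lands near 7.6 bits/byte (it is biased
# below 8 for small samples); text and code score well under 7.0.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_sector(sector: bytes) -> Optional[str]:
    """Label a sector by signature, else by entropy; None if unremarkable."""
    for name, (offset, magic) in SIGNATURES.items():
        if sector[offset:offset + len(magic)] == magic:
            return name
    # High entropy alone cannot separate encrypted from compressed or random
    # data, so this label is a lead to corroborate, not a conclusion.
    if shannon_entropy(sector) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return None


def scan_image(image: bytes) -> List[Tuple[int, str]]:
    """Return (sector number, label) for every sector that was flagged."""
    hits = []
    for start in range(0, len(image), SECTOR):
        label = classify_sector(image[start:start + SECTOR])
        if label is not None:
            hits.append((start // SECTOR, label))
    return hits


def summarize(hits: List[Tuple[int, str]]) -> dict:
    """Collapse per-sector hits into {label: sector count} for a report line."""
    return dict(Counter(label for _, label in hits))


def build_sample_image(seed: int = 7) -> bytes:
    """Constructed six-sector image: zeros, LUKS header, zeros, BitLocker
    boot sector, then two sectors of seeded random bytes standing in for a
    headerless container."""
    rng = random.Random(seed)
    zeros = bytes(SECTOR)
    luks = (b"LUKS\xba\xbe" + (2).to_bytes(2, "big")).ljust(SECTOR, b"\0")
    bitlocker = (b"\xeb\x58\x90" + b"-FVE-FS-").ljust(SECTOR, b"\0")
    random_data = bytes(rng.getrandbits(8) for _ in range(2 * SECTOR))
    return zeros + luks + zeros + bitlocker + random_data


if __name__ == "__main__":
    found = scan_image(build_sample_image())
    for sector_no, label in found:
        print(f"sector {sector_no}: {label}")
    print(summarize(found))
```

On a real image the signature hits are what an investigator acts on first; the high-entropy count only indicates where a headerless container may sit and needs corroboration from partition tables or installed software.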

A Dive into the Forensic Universe: Forensic Standardisation

What is Forensic Standardization? 

Computers have been an integral part of daily life in recent decades. Many who commit offenses, unfortunately, are not immune to the computer revolution either. As a result, techniques that allow prosecutors to retrieve data from devices used in unlawful activities and use it as evidence in criminal cases are becoming increasingly relevant to law enforcement. Standardization of the collection, analysis, interpretation, and reporting of forensic evidence is essential to a common approach to how evidence is used. This allows states to share facts and intelligence in order to exonerate the accused or convict the guilty.

HISTORY

The first Digital Forensic Research Workshop (DFRWS), held in Utica, New York in 2001, described digital forensics as “the application of scientifically derived and proven methods to the storage, processing, confirmation, identification, examination, interpretation, recording, and presentation of digital evidence derived from digital sources for the purpose of facilitating criminal investigations, or assisting with the rehabilitation of violent cases, or assisting in the anticipation of unauthorized activities that have been seen to interrupt scheduled operations.” Digital forensic evidence, however, may be used in both criminal and civil trials.

ISO/IEC 27043:2015 is an international standard that covers information infrastructure, encryption techniques, and incident investigation principles and processes. The standard defines a component of a larger investigation that can be used together with other international standards such as ISO/IEC 27035, ISO/IEC 27037, and ISO/IEC 27042. ISO/IEC 27043 was created with the primary goal of defining and following standardized investigation principles and procedures so that different investigators obtain the same results under similar circumstances. The concepts of reproducibility and repeatability are critical in any criminal investigation. Throughout the inquiry process, the ISO/IEC 27043 specification is also intended to provide consistency and transparency in the collected findings for each specific process (including report generation).

UNDERSTANDING THE NEED FOR STANDARDISING FORENSIC REPORT PROCESS

Report generation is a process in ISO/IEC 27043 that focuses on the analysis of digital data. In general, the presentation phase of a digital forensic investigation assists in the confirmation of the forensic theory, while report generation as a procedure is encapsulated within the investigative process and is one of the classes of the digital investigation process. Although report generation is not a method for conducting investigations, it has been presented as a process for displaying or interpreting the results. We believe that forensic reports should be prepared or produced in a standardized manner, rather than being lumped into one of the digital investigation categories (investigative process class). It’s worth noting that if forensic reports aren’t prepared, presented, and interpreted properly, they may lead to misinterpretations of the forensic theory or investigative fact throughout several cases. This is a major flaw in the standard.

SCOPE OF DIGITAL FORENSIC INVESTIGATIONS

It’s important to remember that a forensic report can cover the full spectrum of the automated forensic investigation process as it’s being written or produced. At this stage, information from a digital forensic investigation cannot be retrieved without observing specified procedures; this must be stated clearly, since the importance of the digital forensic investigation cannot be overstated and doing so provides for open investigative notification to all interested stakeholders. One might also look at the possibility of using Blockchain to ensure the credibility of the report’s data.

LIMITATIONS

There is no such thing as a flawless automated forensic examination. As a result, any decision to skip such procedures, protocols, or investigative behavior, as well as any known shortcomings in the methods and strategies used, should be reported.

CONCLUSION AND FUTURE DIRECTIONS

There is a need to standardize the report generation process in order to improve the presentation of forensic evidence before and after trial while adhering to the ISO/IEC 27043:2015 standard. Future study will focus on defining the core components of a standardized report generation process, for example in collaboration with the international digital forensic community, as well as investigating how modern technology like augmented reality, Blockchain, and machine learning can be used to make the process easier.