Why I Hate Digital Forensics
2015
A few reasons for the title
• The proposal for the lecture arrived just after I finally got my long overdue vacation …
• Since 2008 I have experience with digital forensics; a lot of things annoy me and make me think about …
• Just finished one EnCase v7 training and one Linux and Mobile training too, which puts me in the mood, since I'm an old grumpy unix sysadmin
• I'd like to put up some thoughts and maybe it will start some process about fixing it …
Sources
• all around from the Internet
• NIST
• SANS
• Porcupine web site
Let's start - what to talk about
It will be about digital forensics and:
• naming - a real name has power, remember Lord of the Rings
• its tools and practices,
• its community,
• practitioners,
• standards and definitions,
• trainings, certificates, curriculums,
• people using its results,
• subfields,
• relations with other computing science fields,
• ideas of how the future would look,
• my opinion
Forensics definitions
• Forensics is "The application of scientific knowledge to legal problems" (Merriam-Webster)
• Includes forensic medicine, physics, chemistry, dentistry, fingerprints, DNA, firearm analysis, accounting, ....
• Forensic sciences are widely tied to Locard's Exchange Principle "Every contact leaves a trace" (Prof. Edmond Locard, c. 1910)
• This is from my favorite source:
  • Is Mobile Device Forensics Really "Forensics"?, NIST Mobile Forensics Workshop, Gaithersburg, June 2014, Gary C. Kessler
Naming – techie side
The term itself, the name, what is correct?
• We have had evolution since the beginning; it comes from debugging …
• Forensic Computing:
  • W. Venema, D. Farmer, late 1990's: "Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system." This is also the SANS definition
• Digital forensics and Computer forensics (Wikipedia / technical):
  • Computer forensics, sometimes known as computer forensic science, is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
• Cyber forensics
  • a new buzzword, or an extension into cybernetics in the sense in which N. Wiener defined cybernetics, or into something more like S. Lem's ideas?
  • just read "Tragedy of washing machines" or "Invincible" and think about the Internet of Things
Naming – legal side
• Comes from usage in the legal process
• The combination of the concept of digital evidence and forensic computing gives the current legal definition
  • Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.
• Judd Robbins: Computer Forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal (digital) evidence
Definitions - topics to think about
• Digital forensics is an engineering science, which is in turn part of computer science
• The profession of digital forensics requires continued education, training, and practice
• Two communities:
  • computing science
  • law enforcement / legal
• Some discrepancies and rough interfaces because of different definitions, meanings, terms
• Important concepts like case, evidence etc. come from law enforcement but are lacking in technical implementations
Standards and definitions
• Do standards exist?
  • In a theoretical sense yes, but:
  • Are tools, data formats, procedures standardized? NO
  • Different legal systems have wide implications
  • Compatibility is nonexistent - more so in tools; just try to combine and compare results from commercial tools
• What about a digital forensic language which can describe tasks, procedures, results, data?
  • automation?
  • result comparison as automated controls?
Current standards and definitions - are they correctly understood?
• In a theoretical sense yes, but:
  • what about the meaning of write-blocking procedures (almost the holy grail) in modern systems
  • is it forensically acceptable or perfect?
  • remember what a computer is now and what it was then
  • same for mobile, live acquisition, data analyses, etc.
• What about legal boundaries?
  • Locard's "Exchange Principle" works for the Internet perfectly, but the data is not available
  • In that sense the Internet is a big flat room, but each spot has its custodian and different rules
Relations with other computing science fields
• Because of fast development there is always something new, undefined, unbaked
  • Prime example: mobile forensics
  • Gary Kessler, Gary Kessler Associates, "Is Mobile Device Forensics Actually "Forensics"?"
• That is why I'm for the "Forensic Computing" approach in general, but with the size of data we have to deal with, it's more like data mining
  • do we apply anything that was learned in data mining and data science to practical digital forensics?
  • since I mentioned "practice", again more on that in tools
Tools and practices
• Tools – plenty
• Usual story about open / commercial and corporate policy
• Commercial
  • mostly based on the evolution of a tool someone from law enforcement developed ages ago
  • by law enforcement – for law enforcement
• Free
  • development from good computing theory but lacking development pace
  • mostly not for "law enforcement forensics" but for incident response and analyses
  • for the engineer type of mind-set
Commercial tools
• Preferred in the legal part / law enforcement (why?)
• What about reliability – a lot of talk about it in legal circles in the EU
  • Stephen Mason: challenges of international investigations (search and seizure) and other trial considerations (methods of presentation, admissibility tests)
• Mostly based on the evolution of a tool someone from law enforcement developed ages ago for his own usage
• In commercial tools constant development, but a lot of misfires
  • The latest story about EnCase v7 is a perfect horror example; many about other tools too ..
• Not well-founded in theory (better to say theory is not taken into account)
• Best computing practices also not taken into account
• Lack of standardization
  • Physical evidence files are standardized but nothing after that
• Lack of cross compatibility
  • Just try to combine mobile forensics tools
  • Just try to use logical evidence files
• Very expensive and inflexible
• All the bad choices of the MS philosophy of computing incorporated
  • No chance of automation or piping tools
  • Scripting practically non-existent
  • Practically no UNIX platform in mainstream forensics
Free / open source tools and practices
• Again plenty of tools
• Usual story for open source
• Special commercial – free versions
  • Some wonderful tools like FTK Imager
  • Free / test versions
• Venema, Farmer, Carrier developed good tools, but for mass usage community knowledge and skills are missing
  • Developed in the sense that forensic science is an extension of ordinary science
  • You have to be very good in medicine to become a forensic pathologist – this is the same attitude for these tools, and it is missing from ordinary curriculums
• Most recent python development very promising
  • But I'll say in the current state of mind we need a "forensic python" which works forensically sound on all supported OS platforms
Its community and practitioners
• Trainings, certificates, curriculums
  • There is a lot, but not well defined and profiled
  • Computing and other basics (often) missing
  • Some horrible side effects such as "hexadecimal fetish" in training
• My opinion is that a knowledge and skill set is needed, one which ages ago described a system programmer, with some modern add-ons
• Often no career path
• Continuous learning is a problem too, because of organisational issues
• Some interesting initiatives like OLAF, but again the quality of materials and tools is questionable
People using its results
• Again lack of understanding and different mindsets
  • A classical communication problem among experts
• Some definitions are outdated
  • What is forensically acceptable?
  • What is forensically correct today?
  • When we are talking about the computer as a network of subsystems
  • Write-blocking on a disk which is a computer itself, or an SD disk
  • Live forensics
  • Mobile devices
• How to cooperate, how to trust, how to precisely define tasks and results?
• Things get complicated because of mindset issues
  • The computer is a bit untrusted
  • The computer can't do the work alone
  • Labs and communication chains are not set up by common computing sense
Subfields
• Subfields – what are subfields?
  • Can we even list the subfields of digital forensics / cyberforensics?
  • Some subfields are not even clear about what they are
  • "mobile forensics" is a perfect example
  • starting with "what is a mobile device?"
• How can a subfield be defined?
  • Skills and practices, then …?
• Who defines new rules (theory sets one thing)?
  • Engineers or law enforcement?
  • Remember - it's the application of science in a legally acceptable way
Future?
• Grim or glorious?
  • Here in the Balkans it's grim ....
• World?
  • All around the world a lot of glorious opportunities?
  • But IT security, which forensics is part of, is in very bad shape
  • Just read the reports and do some analyses
• In IT security we don't have technical problems but organizational and management problems
  • Something sounds almost religious
  • … Oh lord, give us a security Messiah who'll expel evil from our corporate / governmental networks and IT systems ...
• What about elementary hygiene and practices?
• It's the attitude that should be changed!
Conclusion and Questions?
• Since IT penetration is unstoppable, it should be safe and controlled
• Let's think about all this
• How can we help to fix these issues?
• How will these kindergarten-type problems influence the future?

More Related Content

What's hot

Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)
AltheimPrivacy
 
Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedure
newbie2019
 
[❤PDF❤] The Basics of Digital Forensics The Primer for Getting Started in Dig...
[❤PDF❤] The Basics of Digital Forensics The Primer for Getting Started in Dig...[❤PDF❤] The Basics of Digital Forensics The Primer for Getting Started in Dig...
[❤PDF❤] The Basics of Digital Forensics The Primer for Getting Started in Dig...
AngelinaJacobs2
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensics
Rahul Baghla
 

What's hot (20)

Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
The Future of Digital Forensics
The Future of Digital ForensicsThe Future of Digital Forensics
The Future of Digital Forensics
 
Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)Digital Forensics by William C. Barker (NIST)
Digital Forensics by William C. Barker (NIST)
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP Khartoum
 
Digital forensics ahmed emam
Digital forensics   ahmed emamDigital forensics   ahmed emam
Digital forensics ahmed emam
 
Survey & Review of Digital Forensic
Survey & Review of Digital ForensicSurvey & Review of Digital Forensic
Survey & Review of Digital Forensic
 
Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedure
 
Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensik
 
Brief introduction to digital forensics
Brief introduction to digital forensicsBrief introduction to digital forensics
Brief introduction to digital forensics
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Computer Forensic Softwares
Computer Forensic SoftwaresComputer Forensic Softwares
Computer Forensic Softwares
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
Computer forensics
Computer  forensicsComputer  forensics
Computer forensics
 
Sued or Suing: Introduction to Digital Forensics
Sued or Suing: Introduction to Digital ForensicsSued or Suing: Introduction to Digital Forensics
Sued or Suing: Introduction to Digital Forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
[❤PDF❤] The Basics of Digital Forensics The Primer for Getting Started in Dig...
[❤PDF❤] The Basics of Digital Forensics The Primer for Getting Started in Dig...[❤PDF❤] The Basics of Digital Forensics The Primer for Getting Started in Dig...
[❤PDF❤] The Basics of Digital Forensics The Primer for Getting Started in Dig...
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 

Similar to Why i hate digital forensics - draft

20120911 delija kukina - education of digital forensics experts
20120911 delija kukina - education of digital forensics experts20120911 delija kukina - education of digital forensics experts
20120911 delija kukina - education of digital forensics experts
Damir Delija
 
DIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATIONDIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATION
Amina Baha
 

Similar to Why i hate digital forensics - draft (20)

Towards Research-driven curricula for Law and Computer Science - Wyner and Pa...
Towards Research-driven curricula for Law and Computer Science - Wyner and Pa...Towards Research-driven curricula for Law and Computer Science - Wyner and Pa...
Towards Research-driven curricula for Law and Computer Science - Wyner and Pa...
 
POWRR Tools: Lessons learned from an IMLS National Leadership Grant
POWRR Tools: Lessons learned from an IMLS National Leadership GrantPOWRR Tools: Lessons learned from an IMLS National Leadership Grant
POWRR Tools: Lessons learned from an IMLS National Leadership Grant
 
So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester   ctsc2017So, you wanna be a pen tester   ctsc2017
So, you wanna be a pen tester ctsc2017
 
Remote forensics fsec2016 delija draft
Remote forensics fsec2016 delija draftRemote forensics fsec2016 delija draft
Remote forensics fsec2016 delija draft
 
20120911 delija kukina - education of digital forensics experts
20120911 delija kukina - education of digital forensics experts20120911 delija kukina - education of digital forensics experts
20120911 delija kukina - education of digital forensics experts
 
DIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATIONDIGITAL FORENSICS_PRESENTATION
DIGITAL FORENSICS_PRESENTATION
 
SHAREmodule1
SHAREmodule1SHAREmodule1
SHAREmodule1
 
Systemising advice
Systemising adviceSystemising advice
Systemising advice
 
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
 
2017 aals clinical_final
2017 aals clinical_final2017 aals clinical_final
2017 aals clinical_final
 
10 commandments in rdm funder compliancy
10 commandments in rdm funder compliancy10 commandments in rdm funder compliancy
10 commandments in rdm funder compliancy
 
Exo cortex
Exo cortexExo cortex
Exo cortex
 
Helping Developers with Privacy
Helping Developers with PrivacyHelping Developers with Privacy
Helping Developers with Privacy
 
Legal education of the future is information and technology
Legal education of the future is information and technologyLegal education of the future is information and technology
Legal education of the future is information and technology
 
DataScience_introduction.pdf
DataScience_introduction.pdfDataScience_introduction.pdf
DataScience_introduction.pdf
 
Human computer interaction -Design and software process
Human computer interaction -Design and software processHuman computer interaction -Design and software process
Human computer interaction -Design and software process
 
Starting From Scratch - the ELN Reality
Starting From Scratch - the ELN RealityStarting From Scratch - the ELN Reality
Starting From Scratch - the ELN Reality
 
Privacy, Encryption, and Anonymity in the Civil Legal Aid Context
Privacy, Encryption, and Anonymity in the Civil Legal Aid ContextPrivacy, Encryption, and Anonymity in the Civil Legal Aid Context
Privacy, Encryption, and Anonymity in the Civil Legal Aid Context
 
How obedient digital twins and intelligent beings contribute to ethics and ex...
How obedient digital twins and intelligent beings contribute to ethics and ex...How obedient digital twins and intelligent beings contribute to ethics and ex...
How obedient digital twins and intelligent beings contribute to ethics and ex...
 
Codebits 2010
Codebits 2010Codebits 2010
Codebits 2010
 

More from Damir Delija

Olaf extension td3 inisg2 2
Olaf extension td3 inisg2 2Olaf extension td3 inisg2 2
Olaf extension td3 inisg2 2
Damir Delija
 
Moguće tehnike pristupa forenzckim podacima 09.2013
Moguće tehnike pristupa forenzckim podacima 09.2013 Moguće tehnike pristupa forenzckim podacima 09.2013
Moguće tehnike pristupa forenzckim podacima 09.2013
Damir Delija
 
Cis 2013 digitalna forenzika osvrt
Cis 2013 digitalna forenzika osvrt  Cis 2013 digitalna forenzika osvrt
Cis 2013 digitalna forenzika osvrt
Damir Delija
 
Tip zlocina digitalni dokazi
Tip zlocina digitalni dokaziTip zlocina digitalni dokazi
Tip zlocina digitalni dokazi
Damir Delija
 
Sigurnost i upravljanje distribuiranim sustavima
Sigurnost i upravljanje distribuiranim sustavimaSigurnost i upravljanje distribuiranim sustavima
Sigurnost i upravljanje distribuiranim sustavima
Damir Delija
 
Improving data confidentiality in personal computer environment using on line...
Improving data confidentiality in personal computer environment using on line...Improving data confidentiality in personal computer environment using on line...
Improving data confidentiality in personal computer environment using on line...
Damir Delija
 

More from Damir Delija (20)

6414 preparation and planning of the development of a proficiency test in the...
6414 preparation and planning of the development of a proficiency test in the...6414 preparation and planning of the development of a proficiency test in the...
6414 preparation and planning of the development of a proficiency test in the...
 
Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnos...
Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnos...Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnos...
Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnos...
 
Ecase direct servlet acess v1
Ecase direct servlet acess  v1Ecase direct servlet acess  v1
Ecase direct servlet acess v1
 
Cis 2016 moč forenzičikih alata 1.1
Cis 2016 moč forenzičikih alata 1.1Cis 2016 moč forenzičikih alata 1.1
Cis 2016 moč forenzičikih alata 1.1
 
Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr...
Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr...Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr...
Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr...
 
Deep Web and Digital Investigations
Deep Web and Digital Investigations Deep Web and Digital Investigations
Deep Web and Digital Investigations
 
Datafoucs 2014 on line digital forensic investigations damir delija 2
Datafoucs 2014 on line digital forensic investigations damir delija 2Datafoucs 2014 on line digital forensic investigations damir delija 2
Datafoucs 2014 on line digital forensic investigations damir delija 2
 
EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection
 
Ocr and EnCase
Ocr and EnCaseOcr and EnCase
Ocr and EnCase
 
Olaf extension td3 inisg2 2
Olaf extension td3 inisg2 2Olaf extension td3 inisg2 2
Olaf extension td3 inisg2 2
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
 
Moguće tehnike pristupa forenzckim podacima 09.2013
Moguće tehnike pristupa forenzckim podacima 09.2013 Moguće tehnike pristupa forenzckim podacima 09.2013
Moguće tehnike pristupa forenzckim podacima 09.2013
 
Usage aspects techniques for enterprise forensics data analytics tools
Usage aspects techniques for enterprise forensics data analytics toolsUsage aspects techniques for enterprise forensics data analytics tools
Usage aspects techniques for enterprise forensics data analytics tools
 
Cis 2013 digitalna forenzika osvrt
Cis 2013 digitalna forenzika osvrt  Cis 2013 digitalna forenzika osvrt
Cis 2013 digitalna forenzika osvrt
 
Ibm aix wlm idea
Ibm aix wlm ideaIbm aix wlm idea
Ibm aix wlm idea
 
Aix workload manager
Aix workload managerAix workload manager
Aix workload manager
 
2013 obrada digitalnih dokaza
2013 obrada digitalnih dokaza 2013 obrada digitalnih dokaza
2013 obrada digitalnih dokaza
 
Tip zlocina digitalni dokazi
Tip zlocina digitalni dokaziTip zlocina digitalni dokazi
Tip zlocina digitalni dokazi
 
Sigurnost i upravljanje distribuiranim sustavima
Sigurnost i upravljanje distribuiranim sustavimaSigurnost i upravljanje distribuiranim sustavima
Sigurnost i upravljanje distribuiranim sustavima
 
Improving data confidentiality in personal computer environment using on line...
Improving data confidentiality in personal computer environment using on line...Improving data confidentiality in personal computer environment using on line...
Improving data confidentiality in personal computer environment using on line...
 

Recently uploaded

Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
Chris Hunter
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 

Recently uploaded (20)

Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural ResourcesEnergy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIFood Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 

Why i hate digital forensics - draft

  • 1. Why I Hate Digital Forensics 2015
  • 2. A few reasons for the title • Proposal for lecture arrived just after I finally get my long overdue vacation … • Since 2008 I have experience with digital forensics a lot of things that annoy me and makes me think about … • Just finished one EnCase v7 training and one Linux and Mobile training too, that puts me in the mood, since I’m an old grumpy unix sysadmin • I’d like to put up some thoughts and maybe it will start some process about fixing it … Sources • all around from Internet • NIST • SANS • Porcupine web site 2
  • 3. Lets start - what to talk about It will be about digital forensics and: • naming - real name has power, remember Lord of the Rings • its tools and practices, • its community, • practitioners, • standards and definitions, • trainings, certificates, curriculums • people using its results, • subfields, • relations with other computing science fields • ideas of future would looks • my oppinion 3
  • 4. Forensics definitions • Forensics is “The application of scientific knowledge to legal problems" (Merriam-Webster) • Includes forensic medicine, physics, chemistry, dentistry, fingerprints, DNA, firearm analysis, accounting, .... • Forensic sciences widely tied to Locard's Exchange Principle "Every contact leaves a trace" (Prof. Edmond Locard, c. 1910) • This is from my favorite source: • Is Mobile Device Forensics Really "Forensics"?, NIST Mobile Forensics Workshop, Gaithersburg, June 2014, Gary C. Kessler 4
  • 5. Naming – techie side The term itself, name, what is correct? • We have evolution since beginning, comes from debugging … • Forensic Computing: • V.Venema, D.Farmer late 1990’s: „Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system.” this is also SANS definiton • Digital forensics and Computer forensics (Wikipedia /technical): • Computer forensics, sometimes known as computer forensic science is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information. • Cyber forensics • new buzzword or extension into cybernetics in a sense as N. Weiner define cybernetics or into something more like S. Lem ideas ? • just read “Tragedy of washing machines” or “Invincible” and think about Internet of things 5
  • 6. Naming – legal side • Comes from usage in legal process • combination of concept of digital evidence and forensic computing gives current legal definition • Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. • Judd Robbins: Computer Forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal (digital) evidence 6
  • 7. Definitions - topics to think about • Digital forensics is an engineering science, which is again part of a computer science • The profession of digital forensics requires continued education, training, and practice • Two communities: • computing science • law enforcement / legal • Some discrepancies and rough interfaces because of different definitions, meanings, terms • Important concepts like case, evidence etc. comes from law enforcement but lacks in technical implementations 7
  • 8. Standards and definitions • Standard exists? • In theoretical sense yes, but: • Are tools, data formats, procedures standardized? NO • Different legal system has wide implications • Compatibility is nonexistent - more in tools , just try to combine and compare results from commercial tools • What about digital forensic language which can describe tasks, procedures, results, data? • automatisation ? • results comparation as automated controls ? 8
Current standards and definitions - are they correctly understood?
• In theoretical sense yes, but:
• what about the meaning of write-blocking procedures (almost the holy grail) in modern systems
• is it forensically acceptable or perfect?
• remember what a computer is now and what it was then
• same for mobile, live acquisition, data analysis, etc.
• What about legal boundaries?
• Locard's “Exchange Principle“ works for the Internet perfectly but the data is not available
• In that sense the Internet is a big flat room but each spot has its custodian and different rules
9
Relations with other computing science fields
• Because of fast development always something new, undefined, unbaked
• Prime example mobile forensics
• Gary Kessler, Gary Kessler Associates, ”Is Mobile Device Forensics Actually "Forensics“”?
• That is why I’m for the “Forensic Computing” approach in general, but with the size of data we have to deal with, it's more like data mining
• do we apply anything that was learned in data mining and data science to practical digital forensics?
• since I mentioned “practice”, again more in tools
10
Tools and practices
• Tools – plenty
• Usual story about open / commercial and corporate policy
• Commercial
• mostly based on evolution of a tool someone from law enforcement developed ages ago
• by law enforcement – for law enforcement
• Free
• development from good computing theory but lacking development pace
• mostly not for “law enforcement forensics” but for incident response and analysis
• for engineer type of mind-set
11
Commercial tools
• Preferred in legal part / law enforcement (why?)
• What about reliability – a lot of talk about it in legal circles in the EU
• Stephen Mason: challenges of international investigations (search and seizure) and other trial considerations (methods of presentation, admissibility tests)
• Mostly based on evolution of a tool someone from law enforcement developed ages ago for his own usage
• In commercial constant development but a lot of misfires
• Last story about EnCase v7 is a perfect horror example, many about other tools too ..
• Not well-founded in theory (better to say theory not taken into account)
• Best computing practices also not taken into account
• Lack of standardization
• Physical evidence files are standardized but nothing after that
• Lack of cross compatibility
• Just try to combine mobile forensics tools
• Just try to use logical evidence files
• Very expensive and inflexible
• All bad choices of the MS philosophy of computing incorporated
• No chance of automation or piping tools
• Scripting practically non-existent
• Practically no UNIX platform in mainstream forensics
12
Free / open source tools and practices
• Again plenty of tools
• Usual story for open source
• Special commercial – free versions
• Some wonderful tools like FTK Imager
• Free / test versions
• Venema, Farmer, Carrier developed good tools, but for mass usage community knowledge and skills are missing
• Developed in the sense that forensic science is an extension of ordinary science
• You have to be very good in medicine to become a forensic pathologist – this is the same attitude for these tools and missing from ordinary curriculums
• Most recent python development very promising
• But I'll say in the current state of mind we need “forensic python” which works forensically sound on all supported OS platforms
13
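What a scriptable, pipeable acquisition check of the kind slide 12 finds missing and slide 13 hopes for from Python could look like, as an added example that is not part of the original deck or of any tool it names; the stand-in image, file names and the mismatching second record are all constructed for the demonstration.

```python
"""Added example, not from the slides: a scriptable acquisition check of the kind
slide 12 says mainstream tools lack (piping, scripting) and slide 13 asks for as
"forensic python": read-only open, chunked hashing, a JSON record, and an
automated comparison of two tools' records. All names and values are constructed."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images

def hash_image_readonly(path):
    """Return byte count and digests of `path`, opened with O_RDONLY only (no
    O_WRONLY/O_CREAT/O_TRUNC), so the examiner's own tool cannot alter it."""
    flags = os.O_RDONLY | getattr(os, "O_BINARY", 0)  # O_BINARY exists on Windows only
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with os.fdopen(os.open(path, flags), "rb", buffering=0) as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            md5.update(block)
            sha256.update(block)
            size += len(block)
    return {"image": os.path.basename(path), "bytes": size,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def compare_records(rec_a, rec_b):
    """Automated control between two tools' records: the names of the fields
    that disagree (an empty list means the acquisitions match)."""
    return [k for k in ("bytes", "md5", "sha256") if rec_a.get(k) != rec_b.get(k)]

def demo():
    """Hash a constructed stand-in image; compare its record with itself and
    with a constructed second-tool record whose SHA-256 is wrong."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(b"\x00" * 4096 + b"constructed evidence image" + b"\xff" * 512)
        path = tmp.name
    try:
        rec = hash_image_readonly(path)
        other = dict(rec, sha256="0" * 64)  # constructed mismatching record
        return rec, compare_records(rec, rec), compare_records(rec, other)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    rec, same, tampered = demo()
    print(json.dumps(rec, sort_keys=True))  # one JSON line another tool can pipe in
    print("self-check:", same, "| tampered record:", tampered)
```

The JSON line on stdout is the point: a second tool (or the same script run on another platform) can emit the same shape and `compare_records` becomes the automated control slide 8 asks about.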
Its community and practitioners
• Trainings, certificates, curriculums
• There is a lot but not well defined and profiled
• Computing and other basics (often) missing
• Some horrible side effects such as the “hexadecimal fetish” in training
• My opinion is that knowledge and a skill set are needed, the one which ages ago described a system programmer, with some modern add-ons
• Often no career path
• Continuous learning is a problem too, because of organisational issues
• Some interesting initiatives like OLAF but again quality of materials and tools is questionable
14
People using its results
• Again lack of understanding and different mindsets
• A classical communication problem among experts
• Some definitions are outdated
• What is forensically acceptable?
• What is forensically correct today?
• When we are talking about a computer as a network of subsystems
• Write-blocking on a disk which is a computer itself, or an SD disk
• Live forensics
• Mobile devices
• How to cooperate, how to trust, how to precisely define tasks and results?
• Things get complicated because of mindset issues
• Computer is a bit untrusted
• Computer can’t do work alone
• Labs and communication chains are not set up by common computing sense
15
Subfields
• Subfields – what are subfields?
• Can we even list subfields of digital forensics/cyberforensics?
• For some subfields it is not even clear what they are
• “mobile forensics” is a perfect example
• starting with “what is a mobile device?”
• How can a subfield be defined?
• Skills and practices then …?
• Who defines new rules (theory sets one thing)?
• From engineers of law enforcement?
• Remember - it’s application of science in a legally acceptable way
16
Future?
• Grim or glorious?
• Here in the Balkans it's grim ....
• World?
• All around the world a lot of glorious opportunities?
• But IT security, which forensics is part of, is in very bad shape
• Just read reports and do some analysis
• In IT security we don't have technical problems but organizational and management problems
• Something sounds almost religious
• … Oh lord give us a security Messiah who’ll expel evil from our corporate / governmental networks and IT systems ...
• What about elementary hygiene and practices?
• It's attitude that should be changed!
17
Conclusion and Questions?
• Since IT penetration is unstoppable it should be safe and controlled
• Let's think about all this
• How can we help to fix these issues?
• How will this kindergarten type of problems influence the future?
18