2. A few reasons for the title
• The proposal for the lecture arrived just after I finally got my long overdue vacation …
• Since 2008 I have had experience with digital forensics, and a lot of things annoy me and make me think about …
• Just finished one EnCase v7 training and one Linux and Mobile training too; that put me in the mood, since I’m an old grumpy Unix sysadmin
• I’d like to put up some thoughts and maybe it will start some process of fixing it …
Sources
• from all around the Internet
• NIST
• SANS
• Porcupine web site
3. Let's start - what to talk about
It will be about digital forensics and:
• naming - a real name has power, remember Lord of the Rings
• its tools and practices,
• its community,
• practitioners,
• standards and definitions,
• training, certificates, curricula
• people using its results,
• subfields,
• relations with other computing science fields
• ideas of how the future would look
• my opinion
4. Forensics definitions
• Forensics is “The application of scientific knowledge to legal problems” (Merriam-Webster)
• Includes forensic medicine, physics, chemistry, dentistry, fingerprints, DNA, firearm analysis, accounting, …
• Forensic sciences are widely tied to Locard's Exchange Principle: “Every contact leaves a trace” (Prof. Edmond Locard, c. 1910)
• This is from my favorite source:
• Is Mobile Device Forensics Really "Forensics"?, NIST Mobile Forensics Workshop, Gaithersburg, June 2014, Gary C. Kessler
5. Naming – techie side
The term itself, the name: what is correct?
• There has been evolution since the beginning; it comes from debugging …
• Forensic Computing:
• W. Venema, D. Farmer, late 1990’s: “Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system.” This is also the SANS definition
• Digital forensics and Computer forensics (Wikipedia / technical):
• Computer forensics, sometimes known as computer forensic science, is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
• Cyber forensics
• a new buzzword, or an extension into cybernetics in the sense in which N. Wiener defined cybernetics, or into something more like S. Lem's ideas?
• just read “Tragedy of washing machines” or “Invincible” and think about the Internet of Things
6. Naming – legal side
• Comes from usage in the legal process
• the combination of the concept of digital evidence and forensic computing gives the current legal definition
• Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.
• Judd Robbins: Computer Forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal (digital) evidence
7. Definitions - topics to think about
• Digital forensics is an engineering science, which is in turn part of computer science
• The profession of digital forensics requires continued education, training, and practice
• Two communities:
• computing science
• law enforcement / legal
• Some discrepancies and rough interfaces because of different definitions, meanings, terms
• Important concepts like case, evidence etc. come from law enforcement but are lacking in technical implementations
8. Standards and definitions
• Do standards exist?
• In a theoretical sense yes, but:
• Are tools, data formats, procedures standardized? NO
• Different legal systems have wide implications
• Compatibility is nonexistent - more on that under tools; just try to combine and compare results from commercial tools
• What about a digital forensic language which can describe tasks, procedures, results, data?
• automation?
• results comparison as automated controls?
9. Current standards and definitions - are they correctly understood?
• In a theoretical sense yes, but:
• what about the meaning of write-blocking procedures (almost a holy grail) in modern systems
• is it forensically acceptable or perfect?
• remember what a computer is now and what it was then
• same for mobile, live acquisition, data analysis, etc.
• What about legal boundaries?
• Locard's “Exchange Principle” works for the Internet perfectly, but the data is not available
• In that sense the Internet is a big flat room, but each spot has its custodian and different rules
10. Relations with other computing science fields
• Because of fast development there is always something new, undefined, half-baked
• Prime example: mobile forensics
• Gary Kessler, Gary Kessler Associates, “Is Mobile Device Forensics Actually "Forensics"?”
• That is why I’m for the “Forensic Computing” approach in general, but with the size of data we have to deal with, it's more like data mining
• do we apply anything that was learned in data mining and data science to practical digital forensics?
• since I mentioned “practice”, again more on that under tools
11. Tools and practices
• Tools – plenty
• The usual story about open / commercial and corporate policy
• Commercial
• mostly based on the evolution of a tool someone from law enforcement developed ages ago
• by law enforcement – for law enforcement
• Free
• development from good computing theory but lacking development pace
• mostly not for “law enforcement forensics” but for incident response and analysis
• for the engineer type of mind-set
12. Commercial tools
• Preferred in the legal part / law enforcement (why?)
• What about reliability – a lot of talk about it in legal circles in the EU
• Stephen Mason: challenges of international investigations (search and seizure) and other trial considerations (methods of presentation, admissibility tests)
• Mostly based on the evolution of a tool someone from law enforcement developed ages ago for his own usage
• In commercial tools there is constant development but a lot of misfires
• The latest story about EnCase v7 is a perfect horror example, and there are many about other tools too ..
• Not well founded in theory (better to say theory is not taken into account)
• Best computing practices are also not taken into account
• Lack of standardization
• Physical evidence files are standardized but nothing after that
• Lack of cross compatibility
• Just try to combine mobile forensics tools
• Just try to use logical evidence files
• Very expensive and inflexible
• All the bad choices of the MS philosophy of computing incorporated
• No chance of automation or piping tools
• Scripting practically nonexistent
• Practically no UNIX platform in mainstream forensics
13. Free / open source tools and practices
• Again plenty of tools
• The usual story for open source
• Special case: commercial – free versions
• Some wonderful tools like FTK Imager
• Free / test versions
• Venema, Farmer, Carrier developed good tools, but for mass usage the community knowledge and skills are missing
• Developed in the sense that forensic science is an extension of ordinary science
• You have to be very good in medicine to become a forensic pathologist – this is the same attitude for these tools, and it is missing from ordinary curricula
• The most recent Python development is very promising
• But I'll say that in the current state of mind we need a “forensic Python” which works in a forensically sound way on all supported OS platforms
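As an added example, not code from the slides or from any of the tools named above, here is what a small piece of that “forensic Python” looks like when it is written for scripting and piping (the points raised on slides 8, 12 and 13): an evidence image is hashed in one streaming pass while held open read-only, the acquisition details go into a plain JSON record that the next tool in the chain can consume, a later verification re-hashes and reports every field that no longer matches, and two tools' file-hash listings for the same image are compared automatically so a human only has to look at the discrepancies. The case and examiner identifiers are placeholders and the sample image is constructed bytes written to a temporary file; the function names are this example's own, not any project's API.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha256")   # two independent digests: one collision cannot explain a match
CHUNK = 1024 * 1024              # stream in 1 MiB pieces, so a multi-TB image never sits in RAM


def hash_image(path):
    """Hash an evidence file in one streaming pass, holding it open read-only.

    O_RDONLY only guarantees that this script itself takes no write handle on the
    evidence; it is not a substitute for the write-blocker (hardware or OS-level)
    on the acquisition side that the slides discuss.
    """
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with os.fdopen(os.open(path, os.O_RDONLY), "rb", buffering=0) as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return {"size": size, **{n: d.hexdigest() for n, d in digests.items()}}


def acquisition_record(path, examiner, case_id):
    """Machine-readable acquisition record: what was hashed, by whom, and when.
    Plain JSON, so it can be piped into whatever tool comes next in the chain."""
    rec = hash_image(path)
    rec.update({
        "case": case_id,            # placeholder identifier supplied by the caller
        "examiner": examiner,       # placeholder identifier supplied by the caller
        "source": os.path.basename(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    })
    return rec


def verify_image(path, record):
    """Re-hash the file and compare size and every digest against the record.
    Returns (ok, mismatches); mismatches maps field -> (recorded, current)."""
    current = hash_image(path)
    mismatches = {k: (record.get(k), current[k])
                  for k in ("size",) + ALGORITHMS if record.get(k) != current[k]}
    return (not mismatches, mismatches)


def compare_tool_results(tool_a, tool_b):
    """Automated control: two tools' {path: sha256} listings for the same image
    must agree. Reports files only one tool produced and files whose hashes
    differ; everything else is considered confirmed by both tools."""
    paths_a, paths_b = set(tool_a), set(tool_b)
    return {
        "only_in_a": sorted(paths_a - paths_b),
        "only_in_b": sorted(paths_b - paths_a),
        "hash_mismatch": sorted(p for p in paths_a & paths_b
                                if tool_a[p].lower() != tool_b[p].lower()),
    }


def make_sample_image(data):
    """Write constructed sample bytes to a temp file that stands in for a disk image."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample, not real evidence.
    image = make_sample_image(b"constructed sample image, not real evidence\n" * 1000)
    record = acquisition_record(image, "examiner-1", "CASE-0001")   # placeholder ids
    print(json.dumps(record, indent=2))
    print("verify after acquisition:", verify_image(image, record))
    with open(image, "r+b") as fh:        # simulate a single overwritten byte
        fh.seek(0)
        fh.write(b"X")
    print("verify after tampering:", verify_image(image, record))
    # Constructed listings from two hypothetical tools run over the same image.
    print(compare_tool_results({"/a": "01", "/b": "02"},
                               {"/a": "01", "/b": "03", "/c": "04"}))
```

The record is deliberately just a dict of strings and integers: that is what makes it possible to store it next to the image, diff it between examiners, or feed it to the next stage without a GUI in between, which is exactly what the commercial tools on slide 12 do not offer.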
14. Its community and practitioners
• Training, certificates, curricula
• There is a lot, but not well defined and profiled
• Computing and other basics (often) missing
• Some horrible side effects such as the “hexadecimal fetish” in training
• My opinion is that a knowledge and skill set is needed, one which ages ago described a system programmer, with some modern add-ons
• Often no career path
• Continuous learning is a problem too, because of organisational issues
• Some interesting initiatives like OLAF, but again the quality of materials and tools is questionable
15. People using its results
• Again a lack of understanding and different mindsets
• A classical communication problem among experts
• Some definitions are outdated
• What is forensically acceptable?
• What is forensically correct today?
• When we are talking about a computer as a network of subsystems
• Write-blocking on a disk which is a computer itself, or an SD card
• Live forensics
• Mobile devices
• How to cooperate, how to trust, how to precisely define tasks and results?
• Things get complicated because of mindset issues
• The computer is a bit untrusted
• The computer can’t do the work alone
• Labs and communication chains are not set up by common computing sense
16. Subfields
• Subfields – what are the subfields?
• Can we even list the subfields of digital forensics / cyber forensics?
• For some subfields it is not even clear what they are
• “mobile forensics” is a perfect example
• starting with “what is a mobile device?”
• How can a subfield be defined?
• Skills and practices, then …?
• Who defines new rules (theory sets one thing)?
• Engineers or law enforcement?
• Remember - it’s the application of science in a legally acceptable way
17. Future?
• Grim or glorious?
• Here in the Balkans it's grim ....
• World?
• All around the world a lot of glorious opportunities?
• But IT security, which forensics is part of, is in very bad shape
• Just read the reports and do some analysis
• In IT security we don't have technical problems but organizational and management problems
• Something sounds almost religious
• … Oh Lord, give us a security Messiah who’ll expel evil from our corporate / governmental networks and IT systems ...
• What about elementary hygiene and practices?
• It's the attitude that should be changed!
18. Conclusion and Questions?
• Since IT penetration is unstoppable, it should be safe and controlled
• Let's think about all this
• How can we help to fix these issues?
• How will these kindergarten-type problems influence the future?