Sunday, March 11, 2007

Forensic Challenges

Whenever something new comes out, one of the things people in particular fields ask is, how will this affect us and what we do? This is especially true in our field. With the recent release of new technologies, not the least of which is Vista, lots of folks have been asking about the challenges to digital forensics these new technologies will pose.

Thinking about this, I would suggest that the challenges don't come from "new" technologies being introduced, but rather from our community's myopic point of view.

I know what you're thinking...what did he just say? Well, I'm suggesting that new technologies...increased storage capacities, increased sophistication in cybercrime, new operating systems, etc...aren't imposing the "challenges" we think they are...we are. As a community, we're limiting ourselves, and imposing these challenges on ourselves somewhat artificially.

Rather than trying to describe my reasoning, let's look at a couple of examples. First, increased storage capacity...newer, smaller hard drives with greater capacity make things like iPods and cell phones that do everything for you possible. However, this is something that the forensic community has been dealing with for some time. This is not a 'new' challenge at all. The same holds true with new technologies, like Vista. New operating systems have been coming out all the time...at one time, Windows NT 4.0 was "new" (heck, even I remember that!).

What about drive encryption? Is this particularly a "new" challenge? Encryption has been around for a while, and we have to deal with encrypted files all the time. With freeware encryption for files, and even commercial products, it's not unusual to have to deal with such things. Those of us that haven't had to deal with such things specifically need to keep some knowledge of what to do, an "SOP", if you will, in mind in case we do encounter these things.

IMHO, the real challenges to the digital forensic community are largely self-imposed. New technology doesn't necessarily impose new challenges on the community, as the introduction of "new" technologies is almost a steady-state in this industry, isn't it? DOS led to Windows 3.1 and OS/2, which led to Windows 95 and NT 3.51/4.0, etc., etc. Storage capacity has increased over time. New devices have been introduced. There's really no "challenge" in this, per se...simply wait until someone produces a product to deal with the "new" technology, and things continue as before.

It appears that the real challenge is incorporating new ways of doing things, such as live response. Now, we won't always have the opportunity to employ live response, as not all of us have the benefit of talking to the "victim" prior to them taking some action on the affected system(s), but live response is one of those things that flies in the face of the traditional (dare I say "purist") approach to computer/digital forensics. However, live response can do a great deal to help us solve some of the other perceived challenges, if we can change the mindsets of the major players in the community. From there, this mindset change will permeate the minds of others...corporate IT, lawyers, etc.
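As an added illustration of what a repeatable live-response methodology looks like in practice (this is example code written for this page, not a tool from the post's author): the harness below runs an ordered list of volatile-data commands, most volatile first, keeps each command's raw output untouched, and writes a manifest with UTC start/end timestamps and SHA-256 hashes so that anyone can later re-verify that the saved output is what was collected. The command names in the step lists (ps, netstat, tasklist, and so on) are assumptions about what is available on a typical host; a missing or hung tool is recorded in the manifest rather than silently skipped.

```python
"""Live-response collection harness (added illustration, not the post author's
code). Runs an ordered list of volatile-data commands, preserves each command's
raw output, and writes a manifest with UTC timestamps and SHA-256 hashes so the
collection can be re-verified later."""
import hashlib
import json
import platform
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


def collect_step(name: str, argv: list, out_dir: Path, timeout: int = 60) -> dict:
    """Run one command, save its stdout unmodified, and return its manifest entry."""
    record = {"name": name, "argv": argv, "start_utc": utc_now()}
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        output, rc, err = proc.stdout, proc.returncode, None
    except (OSError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool is documented in the record, not silently skipped
        output, rc, err = b"", None, repr(exc)
    record["end_utc"] = utc_now()
    out_file = out_dir / f"{name}.out"
    out_file.write_bytes(output)
    record.update({"returncode": rc, "error": err, "file": out_file.name,
                   "bytes": len(output), "sha256": sha256_hex(output)})
    return record


def run_collection(steps, out_dir) -> dict:
    """Execute steps in the given order (most volatile first) and write manifest.json."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "host": platform.node(),
        "platform": platform.platform(),
        "collector_python": sys.version.split()[0],
        "collection_start_utc": utc_now(),
        "steps": [collect_step(name, argv, out_dir) for name, argv in steps],
    }
    manifest["collection_end_utc"] = utc_now()
    body = json.dumps(manifest, indent=2, sort_keys=True).encode()
    (out_dir / "manifest.json").write_bytes(body)
    # The manifest hash is the value the examiner writes into their contemporaneous notes
    manifest["manifest_sha256"] = sha256_hex(body)
    return manifest


def verify_collection(out_dir) -> bool:
    """Re-hash every saved output and compare with the manifest; False on any mismatch."""
    out_dir = Path(out_dir)
    manifest = json.loads((out_dir / "manifest.json").read_text())
    for step in manifest["steps"]:
        saved = out_dir / step["file"]
        if not saved.exists() or sha256_hex(saved.read_bytes()) != step["sha256"]:
            return False
    return True


# Example step lists. The tool names are an assumption about what is installed on
# the host being examined; each list is ordered roughly most volatile first.
POSIX_STEPS = [
    ("date", ["date", "-u"]),
    ("processes", ["ps", "-ef"]),
    ("network", ["netstat", "-an"]),
    ("users", ["who"]),
    ("uname", ["uname", "-a"]),
]
WINDOWS_STEPS = [
    ("date", ["cmd", "/c", "date", "/t"]),
    ("processes", ["tasklist"]),
    ("network", ["netstat", "-an"]),
    ("sessions", ["query", "user"]),
    ("systeminfo", ["systeminfo"]),
]

if __name__ == "__main__":
    steps = WINDOWS_STEPS if sys.platform.startswith("win") else POSIX_STEPS
    target = sys.argv[1] if len(sys.argv) > 1 else "live_response_out"
    result = run_collection(steps, target)
    print("manifest sha256:", result["manifest_sha256"])
    print("verified:", verify_collection(target))
```

The point of the manifest is not the hashes themselves but that the collection becomes reproducible and testable: the argument list, the order, the timestamps and the hash of every output are recorded, so a second examiner can re-run `verify_collection` against the preserved directory and show whether anything changed after acquisition.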

What challenges do you see?


Bill Ethridge said...

"I would suggest that the challenges don't come from "new" technologies being introduced, but rather from our community's myopic point of view"

I believe the myopia is partially caused by the reliance on Forensic Suites. If a new technology or new threat comes along and the solution isn't built into your tool, and the instructions for working it are not in your help file, then panic sets in and the sky is falling and CF is dead.

If like some of us, you use Suites when appropriate (i.e. when you can use their strengths) and you rely on manual operations and testing and experimentation, you either build a solution or have input to someone who builds a solution.

It's kind of like your car, if you don't know how to perform basic safety and operational checks, and some basic maintenance then you freak out when you're stuck on the side of the freeway and don't know what's wrong.


Keydet89 said...

I think that in a lot of cases, the solutions are right there, and can be exploited through the current tools that are used. However, things such as live response/acquisition are "too new" and fly in the face of the traditional/purist approach to forensic analysis, and are hard for many to accept.

Many times I've heard people say that they won't be doing live response until the data collected is accepted in court...and they say this without understanding that at one point, fingerprints, DNA, and even computer evidence itself weren't accepted in court.

echo6 said...

I agree with you Harlan, at least in the US you have the DAUBERT standard by which evidence, such as live analysis evidence can be admitted into proceedings.

"In most European countries, where criminal procedure is dominated by the notion of an examining magistrate, admissibility rules are either absent or informal, depending largely on a “relevancy” test."..Peter Sommer

This makes it harder, but not impossible. The only way the courts will accept it is if it is tested preferably using something akin to the DAUBERT standard. We will only see the courts accept it if we take those steps to introduce it in the first place.

Having said that I do think that a sound methodology should be used to reduce the risks of the evidence becoming inadmissible.

Keydet89 said...

Agreed. I also think that we've pounded the methodology quite a bit, as well. I'd suggest that it's time to start actually using it.

Bill Ethridge said...

....I agree with you Harlan, at least in the US you have the DAUBERT standard by which evidence, such as live analysis evidence can be admitted into proceedings.....

In North Carolina, and some other states I believe there is no Daubert Standard. It's up to each judge to set his standard.

But I agree...we have to start using it and let the legal system handle the acceptability side.