Friday, June 03, 2005

The need for training

I ran across something interesting. It's not new, but it's the first time I've seen it. I was checking out what's new over on the E-Evidence site and somehow made it to an article that quoted Kate Seigfried about a study she'd conducted. The article said that cyberforensics is a discipline still in its infancy.

Here's an interesting quote from the article:
In academia, Purdue University’s Center for Education and Research in Information Assurance and Security recently produced a study on the state of computer forensics science. The study found forensic investigative procedures at present were still constructed in an informal manner that could impede the effectiveness or integrity of the investigation. Unfortunately, the study pointed out that the informal nature of the procedures could prevent verification of the evidence collected and might diminish the value of the evidence in legal proceedings.

Forensic investigative procedures are still constructed in an informal manner? What? The article isn't explicit enough to really say a whole lot, but I know that several law enforcement agencies will document their procedures, which other agencies will use as the model.

The article goes on to say that Eugene Spafford sees two key questions:

1. How do we formalize the process of cyber forensic evidence gathering and analysis using appropriate and rigorous scientific method?

Evidence gathering is the easy part. For the most part, there are formalized processes out there for imaging drives. There are issues that need to be addressed, such as terabyte storage capacities (after all, where are the golden eggs kept these days but in ginormous databases??), RAID, etc., but these can be overcome.

Now, finding evidence is a different matter...that involves search and analysis techniques that haven't been formalized. Why is that? Well, I have a couple of thoughts on that, but would like to hear from you with regards to your thoughts on the matter.

2. How do we augment information systems so as to produce better audit and evidentiary trails while at the same time not exposing them to additional compromise?

I'm not sure, but it would seem to me that making use of the inherent capabilities of the system would be a good start. What I find odd is that there are so many "hardening guides" out there for Windows systems, and we still see these systems being compromised. When you talk to admins, they don't seem to have the knowledge themselves, and some say that there are just too many guides out there - which one or ones are "authoritative"? Point them to the NSA guides (after all, who's more "authoritative" than the NSA??) and many of them will blindly install the settings, and then wonder why they can't do anything.

I think what he's referring to is to design and build systems (remember the Orange Book of the Rainbow Series??) with more robust auditing built in...don't make it something the admin has to add or configure separately, because it won't happen.

On a side note, it still mystifies me why MS would produce a "network operating system" that has NO inherent capability to get audit logs (i.e., Event Logs) off of systems. Even with the old NT-style domains, BDCs wouldn't automatically send their logs to the PDC or a designated system...you had to install separate software. How is that a "network" OS?
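As an added example (not code from the original post), here is the kind of "separate software" step the complaint above describes, done with nothing but what ships in later Windows versions: a PowerShell script that pulls the Security log from a list of hosts into a central folder so the audit trail survives if the originating box is wiped. It assumes PowerShell 3.0 or later, the Remote Event Log Management firewall rule enabled on the targets, and an account allowed to read the Security log; the hostnames, output path and time window are constructed placeholders.

```powershell
# Added example, not part of the original post: centralize Security logs by pulling
# them from each host. Hostnames and output directory below are constructed values.
param(
    [string[]]$ComputerName = @('dc01.example.test', 'file01.example.test'),
    [string]$OutputDir = 'C:\LogArchive',
    [int]$Hours = 24
)

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$since = (Get-Date).AddHours(-$Hours)

foreach ($computer in $ComputerName) {
    try {
        # Remote read of the Security log over RPC; -ErrorAction Stop turns
        # "no events found" and access-denied conditions into catchable errors.
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable @{
            LogName   = 'Security'
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Keep going: one unreachable host should not abort collection from the rest.
        Write-Warning "$computer : $($_.Exception.Message)"
        continue
    }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out   = Join-Path $OutputDir "$computer-Security-$stamp.csv"

    # Flatten the fields an analyst usually pivots on; Message carries the details.
    $events |
        Select-Object MachineName, TimeCreated, Id, ProviderName, LevelDisplayName, Message |
        Export-Csv -LiteralPath $out -NoTypeInformation -Encoding UTF8

    Write-Host "$computer : $($events.Count) events written to $out"

    # For an evidential copy in the native format instead of CSV, the built-in
    # wevtutil tool can export the remote log directly:
    #   wevtutil epl Security "$OutputDir\$computer-Security-$stamp.evtx" /r:$computer
}
```

Run it from a scheduled task on the collector so the copy happens whether or not an admin remembers. Windows Vista and Server 2008 later added Windows Event Forwarding (the Windows Event Collector service configured with wecutil), which pushes events from members to a collector on a subscription basis; that is the closer answer to the "inherent capability" the post asks for, and the pull script above is the simpler stopgap.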

But I digress...

I started looking and found the study referred to in the article (from 2003), entitled "The Future of Computer Forensics: A needs analysis survey".

This study, conducted by Marcus Rogers and Ms. Seigfried, provides some interesting information that I would think is still true today, almost two years later. Their survey found that training, education, and certification was the top issue mentioned by the respondents, while lack of funding was the least reported issue.

Training, education, and certification? Lack of formalization? Well, they're probably right. I've been to conferences before where one presenter will have "???" in an area of their presentation (the specific example in mind involved NTFS ADSs, OLE documents, and where file summary information is kept...), while another presenter at the same conference had detailed information and even a demonstration that answered the question. The first presenter was a LEO, the second was a private citizen.

A couple of years ago, I was talking to a guy who provided computer forensics training to LEOs. He asked me if NTFS ADSs could be transferred over the network. I told him via file sharing, yes...but not via other protocols, such as FTP and HTTP. He bet me that they could, so we set up a demonstration. Turns out I was right...I knew the answer because I'd already done the research.
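The ADS question above is easy to settle by experiment, and the same check is a routine forensic step. The following added example (not from the original post) is a PowerShell function that walks a directory tree and lists every named stream attached to a file, so you can create a file with a stream, copy it by whatever transfer method you are testing, and see whether the stream arrived. It assumes PowerShell 3.0 or later on an NTFS volume; the demo directory, file name and stream name are constructed.

```powershell
# Added example, not part of the original post: enumerate NTFS alternate data
# streams under a directory. Paths and stream names below are constructed.
function Get-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream; ':$DATA' is the file's
            # ordinary content, everything else is an alternate data stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Constructed demonstration: a file with one named stream, then the listing.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'sample.txt'
Set-Content -LiteralPath $file -Value 'main content'
Set-Content -LiteralPath $file -Stream 'notes' -Value 'constructed ADS content'

Get-AlternateDataStream -Path $demo | Format-Table -AutoSize
```

To reproduce the transfer test described above, copy sample.txt to its destination over SMB and then over FTP or HTTP, and run the function against each destination directory; only the copy whose listing still shows the "notes" stream carried the ADS. The listing is also worth running over a collected image as a matter of course, since a stream that is invisible in Explorer and to dir is exactly the kind of thing an informal procedure skips.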

My point is that there are folks out there doing reproducible, verifiable research...but it doesn't seem to be getting out there, even if it's presented at conferences, written into papers, articles, and books. Why is that?


Anonymous said...

Because doing such research is seldom listed as a responsibility on a job description.

Security is one of those fields that requires constant research and training to stay abreast of everything that is going on around us. Often, staff shortages, budget shortages and other resource constraints leave little time for us to take an hour or two out of our day to read a new paper on some new approach to solving a problem.

Hell, if I want to go to a conference, I often have to pay for it myself and take vacation days. And I get to hear my boss grumbling about being out of the office for 3 days. Then he asks me if the recent slowdown on our SQL servers could be the result of that new SQL worm.

Until employers start recognizing the amount of effort security people need to devote to research and reviewing other people's research, there will continue to be this disconnect.


Anonymous said...

Not exactly forensic-related... but rather generally ICT-related: a friend of mine posted an article a while ago about this very shortcoming, and the need for more TRAINING and EDUCATION for people/IT personnel:


(sorry, it is in Italian, but I hope that some automatic translation machine will help...)