Thursday, December 16, 2010

Convergence

At the BasisTech Open Source conference (June, 2010), a LEO told me, "we do CP and fraud cases, you do intrusions and malware."

My response at the time was, well, no, we (meaning analysts/examiners who are not LE) solve problems...and the people who call us have intrusion and malware issues. My point was that much of what we do and the skills we bring to the table are (or could be) very useful to LE. In fact, many of us who are not LE have done work on CP cases, some even resulting in plea agreements.

Looking back over some of the work that I and others have done, it occurs to me that there's an ever greater convergence between LE and analysts in the private sector. Say LE has a CP or fraud case...if the claim of "the Trojan did it" is made, then the case becomes a malware case, even to the point that the claim has to be disproved. If the claim is made that an unauthorized user accessed the system and placed the image files on the system, then the case then becomes an intrusion case.

So I guess my point is that there's a convergence in what each of us does, and we're not quite so separate and in our own silos the way some think, and we don't so much have disparate skill sets. I'm just sayin'...

6 comments:

Mark McKinnon said...

Very well stated sir.

Chris Perkins said...

Great points, I agree that the separation can and will continue to be blurred. In my role in the private sector we interact/assist with law enforcement on some situations including fraud and others mentioned. My opinion is that the partnership between the public/private sector provides value due to the similarities of skill sets.

M. W. Picone said...

Your points are exactly right on.

I'm a relative newbie to computer forensics, but I have 32 years experience on the LE side of the picture.

The observation that "we do CP and fraud and you do intrusions and malware" is extremely short sighted. The purpose of a LE investigation is to identify the guilty party and to be able to counter defense objections to your conclusions. If your investigation deals with a computer connected to the Internet (if the machine wasn't, you probably wouldn't have an investigation) you automatically have to be able to counter the defense argument that the evidence was created by an intrusion and/or by malware.

I think that both sides need to be aware that the other side is going to have limitations on what they can share on an individual case. On the LE side, an investigator is limited by law as to what he can and cannot disclose, and also the policies of his or her agency or directives from the prosecutor's office. On the private sector side, an investigator or examiner has to always be mindful of his or her responsibilities to their client. Sometimes they can't share because of limitations imposed by the client.

And then sometimes it's just pure and simple ego that gets in our collective way.

Notwithstanding these limitations, there's no reason why cooperation shouldn't be the order of the day. It would be foolish to conduct an investigation, starting off with "I’m not going to use that resource."

H. Carvey said...

MW...

I agree. But if private sector folks can help LE put together a case such that a plea agreement is reached, and do it in days, rather than weeks or months...isn't that a good thing?

Talk to Maj Carole Newell of the Broken Arrow PD about this, and what Chris Pogue has done for them.

Rob said...

I think a better question is who is "supposed to be doing" the forensic work for Broken Arrow and why is there such a backlog? One thing that will happen is that forensics is not charity work and will eventually start costing the Department money. And with tight budgets the Dept will look to get as much freebies as possible..until it's not. Then what? Keep cutting corners by not having enough personal to do the job? Not training enough folks to do the work?
In some cases it may make sense to just contract out forensic work because there isn't a workload to justify the training and equipment.

H. Carvey said...

I think a better question is who is "supposed to be doing" the forensic work for Broken Arrow and why is there such a backlog?

I'm not sure that's a "better" question, per se...particularly because it's already answered. Maj Newell stated that, like many other PDs throughout the nation, there's simply a lack of staff and funding. This is true at a number of levels. If I remember correctly, Maj Newell stated that she has a department of 124 officers with an annual training budget for the entire department of $20K.

One thing that will happen is that forensics is not charity work...

In this case, it is. Chris stated that he walked into the PD with his credentials and said that he's a father in the community and wants to help. He mentioned having to reach to someone with additional expertise for assistance, and that person did not submit a bill.

Keep cutting corners by not having enough personal to do the job? Not training enough folks to do the work?

I think that those are really easy questions to ask, outside the reality of the situation.

Let's say that in the state of Oklahoma, three regional labs are opened to do just cell phone acquisition and analysis. How will these be paid for? How will they be staffed and trained? What happens when an analyst gets trained up, does 20 exams, and then leaves for the private sector and more money? Even if you do set up these labs, what level do you staff and train them at? For the first year or two, there might not be enough work just to justify having the analysts...regardless of how the work gets paid for. Then, when things really ramp up and the on-scene officers are better trained, that's when the backlog really picks up.