Why I Hate Digital
Forensics
Damir Delija
Varaždin, FSEC 2015
A few reasons for the title
The proposal for the lecture arrived just after I finally got my long overdue vacation …
Since 2008 I have had experience with digital forensics; a lot of things annoy me and make me think about …
I'd like to put up some thoughts and maybe it will start some process about fixing it …
Let's start - what to talk about
It will be about digital forensics and:
Naming
• Real name has power, remember Lord of the Rings
Its tools and practices
Its community
Practitioners
Standards and definitions
Trainings, certificates, curriculum
People using its results
Subfields
Relations with other computing science fields
Forensics definitions
Forensics is "the application of scientific knowledge to legal problems" (Merriam-Webster)
• Includes forensic medicine, physics, chemistry, dentistry, fingerprints, DNA, firearm analysis, accounting, ....
Forensic sciences are widely tied to Locard's Exchange Principle: "Every contact leaves a trace" (Prof. Edmond Locard, c. 1910)
This is from my favorite source:
• Is Mobile Device Forensics Really "Forensics"?, NIST Mobile Forensics Workshop, Gaithersburg, June 2014, Gary C. Kessler
Naming – techie side
The term itself, the name: what is correct?
There has been an evolution since the beginning; it comes from debugging …
• Forensic Computing:
• W. Venema, D. Farmer, late 1990s: "Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system." This is also the SANS definition.
• Digital forensics and Computer forensics (Wikipedia / technical):
• Computer forensics, sometimes known as computer forensic science, is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
• Cyber forensics
• a new buzzword, or an extension into cybernetics in the sense in which N. Wiener defined cybernetics, or into something more like S. Lem's ideas?
• just read "Tragedy of washing machines" or "Invincible" and think about the Internet of Things
Naming – legal side
Comes from usage in the legal process
• the combination of the concept of digital evidence and forensic computing gives the current legal definition
Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.
Judd Robbins: Computer Forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal (digital) evidence
Definitions - topics to think about
Digital forensics is an engineering science, which is in turn part of computer science
The profession of digital forensics requires continued education, training, and practice
Two communities:
• computing science
• law enforcement / legal
Some discrepancies and rough interfaces because of different definitions, meanings, terms
Important concepts like case, evidence etc. come from law enforcement but are lacking in technical implementations
Standards and definitions
Does a standard exist?
In a theoretical sense yes, but:
• Are tools, data formats, procedures standardized? NO
• Different legal systems have wide implications
• Compatibility is nonexistent - more on that under tools; just try to combine and compare results from commercial tools
What about a digital forensic language which can describe tasks, procedures, results, data?
• automation?
• results comparison as automated controls?
Current standards and definitions - are they correctly understood?
In a theoretical sense yes, but:
• what about the meaning of write-blocking procedures (almost a holy grail) in modern systems
• is it forensically acceptable or perfect?
• remember what a computer is now and what it was then
• same for mobile, live acquisition, data analyses, etc.
What about legal boundaries?
• Locard's "Exchange Principle" works for the Internet perfectly, but the data is not available
• In that sense the Internet is a big flat room, but each spot has its custodian and different rules
Relations with other computing science fields
Because of fast development there is always something new, undefined, half-baked
Prime example: mobile forensics
• Gary Kessler, Gary Kessler Associates, "Is Mobile Device Forensics Actually 'Forensics'?"
That is why I'm for the "Forensic Computing" approach in general, but with the size of data we have to deal with, it's more like data mining
• do we apply anything that was learned in data mining and data science to practical digital forensics?
• since I mentioned "practice", again more under tools
Tools and practices
Tools – plenty
The usual story about open / commercial and corporate policy
Commercial
• mostly based on the evolution of a tool someone from law enforcement developed ages ago
• by law enforcement – for law enforcement
Free
• developed from good computing theory but lacking development pace
• mostly not for "law enforcement forensics" but for incident response and analysis
• for the engineer type of mind-set
Commercial tools
Preferred in the legal part / law enforcement (why?)
What about reliability – a lot of talk about it in legal circles in the EU
Stephen Mason: challenges of international investigations (search and seizure) and other trial considerations (methods of presentation, admissibility tests)
Mostly based on the evolution of a tool someone from law enforcement developed ages ago for his own usage
In commercial tools constant development, but a lot of misfires
Lack of cross compatibility
• Just try to combine mobile forensics tools
• Just try to use logical evidence files
Very expensive and inflexible
All the bad choices of the MS philosophy of computing incorporated
No chance of automation or piping tools
Scripting practically nonexistent
Practically no UNIX platform in mainstream forensics
The last story about EnCase v7 is a perfect horror example
Theory not well founded (better to say not taken into account)
Best computing practices also not taken into account
Lack of standardization
• Physical evidence files are standardized, but nothing after that
Free / open source tools and practices
Again plenty of tools
The usual story for open source
Special case: commercial – free versions
• Some wonderful tools like FTK Imager
• Free / test versions
Venema, Farmer, Carrier developed good tools, but for mass usage community knowledge and skills are missing
• Developed in the sense that forensic science is an extension of ordinary science
• You have to be very good in medicine to become a forensic pathologist – this is the same attitude for these tools, and it is missing from ordinary curriculums
Most recent Python development very promising
• But I'll say in the current state of mind we need a "forensic python" which works forensically soundly on all supported OS platforms
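As an added illustration of the "results comparison as automated controls" idea from the standards slide and the "forensic python" remark above, here is example code written for this page, not taken from the talk or from any real forensic tool: two constructed exports from hypothetical tools A and B are normalized across path conventions and cross-checked, and the exports themselves are hashed so the control's inputs can be re-verified later. The CSV layout, paths and hash values are all assumptions.

```python
import csv
import hashlib
import io
from pathlib import PureWindowsPath, PurePosixPath

# Constructed sample exports from two hypothetical tools (not real tool output).
# Both list recovered files as "path,md5"; tool A uses Windows paths and
# upper-case hashes, tool B uses POSIX-style paths and lower-case hashes.
TOOL_A_CSV = """path,md5
C:\\Users\\Alice\\Documents\\report.docx,9E107D9D372BB6826BD81D3542A419D6
C:\\Users\\Alice\\Pictures\\IMG_0001.jpg,E4D909C290D0FB1CA068FFADDF22CBD0
C:\\Windows\\System32\\drivers\\etc\\hosts,0123456789ABCDEF0123456789ABCDEF
"""
TOOL_B_CSV = """path,md5
/Users/Alice/Documents/report.docx,9e107d9d372bb6826bd81d3542a419d6
/Users/Alice/Pictures/IMG_0001.jpg,ffffffffffffffffffffffffffffffff
/Users/Alice/Downloads/setup.exe,1f3870be274f6c49b3e31a0c6728957f
"""

def normalize_path(path: str) -> str:
    """Drop the drive/root anchor, unify separators and case so A and B compare."""
    p = PureWindowsPath(path) if "\\" in path or ":" in path else PurePosixPath(path)
    parts = [part for part in p.parts if part != p.anchor]
    return "/" + "/".join(parts).lower()

def parse_report(csv_text: str) -> dict:
    """Parse one tool's export into {normalized_path: lower-case hash}."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {normalize_path(r["path"]): r["md5"].strip().lower() for r in rows}

def report_digest(csv_text: str) -> str:
    """SHA-256 of the export itself, recorded so the control's input is verifiable."""
    return hashlib.sha256(csv_text.encode("utf-8")).hexdigest()

def compare_reports(a: dict, b: dict) -> dict:
    """Automated control: classify every artifact by how the two tools agree on it."""
    common = a.keys() & b.keys()
    return {
        "agree": sorted(p for p in common if a[p] == b[p]),
        "hash_mismatch": sorted(p for p in common if a[p] != b[p]),
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
    }

def run_control() -> dict:
    result = compare_reports(parse_report(TOOL_A_CSV), parse_report(TOOL_B_CSV))
    result["input_digests"] = {"a": report_digest(TOOL_A_CSV), "b": report_digest(TOOL_B_CSV)}
    return result

if __name__ == "__main__":
    for key, value in run_control().items():
        print(key, value)
```

Every artifact that lands in "hash_mismatch" or in only one tool's list is a finding for the examiner to explain before either tool's result is presented as fact.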
Its community and practitioners
Trainings, certificates, curriculums
• There is a lot, but not well defined and profiled
• Computing and other basics (often) missing
• Some horrible side effects such as a "hexadecimal fetish" in training
• My opinion is that a knowledge and skillset is needed, the one which ages ago described a system programmer, with some modern add-ons
• Often no career path
• Continuous learning is a problem too, because of organisational issues
• Some interesting initiatives like OLAF, but again the quality of materials and tools is questionable
People using its results
Again lack of understanding and different mindsets
A classical communication problem among experts
Some definitions are outdated
• What is forensically acceptable?
• What is forensically correct today?
When we are talking about a computer as a network of subsystems
• Write-blocking on a disk which is a computer itself, or an SD card
• Live forensics
• Mobile devices
How to cooperate, how to trust, how to precisely define tasks and results?
Things get complicated because of mindset issues
• The computer is a bit untrusted
• The computer can't do the work alone
• Labs and communication chains are not set up by common computing sense
Subfields
Subfields – what are the subfields?
Can we even list the subfields of digital forensics / cyberforensics?
• For some subfields it is not even clear what they are
• "mobile forensics" is a perfect example
• starting with "what is a mobile device?"
• How can a subfield be defined?
• Skills and practices, then …?
• Who defines new rules (theory sets one thing)?
• Engineers or law enforcement?
• Remember - it's the application of science in a legally acceptable way
Future?
Grim or glorious?
• Here in the Balkans it's grim ....
World?
• All around the world a lot of glorious opportunities?
• But IT security, of which forensics is a part, is in very bad shape
• Just read the reports and do some analyses
• In IT security we don't have technical problems but organizational and management problems
Something sounds almost religious
• … Oh Lord, give us a security Messiah who'll expel evil from our corporate / governmental networks and IT systems ...
What about elementary hygiene and practices?
It's the attitude that should be changed!
Conclusion and Questions?
Since IT penetration is unstoppable, it should be safe and controlled
Let's think about all this
How can we help to fix these issues?
How will this kindergarten type of problems influence the future?