
Types of Digital Forensics Research by Chris Hargreaves

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.
  

Types of Digital Forensics Research by Chris Hargreaves

Posted: Fri May 21, 2010 3:02 am

Further to Chris' useful article here, I'd like to propose that 'Anti-forensics' is a sixth category for sound MSc research.  

Fab4
Senior Member
 
 
  

Re: Types of Digital Forensics Research by Chris Hargreaves

Posted: Fri May 21, 2010 3:58 am

- Fab4
Further to Chris' useful article here, I'd like to propose that 'Anti-forensics' is a sixth category for sound MSc research.


Not sure about that -- it doesn't seem to target 'computer forensics' in the same way; it seems more to be quality assurance of tools but with the goal of exploiting identified problems.

Perhaps 'antiforensics' is to computer forensics as pen-testing is to computer security. It's interesting, but it does not really further the field in any important way.  

athulin
Senior Member
 
 
  

Re: Types of Digital Forensics Research by Chris Hargreaves

Posted: Fri May 21, 2010 4:48 pm

- athulin

Perhaps 'antiforensics' is to computer forensics as pen-testing is to computer security. It's interesting, but it does not really further the field in any important way.


I think the analogy to pen testing is a good one, but I do think it furthers the field. Perhaps not technically but an 'anti-forensic' mind set encourages an analyst not to take things at face value but to question and verify findings. I'm thinking of programs like Timestomp.

96hz
Senior Member
 
 
  

Re: Types of Digital Forensics Research by Chris Hargreaves

Posted: Sat May 22, 2010 1:16 am

- 96hz

Perhaps not technically but an 'anti-forensic' mind set encourages an analyst not to take things at face value but to question and verify findings. I'm thinking of programs like Timestomp


And?

We already know that there are API calls for changing these time stamps: that's obvious from Microsoft documentation. Timestomp is little more than proof of function of those system calls. At least nowadays -- once Microsoft patched the ability to set illegal timestamps which then caused problems with, e.g. EnCase.

And pure bugs (like that exFAT field mixup that has been reported on the EnCase forum recently) don't seem useful either -- perhaps part of an MSc in software engineering, but not in digital forensics. Applying software engineering testing techniques on forensic tool validation might be something, though. (But then that's already covered by the article.)

That is, antiforensic targets weaknesses in tools or analysts. That might also be a research field: what or where are those weaknesses? But again, that's not really digital forensics, it's more an education or training problem.

But I don't clearly see antiforensics is research stuff. It is useful as a way of demonstrating a problem -- agreed -- but that's a problem in rhetoric, and perhaps education (how to get the point across).

On the other hand ... perhaps digital forensics is in no state to carry serious research. I remember when you could get a Ph.D. just for writing a compiler. Any real value of that work was not in the compiler, but in the evaluation. And much of that work paved the way for the compiler generators that came later.

Perhaps it's the same here -- it's just that a scientific foundation has to be found if the work will have any lasting value. Building a tool that allows you, say, to alter the L path table of a CD, and so hide any file structures placed in that half from a tool that looks only at the M half may be fun, instructive, etc ... but where is the science value?


Added: That is, digital forensics seems very much to be applied science, and the sciences are other scientific fields, but not digital forensics itself.  

athulin
Senior Member
 
 
  

Re: Types of Digital Forensics Research by Chris Hargreaves

Posted: Sat May 22, 2010 3:35 am

- athulin

That is, antiforensic targets weaknesses in tools or analysts. That might also be a research field: what or where are those weaknesses? But again, that's not really digital forensics, it's more an education or training problem.

But I don't clearly see antiforensics is research stuff. It is useful as a way of demonstrating a problem -- agreed -- but that's a problem in rhetoric, and perhaps education (how to get the point across).


I agree with a lot of what you are saying and I think yes, if research is based entirely around creating an anti-forensic tool, the contribution can only ever be inferred by the community and it won't necessarily be lasting. Maybe I am considering it more as a contribution to practitioners than purely academic.

Is a problem not a good basis for research? If the research was to highlight areas and say "this area here A, that we rely on to get information can be obliterated, manipulated, obfuscated by these anti-forensic processes but information can be recovered from these artefacts, locations, processes etc. B,C,D". To me, that is broadening and deepening knowledge in the field. In this way, basing research around anti-forensic techniques it is possible to make original contributions. Whether these contributions are purely academic or scientific in their own right perhaps not, but the research can be conducted and presented in an academic and scientific way and surely that in itself is useful and worthwhile?

- athulin

On the other hand ... perhaps digital forensics is in no state to carry serious research.

That is, digital forensics seems very much to be applied science, and the sciences are other scientific fields, but not digital forensics itself


But surely this holds true for Medicine, the basis of it holds in other applied sciences and those from purer sciences. At whatever point research is carried out down that spectrum it has benefit and will inform the other areas. Practical research in Medicine has a very real tangible value.

Digital forensics is not mathematics, theoretical computer science or even software engineering but the research is surely tangible, can be innovative and has value in the same way as Medicine. It is entirely at the applied end of Theoretical/Applied spectrum.

My analogy only breaks down because Medicine has been around slightly longer :) But then maybe that in itself is why questions like this are raised, Digital Forensics is not clearly defined yet, and maybe we have very different interpretations on what it should be as an academic discipline?

96hz
Senior Member
 
 
  

Re: Types of Digital Forensics Research by Chris Hargreaves

Posted: Sat May 22, 2010 5:59 am

For me there is no doubt that digital forensics is a prime discipline for academic research.

It is rife with issues and challenges, particularly as new technologies emerge and established ones converge, much like forensic science was 100 years ago and remains so today.

Challenges should lead to research which hopefully leads to resolution (or at least pushes the matter to a new level of understanding), which may be in the form of creation, adaptation or validation of software, methodologies, best practices, guidelines, hardware, education, training, etc, etc.

And returning to my OP, research into anti-forensic methods et al can contribute greatly, in my humble opinion.  

Fab4
Senior Member
 
 
  

Re: Types of Digital Forensics Research by Chris Hargreaves

Posted: Sat May 22, 2010 9:34 am

- 96hz
Whether these contributions are purely academic or scientific in their own right perhaps not, but the research can be conducted and presented in an academic and scientific way and surely that in itself is useful and worthwhile ?


Ultimately, of course, the school and the thesis advisor/tutor must decide that. If the problem really required research, experimentation, etc, I would feel better about it. But as most of the problems in digital forensics are not due to lack of knowledge, but lack of information (which is something very much different), I still doubt that it is research ... or at least academic research. And problems in antiforensics are definitely of that form: much more like intelligence than research, much more like identifying areas of unclear specification. Not good choices for MSc work.

But surely this holds true for Medicine, the basis of it holds in other applied sciences and those from purer sciences. At whatever point research is carried out down that spectrum it has benefit and will inform the other areas. Practical research in Medicine has a very real tangible value.


Can you give an example? I thought there wasn't any such research anymore -- it had all specialized down into biochemistry, or microbiology or ... whatever. Those fields are where the researchers are educated, trained, and work -- there's where lab methods are developed, where science protocols are followed. Medicine is the umbrella -- but what research is done there?

And I can't really imagine that there is any 'research' going on in the field of ... antimedicine? ... how to prevent a doctor from diagnosing a disease, or curing the patient, or even deciding cause of death? (Well, unless you happen to work in the assassination business, of course.)

The kind of research I can see in digital forensics is of the same kind as the 'specializations' in ordinary forensics: someone specializes in local earth chemistry, beer chemistry, dyes, and so on. And, those areas were already mentioned in the original article. For the rest, I see software engineering with focus on forensics, etc: thesis work here belongs in another branch of academia.


But then maybe that in itself is why questions like this are raised, Digital Forensics is not clearly defined yet, and maybe we have very different interpretations on what it should be as an academic discipline?


Very probably. So it's more a question of ensuring that academical standards are upheld. But that is also the job of the school and the ... what's the term? thesis tutor?

And it strikes me that I could never accept 'library science' as a legitimate area of research and academic study. I still think it's something else. 'Digital forensics' has some similarities with that field, I think. Still, if it encourages more scientific rigour in the field, I won't complain.  

athulin
Senior Member
 
 