Pitfalls of Interpreting Forensic Artifacts in the Registry

Discussions related to Forensic Focus webinars. Please use the appropriate topic for each webinar.

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Sat Nov 03, 2012 4:54 pm

Hi Anders,

I think that you are raising a very interesting question. It had been dealt with - to some extent - in the philosophy of science. Karl Popper, for example, argued that scientific theories cannot be proved conclusively and can only be falsified through experiments.

The complexity of real world digital systems is such that forensic experiments in most cases are incomplete. I think that forensic experimentation is essentially an attempt to approximate how something works based on an incomplete set of observations. The success of it seems to depend on choosing the right model. In electrical and mechanical engineering, for example, linear system models are able to adequately describe a great many real world phenomena - to the extent that we can use them to build machines, bridges, etc. I think we are missing something like that in digital forensics.

Another thought is that - although digital systems are designed to be deterministic - the way a particular digital system works is not exactly a law of nature. System specific glitches may result in spurious behaviors that would undermine our interpretation despite most rigorous experimentation.

All in all, a very interesting and important open research question.  

pavel_gladyshev
Newbie
 
 
  

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Sun Nov 04, 2012 6:31 am

- pavel_gladyshev

Another thought is that - although digital systems are designed to be deterministic - the way a particular digital system works is not exactly a law of nature. System specific glitches may result in spurious behaviors that would undermine our interpretation despite most rigorous experimentation.

Well, luckily enough :D skynet has not (yet) gained self-awareness, and when you dd a 00 from source you normally get a 00 on the target.

A little "lighter" than Karl Popper:
- Ray Bradbury
Anything you dream is fiction, and anything you accomplish is science, the whole history of mankind is nothing but science fiction.


...and of course, beware of the Devil.... :shock:



jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Sun Nov 04, 2012 6:49 am

- pavel_gladyshev
Karl Popper, for example, argued that scientific theories cannot be proved conclusively and can only be falsified through experiments.


It was not my intention to go quite that far. Only that I have an impression that we don't do enough with what we have.

For example, I believe we should be capable of identifying what registry traces can be correlated with, say, USB insertion or removal to a fairly high degree of confidence. We don't need to be able to interpret the traces, or even put them into any kind of sequence, but we should be able to list them.

Of course, I'm not implying that Ms. Fox should have done this -- her thesis deals with a larger area, and is related to synthesis of information, rather than analysis. But the inconsistencies reported in her thesis suggest that the basic science work in this area is not quite where it needs to be -- at least if we hope to go for anything approaching Daubert criteria.

That is a bit irritating.  

athulin
Senior Member
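The kind of listing athulin describes, sketched as an added example that is not part of the thread or of the thesis under discussion: registry snapshots taken around repeated insertion trials and control trials are diffed, and keys are listed by how consistently they change. The key paths are real Windows registry locations, but every snapshot value and trial outcome is constructed, and `changed_keys`, `correlate` and the thresholds are hypothetical names.

```python
from collections import Counter

USBSTOR = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
MOUNTED = r"SYSTEM\MountedDevices"
NOISE = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
KEYS = [USBSTOR, MOUNTED, NOISE]

def changed_keys(before, after):
    """Keys created, deleted, or with a different last-write time."""
    return {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}

def correlate(trials, min_event_rate=0.9, max_control_rate=0.1):
    """List keys that change in nearly every event trial and almost no control trial.

    Returns (key, event_rate, control_rate) tuples; no interpretation or
    sequencing of the traces is attempted, only the listing.
    """
    counts = {True: Counter(), False: Counter()}
    totals = Counter()
    for event, before, after in trials:
        totals[event] += 1
        counts[event].update(changed_keys(before, after))
    if not totals[True] or not totals[False]:
        raise ValueError("need both event trials and control trials")
    listed = []
    for key in sorted(set(counts[True]) | set(counts[False])):
        event_rate = counts[True][key] / totals[True]
        control_rate = counts[False][key] / totals[False]
        if event_rate >= min_event_rate and control_rate <= max_control_rate:
            listed.append((key, event_rate, control_rate))
    return listed

def make_trial(event, changed):
    """Constructed snapshot pair: last-write time 100 before, 200 if changed."""
    before = {k: 100 for k in KEYS}
    after = {k: (200 if k in changed else 100) for k in KEYS}
    return (event, before, after)

# Constructed outcomes, not measurements: four insertion trials, four controls.
TRIALS = [
    make_trial(True, {USBSTOR, MOUNTED, NOISE}),
    make_trial(True, {USBSTOR, MOUNTED}),
    make_trial(True, {USBSTOR}),
    make_trial(True, {USBSTOR, MOUNTED, NOISE}),
    make_trial(False, {NOISE}),
    make_trial(False, set()),
    make_trial(False, {NOISE}),
    make_trial(False, set()),
]

if __name__ == "__main__":
    for key, ev, ctl in correlate(TRIALS):
        print(f"{key}: event {ev:.2f}, control {ctl:.2f}")
```

In the constructed data, the key that changes in only three of four insertion trials drops out at the default threshold, which is the sort of inconsistency that repeated trials expose and a single observation hides.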
 
 
  

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Sun Nov 04, 2012 7:56 am

Hi jaclaz,

Before I specialized in digital forensics, I worked as an embedded systems engineer and have seen some very odd behaviors caused by ICs overheating, but you are right - these are normally rare events. Nevertheless, if we want to claim digital forensics as a science, I believe that we need to understand all sides of it - even those that are rare.

An engineer, an economist, a physicist, and a philosopher are hiking through the hills of Scotland. On the top of a hill they see a black sheep.
"What do you know," the engineer remarks. "The sheep in Scotland are black."
"No, no", protests the economist. "At least one of the sheep in Scotland is black."
The physicist considers this a moment. "That's not quite right. The truth is that there's at least one sheep which is black from one side."
"Well, that's not quite right either," interjects the philosopher. "There appears to be something describable as a 'sheep' that seems to be black from one side..."
--http://www.geocities.ws/russellian_society/jokes.html

:D

Last edited by pavel_gladyshev on Sun Nov 04, 2012 11:52 am; edited 3 times in total

pavel_gladyshev
Newbie
 
 
  

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Sun Nov 04, 2012 8:01 am

Hi Anders,

Totally agree with you on that. We - as a community - can and should do a better job at designing and executing experiments and generally producing better science of it.

pavel_gladyshev
Newbie
 
 
  

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Sun Nov 04, 2012 11:34 am

Hi Anders,

With regard to the apparent inconsistencies that I observed, it goes without saying that the data was always there. I think they just became easier for me to identify by automating the correlation of the data sets and observing them over time.

Jacky  

JackyFox
Member
 
 
  

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Sun Nov 04, 2012 3:14 pm

- pavel_gladyshev

Before I specialized in digital forensics, I worked as an embedded systems engineer and have seen some very odd behaviors caused by ICs overheating, but you are right - these are normally rare events. Nevertheless, if we want to claim digital forensics as a science, I believe that we need to understand all sides of it - even those that are rare.

Sure, the issue is all around the definition of "normally".

- pavel_gladyshev
We - as a community - can and should do a better job at designing and executing experiments and generally producing better science of it.


right :)

JFYI, and OT :shock: :
An academic job is available in a scientific department, besides publications, an interview is held.
First candidate is a mathematician, the commission says, "very good curriculum, lots of interesting publications, we will ask you a simple question, just as a formality: how much is 2+2" to which the mathematician answers quickly: "4".
The commission comments "good answer, though maybe a bit too short, without providing any background theory."
Second candidate is an engineer, the commission says, "very good curriculum, lots of interesting publications, we will ask you a simple question, just as a formality: how much is 2+2" to which the engineer answers quickly: "Well, it should be 4, but it could be a little less than that for extremely low values of 2 or a little bit more for extremely large values of 2, but the average tends to be 4".
The commission comments "good answer, he gave both the canonical answer and an alternate one with a solid background."
Third candidate is a geologist, the commission says, "very good curriculum, lots of interesting publications, we will ask you a simple question, just as a formality: how much is 2+2" to which the geologist quickly looks around him, then in a low voice "How much should I make it result?"
:D

For NO apparent reason ;) :
gailsmcmillan.cmswiki...._Jokes.jpg

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 