Forensic Focus
Advanced forensics concepts


Advanced forensics concepts

Post Posted: Mon Oct 07, 2013 11:03 am

What do you consider "advanced forensics concepts" within the digital forensics realm?

Why do you think the topic specified advanced?  

jhup
Senior Member

Re: Advanced forensics concepts

Post Posted: Mon Oct 07, 2013 1:32 pm

- jhup
What do you consider "advanced forensics concepts" within the digital forensics realm?

Why do you think the topic specified advanced?


There are a couple of concepts I consider "advanced"...

Timeline construction and analysis - I consider this 'advanced' in part because I don't believe that it's being done correctly. I'm not talking about the format (i.e., log2timeline vs TLN output); it's more about the data that's being included in timelines, and how that data is understood by the analyst. My concern is that when someone asks questions about the timeline they've created, they then cannot answer questions regarding which data sources were included in the timeline.

Understanding data structures - this goes hand-in-hand with timeline construction and analysis; too many times, analysts will run tools, and then make assumptions about what the displayed data means, inferring context...and many times, they're incorrect in that assumption/inference. This is largely due to the fact that they don't clearly understand the nature of the data structure that the tool is parsing, how the structure was populated, what the displayed data means...the context of the data is generally not understood.

I would also suggest that engaging with other analysts to develop and advance/increase individual skills is "advanced", largely because many analysts do not seem to participate in this activity.  

keydet89
Senior Member

Re: Advanced forensics concepts

Post Posted: Tue Oct 08, 2013 7:29 am

Thanks!

Indeed, I have seen timelines presented where the results are pretty, but the source is not understood. Worse is when, combined with your next comment about not understanding data structures, the dates & times are not normalized.

Sort of like a "push button" mentality? Not suggesting that the forensic examiner could not grasp the data structure, but just . . . has become too indolent to gain the knowledge about the structures?

I am not sure how you see your last observation implemented. Are you saying collaboration on cases, or just in general chit-chat, conferences, events, etc?

I think there are legal and security concerns, justified or not, in general discussing technology or methodology sometimes.

Anyone else with any other thoughts as to what are "advanced forensics concepts", or did we relegate our lives to "push button"?  

jhup
Senior Member

Re: Advanced forensics concepts

Post Posted: Tue Oct 08, 2013 4:49 pm

As was said, more than a push button "find all evidence" examination. Advanced topics require the examiner to actually understand the process of data storage and deposition on a piece of media; why is it where it is? Can you parse out a link file or an $I30? What devices were connected to this computer and what did this computer connect to during its life?
Some of the most advanced concepts are really the most interesting to prowl around discovering. Did the user burn a DVD? Was someone copying files from the computer or did they use a mapped drive as storage? Did a third party log in via the 'net or sneak in?  

FlaCop
Newbie
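Putting the two points raised above into code: keydet89's and jhup's concern that every timeline entry should carry the source it came from and have a normalized time, and FlaCop's example of parsing a link file. This is an added example, not code from the thread or from any poster's tools. The fixed ShellLinkHeader layout follows the MS-SHLLINK specification, the output is the five-field pipe-separated TLN layout named in the thread, and the host name, event-log lines and LNK header bytes are constructed for illustration. Note the deliberate failure mode: a timestamp with no zone is refused unless the analyst states which zone that source logged in.

```python
"""Source-tagged, time-normalized timeline in TLN format (time|source|host|user|description).
Added example, not code from the Forensic Focus thread. Sample LNK bytes, host
name and event lines are constructed for illustration."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# ShellLinkHeader constants (MS-SHLLINK section 2.1)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# 100-nanosecond ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch)
FILETIME_UNIX_DIFF = 116_444_736_000_000_000

HOST = "WKS01"                           # constructed host name
EDT = timezone(timedelta(hours=-4))      # zone the constructed event log wrote local times in


def filetime_to_epoch(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> Unix seconds, UTC."""
    if ft == 0:
        raise ValueError("zero FILETIME means 'not set', not 1601-01-01")
    return (ft - FILETIME_UNIX_DIFF) // 10_000_000


def epoch_to_filetime(epoch):
    """Inverse of filetime_to_epoch; used here only to build the sample header."""
    return epoch * 10_000_000 + FILETIME_UNIX_DIFF


def iso_to_epoch(ts, source_tz=None):
    """ISO 8601 string -> Unix seconds. A string with no zone is refused unless the
    caller states the zone the source logged in; guessing is how timelines end
    up with un-normalized times."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        if source_tz is None:
            raise ValueError(f"naive timestamp {ts!r}: source zone must be stated")
        dt = dt.replace(tzinfo=source_tz)
    return int(dt.astimezone(timezone.utc).timestamp())


def parse_lnk_header(data):
    """Parse the fixed 76-byte ShellLinkHeader. The three FILETIMEs are the
    target's creation/access/write times as recorded in the shortcut, not the
    .lnk file's own filesystem timestamps."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("short LNK header")
    hdr_size, clsid_raw, flags, attrs, ctime, atime, wtime, size = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if hdr_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    return {"created": ctime, "accessed": atime, "modified": wtime,
            "target_size": size, "flags": flags, "attrs": attrs}


def build_lnk_header(ctime, atime, wtime, size):
    """Constructed sample header: the first 56 bytes of fields we read, then the
    remaining IconIndex/ShowCommand/HotKey/Reserved fields zeroed."""
    fixed = struct.pack("<I16sIIQQQI", LNK_HEADER_SIZE, LNK_CLSID.bytes_le, 0, 0x20,
                        ctime, atime, wtime, size)
    return fixed + b"\x00" * (LNK_HEADER_SIZE - len(fixed))


def build_timeline(lnk_bytes, evt_lines, evt_tz=None):
    """Return sorted TLN lines; every entry keeps the source it came from."""
    events = []
    hdr = parse_lnk_header(lnk_bytes)
    for field in ("created", "accessed", "modified"):
        events.append((filetime_to_epoch(hdr[field]), "LNK", HOST, "",
                       f"target {field} (target size {hdr['target_size']})"))
    for line in evt_lines:
        ts, user, msg = line.split(" ", 2)   # constructed "timestamp user message"
        events.append((iso_to_epoch(ts, evt_tz), "EVT", HOST, user, msg))
    events.sort(key=lambda e: (e[0], e[1]))  # stable: ties keep insertion order
    return ["|".join(str(f) for f in e) for e in events]


# Constructed inputs: the LNK target was modified at 2013-10-07 11:03:00 UTC and the
# event log, written in EDT, shows a logon at 07:03:00-04:00, i.e. the same instant.
SAMPLE_LNK = build_lnk_header(epoch_to_filetime(1381140000),
                              epoch_to_filetime(1381143780),
                              epoch_to_filetime(1381143780), 4096)
SAMPLE_EVT = [
    "2013-10-07T07:03:00-04:00 alice Logon type 2",
    "2013-10-07T11:05:12Z alice Process started: notepad.exe",
]

if __name__ == "__main__":
    for line in build_timeline(SAMPLE_LNK, SAMPLE_EVT):
        print(line)
```

Once both sources are reduced to UTC epoch seconds the logon and the target write line up on the same second, which is the kind of correlation that is invisible when one source is left in local time. The source column is what lets the analyst answer, later, which artifacts the timeline was built from.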

Re: Advanced forensics concepts

Post Posted: Wed Oct 09, 2013 9:13 am

- jhup
What do you consider "advanced forensics concepts" within the digital forensics realm?


That sounds like a trick question -- whatever's 'advanced' is probably not something that sits comfortably *within* 'the digital forensics realm', but something that straddles the borderline, or even goes beyond it.

'Basic forensic concepts' I would call anything that is ... well, close to 'applied forensics'. I read in source A that artifact B is a timestamp that tells me C. And in my next job, I look for B and claim it demonstrates C. And source X tells me that if I take device Y, root it by following instruction Z, I'll get at those B artifacts. Or a paper that tells me all about Linux printer driver forensics, to take a recent example.

Nothing wrong with it. It's 'bread and butter' forensics. But it doesn't fit the term 'advanced'.

One 'advanced concept' is, I think, to go that extra distance that takes a single observation (or even the absence of one) and gives it legs. What platforms are involved (and what differences there are between them), what timing restrictions, what exceptions, and what actual tests to verify that B => C, even on platforms that were not included in the first test. In the US, this would be what provides an error rate for Daubert standard, as well as the foundation for peer review. This lays the foundation for applied computer forensics, and may possibly even be what justifies the term 'science' to be used in immediate conjunction with the words 'computer' and 'forensic'.

But it's clearly a moving target. 'advanced' is never the current state of the ... general practice (I refuse to say art). It's specialist work. So 'advanced' would also be the exploration of what may become 'basic' next year, the design of the theories, processes and tools that applied forensics may use in the future.

It suddenly strikes me that the recent intelligence collecting mess (the Snowden leaks) would fit very comfortably together with that description.

Why do you think the topic specified advanced?


Perhaps you stumbled on an on-line computer course for 'advanced forensic concepts', found that it would give the student expert knowledge about Windows 8 artifacts, and wondered if there wasn't more to life than that ... :)

Jokes aside, no, I can't think.  

Last edited by athulin on Wed Oct 09, 2013 1:01 pm; edited 1 time in total

athulin
Senior Member

Re: Advanced forensics concepts

Post Posted: Wed Oct 09, 2013 9:53 am

- jhup

Indeed, I have seen timelines presented where the results are pretty, but the source is not understood. Worse, is when combined with your next comment of not understanding data structures the date & times are not normalized.

Sort of like "push button" mentality? Not suggesting that the forensic examiner could not grasp the data structure, but just . . . become indolent to gain the knowledge about the structures?


I tend to believe that analysts *could* grasp data structures, if they desired to do so, or were required to do so. They're really not that hard.

However, I also realize that not everyone needs to have this depth of understanding for what they do. If their job is to gather illicit images, and (as is the case for some LE) once confronted the suspect confesses, the job's done.

- jhup

I am not sure how you see your last observation implemented. Are you saying collaboration on cases, or just in general chit-chat, conferences, events, etc?

I think there are legal and security concerns, justified or not, in general discussing technology or methodology sometimes.


I hear analysts talk about not being able to share information from cases all the time, and whether I believe that their reasons are valid or not is irrelevant...as long as they believe that they are, there won't be any sharing at all.

I also know that when many analysts hear "sharing", they think about things like the pictures, etc. The fact is that like most analysts, I have no interest at all in seeing contraband images.

What I am referring to when I talk about sharing is process. This information can be shared via blogs, conference presentations, etc...even a G+ post. However, most analysts aren't going to share this sort of information...if you look at just those who are on social media and include references to "forensics" and "DFIR" in their profiles, you can clearly see what they're involved in, and that they have little time left (and likely, interest) in writing something up and sharing with their peers. Blog posts with extremely relevant and valuable information (such as those from Corey Harrell) simply get RT'd on Twitter, and there's no discussion on the topics...it's as if they're just accepted, or ignored.

In WFA 2/e, I included an entire chapter of "case studies". This past summer, I posted a number of "HowTo" blog posts, most of which were RT'd but went without comment or discussion. For the few with comments, it's clear that many of the comments are headed off-topic. I'm doing the same thing for WFA 4/e, but I have no illusions about how that will be taken by those who purchase the book.

To be clear, I'm neither lamenting nor complaining about the lack of comments...I'm making an observation regarding the desire of the members of the DFIR community to engage in discussions and exchanges regarding analysis processes. I've openly talked about findings in cases, such as finding malware that 'closed the door behind itself' after infecting a system. In doing so, I never exposed any case details...I don't do that...but I did provide information about the process used to discover this, as well as what the finding meant, so that others can hopefully learn from it and expand on it.  

keydet89
Senior Member

Re: Advanced forensics concepts

Post Posted: Tue Oct 22, 2013 6:45 am

It's too bad that this thread did not continue...such a good start...  

keydet89
Senior Member
Page 1 of 6