Advanced forensics concepts

jhup
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

What do you consider "advanced forensics concepts" within the digital forensics realm?

Why do you think the topic specified advanced?

 
Posted : 07/10/2013 10:03 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What do you consider "advanced forensics concepts" within the digital forensics realm?

Why do you think the topic specified advanced?

There are a couple of concepts I consider "advanced"…

Timeline construction and analysis - I consider this 'advanced' in part because I don't believe that it's being done correctly. I'm not talking about the format (i.e., log2timeline vs TLN output); it's more about the data that's being included in timelines, and how that data is understood by the analyst. My concern is that when someone asks questions about the timeline they've created, they then cannot answer questions regarding which data sources were included in the timeline.

Understanding data structures - this goes hand-in-hand with timeline construction and analysis; too many times, analysts will run tools, and then make assumptions about what the displayed data means, inferring context…and many times, they're incorrect in that assumption/inference. This is largely due to the fact that they don't clearly understand the nature of the data structure that the tool is parsing, how the structure was populated, what the displayed data means…the context of the data is generally not understood.

I would also suggest that engaging with other analysts to develop and advance/increase individual skills is "advanced", largely because many analysts do not seem to participate in this activity.

 
Posted : 08/10/2013 12:32 am
jhup
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

Thanks!

Indeed, I have seen timelines presented where the results are pretty, but the source is not understood. Worse is when, combined with your next comment about not understanding data structures, the dates & times are not normalized.

Sort of like "push button" mentality? Not suggesting that the forensic examiner could not grasp the data structure, but just . . . become indolent to gain the knowledge about the structures?

I am not sure how you see your last observation implemented. Are you saying collaboration on cases, or just in general chit-chat, conferences, events, etc?

I think there are legal and security concerns, justified or not, in general discussing technology or methodology sometimes.

Anyone else with any other thoughts as to what are "advanced forensics concepts", or did we relegate our lives to "push button"?

 
Posted : 08/10/2013 6:29 pm
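The two posts above turn on the same two requirements: every timeline row should record which artefact it came from, and every timestamp has to be normalized to one reference (UTC here) before rows from different sources are compared. The following is an added example, not code from the thread or from any of its posters, that does both for a few constructed events. The encodings it assumes are labelled in the code: a FILETIME from an $MFT $STANDARD_INFORMATION attribute, a Unix epoch from a Linux auth log, and a naive local-time string from an application log whose zone is taken from the system configuration (assumed to be America/New_York). The hosts, users, paths and values are all made up.

```python
"""Build a source-tagged, UTC-normalized timeline from mixed artefacts.

Added example, not code from the thread. All events are constructed sample
data. Assumed timestamp encodings: $MFT carries FILETIME (100 ns ticks since
1601-01-01 UTC); a Linux auth log carries a Unix epoch; a third-party
application log carries a naive local-time string in the system's configured
zone, assumed here to be America/New_York.
"""
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    SYSTEM_TZ = ZoneInfo("America/New_York")
except Exception:  # no tzdata on this host: hard-code EDT (UTC-4), valid for Oct 2013
    SYSTEM_TZ = timezone(timedelta(hours=-4), "EDT")

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME is already UTC; only the epoch and the unit differ."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def unix_to_utc(ts: float) -> datetime:
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def local_string_to_utc(s: str, tz=SYSTEM_TZ, fmt="%Y-%m-%d %H:%M:%S") -> datetime:
    """A naive local string means nothing until a zone is attached to it."""
    return datetime.strptime(s, fmt).replace(tzinfo=tz).astimezone(timezone.utc)


# Constructed sample events; 'source' records which artefact each row came from.
SAMPLE_EVENTS = [
    {"source": "MFT:$SI:M", "kind": "filetime", "value": 130256569800000000,
     "host": "WS01", "user": "-", "desc": "C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"source": "AppLog", "kind": "local", "value": "2013-10-07 18:03:00",
     "host": "WS01", "user": "alice", "desc": "Updater.exe started"},
    {"source": "auth.log", "kind": "unix", "value": 1381183500,
     "host": "bastion", "user": "alice", "desc": "sshd: Accepted publickey"},
]

CONVERTERS = {
    "filetime": filetime_to_utc,
    "unix": unix_to_utc,
    "local": local_string_to_utc,
}


def build_timeline(events):
    """Return TLN-style rows (epoch, source, host, user, description), sorted by time."""
    rows = []
    for ev in events:
        conv = CONVERTERS.get(ev["kind"])
        if conv is None:
            # Refuse to guess: an unknown encoding must not land on the timeline.
            raise ValueError(f"unknown timestamp kind {ev['kind']!r} in {ev['source']}")
        when = conv(ev["value"])
        rows.append((int(when.timestamp()), ev["source"], ev["host"], ev["user"], ev["desc"]))
    rows.sort()
    return rows


def format_tln(rows):
    """Pipe-delimited TLN text: time|source|host|user|description."""
    return ["|".join(str(f) for f in row) for row in rows]


def naive_utc_skew(local_string: str) -> timedelta:
    """How far a row lands from its true place if a local string is read as UTC."""
    wrong = local_string_to_utc(local_string, timezone.utc)
    right = local_string_to_utc(local_string)
    return right - wrong


if __name__ == "__main__":
    for line in format_tln(build_timeline(SAMPLE_EVENTS)):
        print(line)
    print("skew if AppLog were read as UTC:", naive_utc_skew("2013-10-07 18:03:00"))
```

With the sample data the $MFT row and the application-log row resolve to the same second once the local string is given its zone; read as UTC instead, the application-log row would land four hours early and the two events would no longer appear related. The source tag on each row is what lets an analyst answer "where did this entry come from?" later.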
(@flacop)
Posts: 2
New Member
 

As was said, more than a push button "find all evidence" examination. Advanced topics require the examiner to actually understand the process of data storage and deposition on a piece of media; why is it where it is? Can you parse out a link file or an $I30? What devices were connected to this computer and what did this computer connect to during its life.
Some of the most advanced concepts are really the most interesting to prowl around discovering. Did the user burn a DVD? Was someone copying files from the computer or did they use a mapped drive as storage? Did a third party log in via the 'net or sneak in?

 
Posted : 09/10/2013 3:49 am
(@athulin)
Posts: 1156
Noble Member
 

What do you consider "advanced forensics concepts" within the digital forensics realm?

That sounds like a trick question – whatever's 'advanced' is probably not something that sits comfortably *within* 'the digital forensics realm', but something that straddles the borderline, or even goes beyond it.

'Basic forensic concepts' I would call anything that is … well, close to 'applied forensics'. I read in source A that artifact B is a timestamp that tells me C. And in my next job, I look for B and claim it demonstrates C. And source X tells me that if I take device Y, root it by following instruction Z, I'll get at those B artifacts. Or a paper that tells me all about Linux printer driver forensics, to take a recent example.

Nothing wrong with it. It's 'bread and butter' forensics. But it doesn't fit the term 'advanced'.

One 'advanced concept' is, I think, to go that extra distance that takes a single observation (or even the absence of one) and gives it legs. What platforms are involved (and what differences there are between them), what timing restrictions, what exceptions, and what actual tests to verify that B => C, even on platforms that were not included in the first test. In the US, this would be what provides an error rate for Daubert standard, as well as the foundation for peer review. This lays the foundation for applied computer forensics, and may possibly even be what justifies the term 'science' to be used in immediate conjunction with the words 'computer' and 'forensic'.

But it's clearly a moving target. 'advanced' is never the current state of the … general practice (I refuse to say art). It's specialist work. So 'advanced' would also be the exploration of what may become 'basic' next year, the design of the theories, processes and tools that applied forensics may use in the future.

It suddenly strikes me that the recent intelligence collecting mess (the Snowden leaks) would fit very comfortably together with that description.

Why do you think the topic specified advanced?

Perhaps you stumbled on an on-line computer course for 'advanced forensic concepts', found that it would give the student expert knowledge about Windows 8 artifacts, and wondered if there wasn't more to life than that … -)

Jokes aside, no, I can't think.

 
Posted : 09/10/2013 8:13 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Indeed, I have seen timelines presented where the results are pretty, but the source is not understood. Worse, is when combined with your next comment of not understanding data structures the date & times are not normalized.

Sort of like "push button" mentality? Not suggesting that the forensic examiner could not grasp the data structure, but just . . . become indolent to gain the knowledge about the structures?

I tend to believe that analysts *could* grasp data structures, if they desired to do so, or were required to do so. They're really not that hard.

However, I also realize that not everyone needs to have this depth of understanding for what they do. If their job is to gather illicit images, and (as is the case for some LE) once confronted the suspect confesses, the job's done.

I am not sure how you see your last observation implemented. Are you saying collaboration on cases, or just in general chit-chat, conferences, events, etc?

I think there are legal and security concerns, justified or not, in general discussing technology or methodology sometimes.

I hear analysts talk about not being able to share information from cases all the time, and whether I believe that their reasons are valid or not is irrelevant…as long as they believe that they are, there won't be any sharing at all.

I also know that when many analysts hear "sharing", they think about things like the pictures, etc. The fact is that like most analysts, I have no interest at all in seeing contraband images.

What I am referring to when I talk about sharing is process. This information can be shared via blogs, conference presentations, etc…even a G+ post. However, most analysts aren't going to share this sort of information…if you look at just those who are on social media and include references to "forensics" and "DFIR" in their profiles, you can clearly see what they're involved in, and that they have little time left (and likely, interest) in writing something up and sharing with their peers. Blog posts with extremely relevant and valuable information (such as those from Corey Harrell) simply get RT'd on Twitter, and there's no discussion on the topics…it's as if they're just accepted, or ignored.

In WFA 2/e, I included an entire chapter of "case studies". This past summer, I posted a number of "HowTo" blog posts, most of which were RT'd but went without comment or discussion. For the few with comments, it's clear that many of the comments are headed off-topic. I'm doing the same thing for WFA 4/e, but I have no illusions about how that will be taken by those who purchase the book.

To be clear, I'm neither lamenting nor complaining about the lack of comments…I'm making an observation regarding the desire of the members of the DFIR community to engage in discussions and exchanges regarding analysis processes. I've openly talked about findings in cases, such as finding malware that 'closed the door behind itself' after infecting a system. In doing so, I never exposed any case details…I don't do that…but I did provide information about the process used to discover this, as well as what the finding meant, so that others can hopefully learn from it and expand on it.

 
Posted : 09/10/2013 8:53 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

It's too bad that this thread did not continue…such a good start…

 
Posted : 22/10/2013 5:45 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

I'd agree with timeline analysis being advanced, not least because there are so many different sources to examine, which are coded differently and there are time zones to consider.

Something I recently had to do was establish the likelihood one thing happened rather than another in relation to some digital data on an item. The work was for a murder case which went through the UK courts earlier this year. This related to a number of deleted pictures found on a memory card which was found in a separate search from the camera. The suspect eventually pleaded guilty to this charge mid trial.

In essence there were deleted but recoverable pictures, deleted and partially or completely overwritten pictures and recoverable video frames on a memory card that had been used in a number of different devices, (amongst other artefacts).

The prosecution needed to determine the events surrounding the use of that card in the last few days before the murder and up to and including (probably) seconds before the murder took place.

There was a time analysis component because the camera did not show the correct date at the time of seizure and pictures might have been copied onto the memory card, some 'taken' onto the memory card, some downloaded onto the card using a phone etc, etc.

The other aspects of the analysis required me to examine how different devices were using the file system and why certain files were recoverable and others not.

I think something like this is advanced forensics because you are required to create test sets using, (possibly), the devices seized (following their analysis) and/or identical model devices and with identical make/model memory cards.

With these test sets part of the advanced bit is conceiving the types and extents of tests you will need to conduct in order to comfortably give an opinion. Or where to draw the line on very lengthy work which will not yield adequate results, even when the entire investigation team is (metaphorically) standing by your desk motionless and silent, waiting for you to speak.

Obviously you don't normally go to such extremes for even a murder case but in this instance the contents of that memory card were absolutely central to the whole case.

Hopefully I've kept the thread going after the 'plea' from Keydet89.

This is a good thread and there are lots of things we could include in this thread. From a training point of view I would be interested in what other people are examining.

Steve

 
Posted : 23/10/2013 6:51 pm
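Steve's memory-card work involves two of the things he describes: reading timestamps the way the writing device actually stored them, and correcting for a camera clock that was wrong at seizure. The following is an added example, not Steve's code or anything from the case. It assumes the card is FAT-formatted (FAT directory entries store local time with no zone field and a 2-second write-time resolution), that the camera's clock error was constant between the time the file was written and the time of seizure (exactly the kind of assumption his test sets exist to check), and that the offset is measured by comparing the camera's displayed clock against a trusted reference at seizure. The 32-byte directory entry, the seizure times and the file name are constructed for illustration.

```python
"""Decode FAT directory-entry timestamps from a memory card and correct
them for a camera whose clock was wrong at seizure.

Added example; not code from the thread. The directory entry below is
constructed, not taken from a real card. Assumptions (not stated in the
thread): the card is FAT-formatted, the writing device stored local time
(FAT has no time zone field and 2-second resolution for the write time),
and the camera's clock error was constant between the write and seizure.
"""
import struct
from datetime import date, datetime, timedelta


def fat_date(word: int) -> tuple:
    """FAT date word: bits 15-9 year since 1980, 8-5 month, 4-0 day."""
    return 1980 + ((word >> 9) & 0x7F), (word >> 5) & 0x0F, word & 0x1F


def fat_time(word: int, tenths: int = 0) -> tuple:
    """FAT time word: bits 15-11 hour, 10-5 minute, 4-0 seconds/2.

    'tenths' is the optional creation-time refinement in 10 ms units (0-199);
    the write time has no such field, so it is only ever known to 2 seconds.
    """
    if not 0 <= tenths <= 199:
        raise ValueError("FAT tenths field must be 0-199")
    hour = (word >> 11) & 0x1F
    minute = (word >> 5) & 0x3F
    second = (word & 0x1F) * 2 + tenths // 100
    millis = (tenths % 100) * 10
    return hour, minute, second, millis


def fat_to_datetime(date_word: int, time_word: int, tenths: int = 0) -> datetime:
    y, mo, d = fat_date(date_word)
    h, mi, s, ms = fat_time(time_word, tenths)
    return datetime(y, mo, d, h, mi, s, ms * 1000)


def parse_dir_entry_times(entry: bytes) -> dict:
    """Created/accessed/written times from a 32-byte FAT 8.3 directory entry."""
    if len(entry) != 32:
        raise ValueError("FAT 8.3 directory entries are 32 bytes")
    ctenths = entry[13]
    ctime, cdate, adate = struct.unpack_from("<HHH", entry, 14)
    wtime, wdate = struct.unpack_from("<HH", entry, 22)
    return {
        "created": fat_to_datetime(cdate, ctime, ctenths),
        "accessed": date(*fat_date(adate)),   # FAT keeps a date only for access
        "written": fat_to_datetime(wdate, wtime),
    }


# Constructed 8.3 entry for DSC_0042.JPG, as a camera might write it.
SAMPLE_ENTRY = struct.pack(
    "<11sBBBHHHHHHHI",
    b"DSC_0042JPG",  # 8.3 name, no dot
    0x20,            # attributes: archive
    0,               # NT reserved
    50,              # creation time refinement: 50 x 10 ms
    0x73C5,          # creation time 14:30:10 (camera local time)
    0x426D,          # creation date 2013-03-13
    0x426D,          # last access date
    0,               # first cluster, high word
    0x73C5,          # last write time 14:30:10
    0x426D,          # last write date 2013-03-13
    0x0005,          # first cluster, low word
    2_481_152,       # file size in bytes
)

# Constructed seizure observation: what the camera displayed vs. a trusted clock.
SEIZURE_CAMERA_CLOCK = datetime(2013, 3, 15, 9, 17, 0)
SEIZURE_TRUE_TIME = datetime(2013, 3, 15, 8, 12, 0)


def clock_offset(device_shown: datetime, true_time: datetime) -> timedelta:
    """How far ahead (+) or behind (-) the device clock was at seizure."""
    return device_shown - true_time


def correct(ts: datetime, offset: timedelta) -> datetime:
    """Move a device-written timestamp onto the true clock (constant-offset assumption)."""
    return ts - offset


def corrected_card_times(entry: bytes = SAMPLE_ENTRY) -> dict:
    off = clock_offset(SEIZURE_CAMERA_CLOCK, SEIZURE_TRUE_TIME)
    # A date-only field cannot be shifted by a sub-day offset without inventing precision.
    return {k: (correct(v, off) if isinstance(v, datetime) else v)
            for k, v in parse_dir_entry_times(entry).items()}


if __name__ == "__main__":
    print("as written :", parse_dir_entry_times(SAMPLE_ENTRY))
    print("offset     :", clock_offset(SEIZURE_CAMERA_CLOCK, SEIZURE_TRUE_TIME))
    print("corrected  :", corrected_card_times())
```

Two things the code makes explicit that a tool's display usually does not: the write time on FAT is only known to two seconds, and the date-only access field cannot honestly be shifted by a one-hour-and-five-minute clock error, so it is left alone. If the card was also written by a phone or a PC, each of those devices has its own clock and its own zone, and the offset measured from the camera does not apply to their entries.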
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

I have another perspective on what can be considered advanced. Technically, the actual analysis/forensics is basic, even when it is difficult. From the easy methods, such as recovery of deleted files, to the more difficult reverse engineering of malware, these are still basic (technical) forensics.

The advanced is giving meaning to the data in a manner that paints a picture of what happened on the storage device. It is not enough to say "the evidence is there, see for yourself". It takes critical thinking to interpret and not only describe the evidence, but also convey what the evidence means by itself and in relation to other evidence (both in and out of the analysis).

I can compare it with painting in that technically, a stroke of a brush can be perfected, but it takes an artistic mindset and skill to paint a picture that tells a story or stirs an emotion. That's the closest analogy I can give, in that being a 'Picasso of forensics' is an advanced skill and trait compared with being an 'assembly line worker of forensics'.

One point on CP cases that I have always disliked (among the obvious), is when a case is shortsighted with an admission or confession. I have been told by one examiner, "I just triage the hard drive and file the case when I find CP. So far, I have a 100% confession rate. Case closed."

The problem I've had with this type of analysis is that although that ONE case is solved, it is incomplete. Doing just a little more work with just a little more time might result in finding a victim that has not been identified. One clear example is the pedo suspect downloading CP who also happens to have illicit photos of the little kid down the street (more charges) and identifying a victim. Or maybe the source of CP might be identified (another case and charges). Or maybe the confession is tossed in trial and the entire case is at risk of being lost because no actual analysis was done. But I digress….

 
Posted : 23/10/2013 10:26 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

bshavers,

I have to agree with you…something that's difficult doesn't necessarily make it advanced.

Though I have never done a full CP exam…I've been involved in such exams to the point where I've been given specific data and asked to answer specific questions…I can see your point about victim identification.

Another issue I see with this is a lack of understanding of data structures, particularly due to the fact that popular training courses push tools that miss certain data structures that can mean the difference between CP possession and production.

 
Posted : 23/10/2013 10:36 pm
Page 1 / 4