future challenges and trends

 keen
(@keen)
Posts: 8
Active Member
Topic starter
 

i was wondering if people here could speak on or direct me to resources that discuss some challenges or trends that face computer forensics. i'm new but am interested in the field. thanks

 
Posted : 30/03/2006 2:25 am
(@gmarshall139)
Posts: 378
Reputable Member
 

One that really stands out is the size of storage media that we are faced with. Not only individual hard drives, but even home users are installing RAIDs now. A 500 gig case is really not unusual. That takes a great deal of time and really taxes the hardware.

 
Posted : 30/03/2006 3:47 am
m7esec
(@m7esec)
Posts: 45
Eminent Member
 

Yes, I agree with Greg, this kind of stuff makes me cringe.

http://ogadget.com/after-magnetic-storage-its-turn-of-holographic-storage-devices-182.html

Hey Greg, new job? Congrats!

 
Posted : 30/03/2006 3:56 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I second what Greg said, and would like to throw in something else…the need for "live" forensics. There are many systems out there that need to be examined but cannot be taken down.

Also, the knowledge level of the investigator is something that needs to be addressed. Gone are the days of DOS, fellas. In addition, the age of "Nintendo" forensics has passed, as well. How many images are examined, and not enough evidence found, simply because the investigator has little knowledge of the Registry, or of the log files on a system? As anyone hanging around this forum has seen, simple text searches don't always work with the Registry…you've got to contend with Unicode, ROT-13, and applications that store ASCII information in binary format (yeah, that's you, Adobe).

Keyword searches are still useful, but useful in the way that a toolbox with just a Phillips head screwdriver in it is "useful". Guys, don't expect EnCase to add "Find all evidence" and "Issue subpoenas" buttons to their GUI.

Just my $0.02…see me if you want change.

Harlan

 
Posted : 30/03/2006 6:09 am
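An added example, not part of Harlan's post or any tool he mentions, of the point he makes about Registry keyword searches: the same term can sit in a hive as plain ASCII, as UTF-16LE (how the Registry stores most string values), or ROT-13 obfuscated (as in the UserAssist key), so a search for the literal ASCII bytes misses most of it. The sample buffer is constructed for the example and is not a real hive; the offsets and the `calc.exe` keyword are assumptions chosen to make the output easy to check.

```python
"""
Added example (not from the original thread): a keyword search that looks
for a term in the forms a Windows Registry hive may hold it in, so that a
plain ASCII search does not silently miss evidence.

Encodings covered:
  * ascii          - plain 8-bit string, what a naive text search finds
  * utf-16le       - how REG_SZ / REG_EXPAND_SZ strings are stored
  * rot13-ascii    - ROT-13 obfuscated names (as in the UserAssist key)
  * rot13-utf-16le - the same obfuscation applied to a UTF-16LE string
The sample buffer below is constructed for the example; it is not a real hive.
"""
from __future__ import annotations

import codecs
import re

ENCODINGS = ("ascii", "utf-16le", "rot13-ascii", "rot13-utf-16le")


def encode_variant(keyword: str, label: str) -> bytes:
    """Byte pattern the keyword takes under one encoding label."""
    text = codecs.encode(keyword, "rot_13") if label.startswith("rot13") else keyword
    return text.encode("utf-16-le" if label.endswith("utf-16le") else "ascii")


def decode_variant(raw: bytes, label: str) -> str:
    """Inverse of encode_variant: the bytes at a hit back to readable text."""
    text = raw.decode("utf-16-le" if label.endswith("utf-16le") else "ascii")
    return codecs.encode(text, "rot_13") if label.startswith("rot13") else text


def naive_search(data: bytes, keyword: str) -> list[int]:
    """What a plain, case-sensitive ASCII keyword search sees."""
    pat = re.escape(keyword.encode("ascii"))
    return [m.start() for m in re.finditer(pat, data)]


def multi_encoding_search(data: bytes, keyword: str) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, recovered_text) for every hit in any encoding.

    re.IGNORECASE on a bytes pattern folds only ASCII letters, which is what
    we want here: the 0x00 high bytes of UTF-16LE are left untouched.
    """
    hits = []
    for label in ENCODINGS:
        pat = re.escape(encode_variant(keyword, label))
        for m in re.finditer(pat, data, re.IGNORECASE):
            hits.append((m.start(), label, decode_variant(m.group(0), label)))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed buffer mimicking fragments of a hive; offsets are fixed."""
    return (
        b"\x00" * 8                              # 0..7   padding
        + "calc.exe".encode("utf-16-le")         # 8..23  REG_SZ style value
        + b"\x00" * 8                            # 24..31
        + b"pnyp.rkr"                            # 32..39 ROT-13 of calc.exe, ASCII
        + b"\x00" * 8                            # 40..47
        + "Pnyp.rkr".encode("utf-16-le")         # 48..63 ROT-13, UTF-16LE, mixed case
        + b"\x00" * 8                            # 64..71
        + b"notepad.exe"                         # 72..82 decoy, must not match
        + b"\x00" * 8                            # 83..90
        + b"CALC.EXE"                            # 91..98 plain ASCII, upper case
    )


if __name__ == "__main__":
    data = build_sample()
    print("naive ASCII search:", naive_search(data, "calc.exe"))
    for off, label, text in multi_encoding_search(data, "calc.exe"):
        print(f"0x{off:04x} {label:15s} {text}")
```

Running it against the constructed buffer, the naive search finds nothing (the only plain ASCII copy is upper case), while the multi-encoding search reports four hits at offsets 8, 32, 48 and 91, each decoded back to `calc.exe`. The same approach extends to any raw artefact, not just hives; what it does not cover is the "ASCII stored in binary" case Harlan mentions, which needs knowledge of the particular application's value format.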
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

Some of my thoughts.

* Native whole disk encryption, 3rd party whole disk encryption.
* Thin client computing.
* Use of virtual machines.
* Anti-forensics tools.
http://www.metasploit.com/projects/antiforensics/
http://www.cyberforensics.purdue.edu/docs/Lockheed.ppt

 
Posted : 30/03/2006 7:16 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Did you happen to read the PPT?

From the third slide:
"The volatility of DE and the reliance on tools makes cyber forensics very vulnerable to AF"

I do agree that anti-forensics tools are an issue, but

Also, whole disk encryption can be addressed with live acquisition. The producer of ProDiscover found this out…he acquired a system that had PGP Disk running.

Harlan

 
Posted : 30/03/2006 8:05 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'd like to add "Physical memory analysis" to the list…

Harlan

 
Posted : 30/03/2006 5:42 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

Harlan, thank you for pointing out the ProDiscover tip. I was not aware of it.

 
Posted : 30/03/2006 7:22 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

arashiryu…

It's not so much a ProDiscover tip, as it is a "need for live acquisition" tip. ProDiscover has a proprietary means of acquiring an image, but can use dd format, as well.

 
Posted : 31/03/2006 1:32 am
(@ifindstuffucantfind)
Posts: 3
New Member
 

I feel that a challenge for the industry is, first, the ever growing complexity of operating systems, and of the devices that are used to interact with the system.

Many registry keys contain evidence that can tell you who was sitting at that machine when the illegal act happened, which is what everyone wants to know.

Second, standardization in the industry, both in certifications and tools, is a real issue. There are more certifications for computer forensics than I care to count, and what makes one so much better than the other?

Also tool use and validation. As we all know, one tool doesn't do everything, and each tool may interpret data differently. Especially in a court setting, when you are trying to explain things and you say, "well, EnCase found this…" uhh, ok, how the hell did EnCase get that data? Tools aren't perfect. The FBI knows this, as they have quality assurance teams that certify their tools before they are even allowed to use them, and that process can take up to a year just to certify a single tool.

I don't know how other people feel on these issues, but I think those are a few challenges we face as a community in the future.

 
Posted : 31/03/2006 2:33 am