The End of Digital Forensics?

38 Posts
22 Users
0 Likes
2,597 Views
Jamie
(@jamie)
Posts: 1288
Moderator
 

The End of Digital Forensics?

by Craig Ball

When Microsoft introduced its Encrypting File System (EFS) in Windows 2000, the Cassandras of computer forensics peppered the listserves with predictions that the days of digital forensics were numbered. Ten years on and hundreds of systems acquired, I’ve yet to handle a case stymied by encryption—and 90% of my acquisitions were corporate machines, many with TPMs and fingerprint readers. Voluntary encryption turned out to be no encryption at all.

The next sky falling threats to forensics were privacy tools and features. “Surely,” our Chicken Littles clucked, “everyone will run free tools that routinely wipe unallocated clusters and securely delete data!” Turns out, they only run the antiforensic tools right before the examiner arrives, and most such tools do a lousy job covering their tracks…

Read more

Please use this thread for discussion of Craig's latest column.

 
Posted : 28/03/2011 2:49 pm
(@miket065)
Posts: 187
Estimable Member
 

I find that through a combination of larger data sets and outdated equipment (due to current budget constraints), I spend a lot more time watching sands through the hour glass.

 
Posted : 28/03/2011 4:23 pm
(@pragmatopian)
Posts: 154
Estimable Member
 

I share Craig's pain at the ever-increasing storage capacity. I'll direct my comments to the end-user devices that we still encounter and physically acquire most frequently; clearly, somewhat different considerations apply to an enterprise's server-based or cloud-based storage.

In absolute terms acquisition speeds are much higher than they were in the 1990s (acquiring to CD-Rs from creaky old PATA disks isn't something I'd wish on my worst enemy!). However, typical transfer speeds have stagnated in the last few years whereas typical capacities have continued to increase substantially. Couple this with the fact that most of that additional capacity is unused and the net result is that acquisitions take more time for little to no appreciable increase in the volume or value of results obtained from the client's perspective.

As CF practitioners we have little influence over the storage devices and transfer interfaces that manufacturers provide, so we've got to do what we can with the stuff that is available. We've also got to accept that, in certain circumstances, full physical acquisitions simply aren't a practical or necessary solution in accomplishing the client's objectives in a case; those who won't provide their clients with alternatives can expect to be sidelined by those who will.

 
Posted : 28/03/2011 5:25 pm
Hwallbanger
(@hwallbanger)
Posts: 32
Eminent Member
 

I understand the points made previously and I agree to their impact, BUT I believe that the coming changes in storage technology from Magnetic Hard drives to Solid State Drives will have more of an immediate impact upon this change and NEED for change. To quote a published article from the JDFSL titled "Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?":

"Digital evidence is increasingly relied upon in computer forensic examinations and legal proceedings in the modern courtroom. … a paradigm shift has taken place in technology storage and complex, transistor-based devices for primary storage are now increasingly common. Most people are aware of the transition from portable magnetic floppy discs to portable USB transistor flash devices, yet the transition from magnetic hard drives to solid-state drives inside modern computers has so far attracted very little attention from the research community.

… potentially reckless to rely on existing evidence collection processes and procedures, and we demonstrate that conventional assumptions about the behaviour of storage media are no longer valid. In particular, we demonstrate that modern storage devices can operate under their own volition in the absence of computer instructions. Such operations are highly destructive of traditionally recoverable data. This can contaminate evidence; can obfuscate and make validation of digital evidence reports difficult; can complicate the process of live and dead analysis recovery; and can complicate and frustrate the post recovery forensic analysis."

Here is the link to this article:

http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf

AND supportive article:

https://www.infosecisland.com/blogview/12375-Solid-State-Disk-Behavior-Underlying-Digital-Forensics.html

I also believe that the research community either is denying or ignoring how these devices work (which this report proves otherwise).

I have been told by a researcher that since these types of devices use similar controller techniques of the magnetic hard drives, that existing tools would work fine with these devices. I have found this report helpful in what my gut was saying NOT True.

I also believe that good evidence tools are just that to the investigator: a tool, and that it is the investigator that makes sense from what he/she finds. It seems that there is pressure to rely on automation more and more due to the volumes that need to be searched.

Well, that is my addition to this discussion.

 
Posted : 28/03/2011 8:56 pm
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

Pricing models for forensic consultants/shops/experts need to change to something that relies less on storage capacity processed to a more results-oriented or flat pricing model.

 
Posted : 29/03/2011 2:26 am
rjpear
(@rjpear)
Posts: 97
Trusted Member
 

I guess we said the same when the Megabyte drives jumped to Gigabyte drives.. The Tools and techniques changed from such things as Parallel Port Acquisitions to SATA writeblocker or dedicated Drive imagers. And the software had gone from Disk Edit and manual recovery to EnCase/FTK et al.

I assume the tool manufacturers will adjust to what the community needs and come up with something to make the job "do able"..

I hope..

 
Posted : 29/03/2011 5:53 pm
(@gkelley)
Posts: 128
Estimable Member
 

Sure, data sizes have increased but so have processing capabilities with faster CPUs and faster hard drives. 64-bit is also becoming more and more popular.

I think that this article, though, is an extension of "the sky is falling" scenario that Craig mentioned at the beginning of the article. The industry continues to work smarter, not longer. Use the power of your examination computer to weed through all of the 0s and present the information that, from your previous experience, is relevant.

 
Posted : 29/03/2011 6:22 pm
(@armresl)
Posts: 1011
Noble Member
 

Two things to add

1) eSATA
2) USB 3

Both are proving to greatly decrease the time in a location.

 
Posted : 29/03/2011 9:18 pm
Hwallbanger
(@hwallbanger)
Posts: 32
Eminent Member
 

It is apparent to me that "rjpear's" and "gkelley's" comments do not take into consideration the presented articles within the above message, and that these supportive articles present a technology shift with the use of Solid State Drives. I am trying to add to the scope of this discussion thread.

You are seeing these drives being used wherever performance within a system is of great concern. They are being used to help speed up Vista and Win 7 systems and also to help with Gaming systems performance. They have been used within Enterprise's SANs, too. We will probably see their usage grow with the advent of Cloud interests due to performance issues also.

rjpear says,

"I guess we said the same when the Megabyte drives jumped to Gigabyte drives."

BUT if you had read the quote from the message and also reviewed the supplied articles, you would see that he is truly guessing and Not commenting on the presented information. Megabyte drives are still using the same Hard Drive Technology. How is this the same as my added information about SSDs with NO Moving Parts and differing internal processes technology? These drives are still NOT into Terabyte sizes, YET. This seems to be what he is NOT talking about.

gkelley's statement,

"that this article, though, is an extension of "the sky is falling" scenario …"

This statement should actually be directed to how this Threaded Discussion started.

I am presenting information on how the underlying technology of the storage technology industry is changing in which the same Forensic tools can NOT reliably be used (as presented in the included article's experimentation).

rjpear says,

"I assume the tool manufacturers will adjust to what the community needs and come up with something to make the job "do able"..

I hope.."

If you read the included articles and then follow these changes you will see that standards will need to be applied to this technology's coming shift. I do not foresee this immediate need happening in the near term.

The issues presented regarding the growth of storage size and inspection time to gather evidence will still be in play, but the largest difference that I see is the changing underlying technology that CF relies upon in investigating for evidence.

I hope that this helps to bring the presented information to the open and not just skipped over and ignored. I thank the readers for their patience in presenting this new research and information.

 
Posted : 29/03/2011 11:20 pm
(@gkelley)
Posts: 128
Estimable Member
 

It is apparent to me that "rjpear's" and "gkelley's" comments do not take into consideration the presented articles within the above message, and that these supportive articles present a technology shift with the use of Solid State Drives. I am trying to add to the scope of this discussion thread.

gkelley's statement,

"that this article, though, is an extension of "the sky is falling" scenario …"

This statement should actually be directed to how this Threaded Discussion started.

I didn't realize that the thread was hijacked into a discussion about solid state drives. I was commenting on Craig Ball's article which is the stated purpose of this thread according to the moderator.

 
Posted : 29/03/2011 11:29 pm