Advanced forensics concepts

  

Chris_Ed
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 25, 13 12:52

Some of the posts in this thread seem to conflate "advanced forensics" with "full analysis". Is it more "advanced" to examine more data? Is the pinnacle of digital forensic examination therefore to review every byte of data in binary? :)

I can't really share what I think "advanced" concepts are as they are normally just things I don't currently know. So some things I might regard as "advanced" could in reality be fairly simple, it's just that I haven't learned about them yet (or they could really be advanced!).  
 
  

moha19
Newbie
 

Re: Advanced forensics concepts

Post Posted: Oct 26, 13 10:37

Why are you angry? :arrow:
 
  

jhup
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 29, 13 00:31

What do you consider "advanced forensics concepts" within the digital forensics realm?
(emphasis added)

I am aware that we will not come up with a perfect paragraph which will describe what is and is not considered "advanced forensics concepts". On the other hand we can come up with general principles that can help us identify as such.

I search for the framework for instructional purposes. I believe I have narrowed the construct down to a reasonable definition from input here, and elsewhere.

Critical thinking.

We consider "advanced forensics concepts" to be technical knowledge which is not readily available and requires validation and experimentation. “Advanced forensics” requires critical thinking to interpret, describe and convey relevance and meaning by itself and in relation to other evidence.

I do not believe there is a need to segregate "digital forensic science" into "digital" and "forensic science". In the same fashion, do we need to segregate "forensic" and "science"?

I did not expect to find a sharp delineation, but the result does give, at least to me, sufficiently defined selection criteria.

Is the activity
  1. not readily available technical knowledge, and
  2. needs experimentation & validation, and
  3. requires critical thinking to interpret results, and
  4. demands higher understanding to
    1. be described, and
    2. conveyed, and
    3. shown relevance, and
    4. meaning by
      1. itself, and
      2. as it relates to other evidence?

I am sure we can quibble on further nuances, but I believe a topic that fits the above description would be described as an "advanced forensics concept" by most forensic scientists or investigators.

I will concede that what is today's advanced forensics concept may be run-of-the-mill tool monkey material of the near future.

- joachimm
my 2 cents.

jhup, what's the goal of your original question? With your latest replies I get the idea you're heading into a maze of KM (http://en.wikipedia.org/wiki/Knowledge_management) with no other purpose than to define things just for the purpose of creating more definitions.

en.wikipedia.org/wiki/...ic_science
"Forensic science (often known as forensics) is the scientific method of gathering and examining evidence."

Since you're talking about "digital forensics" this implies at least 2 fields of knowledge, namely digital (which one could define as computer science) and forensic science.

IMO the keywords here are:
* scientific methodology
* gathering evidence
* examining evidence

If you want to talk about advanced concepts in one of these areas, talk about them individually, but you're wasting your time trying to come up with all-encompassing definitions.
 
 
  

jhup
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 29, 13 00:36

I do not believe quantity of data comes into play - be it GB analyzed or bit-fiddling.

I think we did rabbit-hole into the issue of limited, or incomplete analysis - but I do not read anyone suggesting that analysis of 100TB is more advanced than analyzing 100GB, or that binary arithmetic is required for something to be advanced.

Come to think of it, the description could fit most forensic science, not just digital forensics.

- Chris_Ed
Some of the posts in this thread seem to conflate "advanced forensics" with "full analysis". Is it more "advanced" to examine more data? Is the pinnacle of digital forensic examination therefore to review every byte of data in binary? :)

I can't really share what I think "advanced" concepts are as they are normally just things I don't currently know. So some things I might regard as "advanced" could in reality be fairly simple, it's just that I haven't learned about them yet (or they could really be advanced!).
 
 
  

pbobby
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 29, 13 05:52

I have shared with my peers at work that advanced forensics in our incident response and corporate investigations responsibilities involves any scenario that requires subjective analysis.

For example, a triage of employee activity for the past 30 days. Using all of the available evidence, artifacts, indicators, 'stuff', you create a palette of pigment from which to paint a picture of employee patterns (how about that for alliterative forensic prose).

The indicators or artifacts may be the same from employee to employee - but the story they tell can be vastly different. This work product is highly subjective, certainly; however, in my opinion, this capability represents advanced level thinking in the digital forensics world. This is macro level forensics.
_________________
Don't get baited. 
 
  

joachimm
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 29, 13 12:04

- jhup
I do not believe there is a need to segregate "digital forensic science" into "digital" and "forensic science". In the same fashion, do we need to segregate "forensic" and "science"?


I wouldn't see it as a segregation, more as a separate facet to it. The "digital" makes digital forensics different from e.g. medical forensics.

- jhup
We consider "advanced forensics concepts" to be technical knowledge which is not readily available and requires validation and experimentation. “Advanced forensics” requires critical thinking to interpret, describe and convey relevance and meaning by itself and in relation to other evidence.


On the whole I agree with your aspects of what forensic concepts should be, but I opt to drop the word advanced from that point of view. The whole idea of forensic science is to open up this knowledge and be able to represent it for the public (the forum). From: en.wikipedia.org/wiki/...ic_science
The word forensic comes from the Latin forēnsis, meaning "of or before the forum."

- jhup
We consider "advanced forensics concepts" to be technical knowledge which is not readily available and requires validation and experimentation. “Advanced forensics” requires critical thinking to interpret, describe and convey relevance and meaning by itself and in relation to other evidence.


IMO anyone not doing this is not doing digital forensics in the first place.

- jhup
Is the activity ...


I still do not understand what's advanced about this process. To my understanding the process (or a rough equivalent) you're describing has been around since the Greek/Roman period (maybe even before). A mindset I often use in cases is the 5-Ws (http://en.wikipedia.org/wiki/5_Ws). These have been around for quite a while.

IMO "advanced digital forensics" is just a buzzword. If you want to talk about the aspects of the forensic process as you outline in "Is the activity ..." I opt to talk about those.

* How do you stimulate critical thinking?
* What would you propose as guidelines or criteria for interpreting results?
* What "experimentation & validation" do you use? Or should we be more open about this?
* How do you determine relevance of a fact (regarding the evidence)?

* What do you mean by not readily available technical knowledge?
I e.g. have documented several file formats over the years and written comparing parser implementation. This information is "readily available technical knowledge". And I still find people don't understand more about the data out there. E.g. from time to time I see a similar post "my tool does not read this PST file" to find out that their PST file was filled with 0-byte values.

To me this shows a lack of basic understanding of what a file format is, nothing advanced I would say.

- Chris_Ed
Is the pinnacle of digital forensic examination therefore to review every byte of data in binary?

Only the relevant ones (and zeros), but also data that is not there can be an interesting fact ;)
 
  

jhup
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 29, 13 18:19

Let me approach it slightly differently.

We need to classify learning material, within digital forensic science.

Either we abandon the "advanced" and try to shove the whole elephant down the students' throat or we group the material into manageable bytes.

If there is no "expert", then why should there be "intermediate"? If there is no intermediate, then why not everyone be a forensics expert? But, we know this is not true. We classify people as experts; individuals with more knowledge than laymen on a subject. They are aware of and understand "advanced concepts" laymen do not.

We could classify knowledge in various ways, but much of forensics builds on previously learned information.

It would mean nothing to a novice to talk about various nuances of data correlation from over-provisioning areas in pages of blocks, when they do not understand the basics of computers.

Put it another way - is it necessary for someone to understand basic addition, subtraction and multiplication first, before tackling ax^2 + bx + c = 0?

We can teach someone to regurgitate advanced material without foundational understanding.

IMO anyone not doing this is not doing digital forensics in the first place


Do you consider imaging a hard drive properly "digital forensics"? Such process does not fulfill the "advanced forensics" description we noted.

I still do not understand what's advanced about this process. To my understanding the process (or a rough equivalent) you're describing has been around since the Greek/Roman period (maybe even before). A mindset I often use in cases is the 5-Ws (http://en.wikipedia.org/wiki/5_Ws). These have been around for quite a while.


I am not trying to come up with an earth-shattering new concept. What I am seeking is to get a general feel as to what one considers "advanced forensics concepts" in the industry.

It appears that you consider none as such. There are often outliers in most studies :mrgreen:

I disagree. I believe there are forensics investigators that have the knowledge in basic concepts, intermediate concepts, and advanced concepts.

This is how I sort of see it:

drive.google.com/file/...sp=sharing

We all start in the center (black area), with little knowledge.

We expand our understanding further in various directions toward advanced concepts (words at outside edge of circle).

On the way to the edge of the circle, we learn various other concepts (yellow ovals), some are larger, some are smaller, some are overlapping.

As time goes on, most of us become advanced in specific sub-areas of our field.

No one is an expert, and advanced in all areas of digital forensics.

Hope this bolsters my point.  
 

Page 3 of 6