Advanced forensics concepts


steve862
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 23, 13 18:51

Hi,

I'd agree with timeline analysis being advanced, not least because there are so many different sources to examine, which are coded differently and there are time zones to consider.

Something I recently had to do was establish the likelihood one thing happened rather than another in relation to some digital data on an item. The work was for a murder case which went through the UK courts earlier this year. This related to a number of deleted pictures found on a memory card which was found in a separate search from the camera. The suspect eventually pleaded guilty to this charge mid trial.

In essence there were deleted but recoverable pictures, deleted and partially or completely overwritten pictures and recoverable video frames on a memory card that had been used in a number of different devices, (amongst other artefacts).

The prosecution needed to determine the events surrounding the use of that card in the last few days before the murder and up to and including (probably) seconds before the murder took place.

There was a time analysis component because the camera did not show the correct date at the time of seizure and pictures might have been copied onto the memory card, some 'taken' onto the memory card, some downloaded onto the card using a phone etc, etc.

The other aspects of the analysis required me to examine how different devices were using the file system and why certain files were recoverable and others not.

I think something like this is advanced forensics because you are required to create test sets using, (possibly), the devices seized (following their analysis) and/or identical model devices and with identical make/model memory cards.

With these test sets part of the advanced bit is conceiving the types and extents of tests you will need to conduct in order to comfortably give an opinion. Or where to draw the line on very lengthy work which will not yield adequate results, even when the entire investigation team is (metaphorically) standing by your desk motionless and silent, waiting for you to speak.

Obviously you don't normally go to such extremes for even a murder case but in this instance the contents of that memory card were absolutely central to the whole case.

Hopefully I've kept the thread going after the 'plea' from Keydet89.

This is a good thread and there are lots of things we could include in this thread. From a training point of view I would be interested in what other people are examining.

Steve
_________________
Forensic Computer Examiner, London, UK 
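Steve's point about sources that are "coded differently" plus time zones and a camera whose clock was wrong: an added example, not from the thread or the case, showing how an examiner normalises four differently encoded timestamps (EXIF local time with a measured clock skew, FAT32 packed local time, an NTFS FILETIME and a Unix epoch) onto one UTC timeline. The skew, the BST zone and all sample values are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed illustrative values, not evidence from any real case.
# Assumption: at seizure the camera clock read 3 days 2 hours slow,
# so true local time = displayed time + CAMERA_CLOCK_OFFSET.
CAMERA_CLOCK_OFFSET = timedelta(days=3, hours=2)
BST = timezone(timedelta(hours=1))  # assumed local zone of camera and FAT32 writer
UTC = timezone.utc

def exif_to_utc(stamp: str, local_tz: timezone, skew: timedelta) -> datetime:
    """EXIF DateTimeOriginal is naive local time; apply clock skew, then attach the zone."""
    local = datetime.strptime(stamp, "%Y:%m:%d %H:%M:%S") + skew
    return local.replace(tzinfo=local_tz).astimezone(UTC)

def fat_to_utc(date_word: int, time_word: int, local_tz: timezone) -> datetime:
    """FAT32 stores local time in two 16-bit words: 2-second resolution, no zone info."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F
    hour, minute, sec = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, sec, tzinfo=local_tz).astimezone(UTC)

def filetime_to_utc(ticks: int) -> datetime:
    """NTFS FILETIME: 100-nanosecond intervals since 1601-01-01, already UTC."""
    return datetime(1601, 1, 1, tzinfo=UTC) + timedelta(microseconds=ticks // 10)

def epoch_to_utc(seconds: int) -> datetime:
    """Unix epoch seconds, as a phone's message database would store them (UTC)."""
    return datetime.fromtimestamp(seconds, tz=UTC)

def build_timeline():
    """Normalise every source to UTC and sort, so cross-device ordering can be argued."""
    events = [
        # camera showed 2013:06:07 13:30:00; corrected this is 2013-06-10 15:30 BST
        (exif_to_utc("2013:06:07 13:30:00", BST, CAMERA_CLOCK_OFFSET), "camera EXIF", "IMG_0001"),
        # 0x42CA / 0x7BE5 packed words = 2013-06-10 15:31:10 local
        (fat_to_utc(17098, 31717, BST), "FAT32 mtime", "IMG_0001 on card"),
        # FILETIME built from the Unix-epoch offset plus 2013-06-10 14:32:00 UTC
        (filetime_to_utc(116444736000000000 + 1370874720 * 10_000_000), "NTFS copy", "IMG_0001 on PC"),
        (epoch_to_utc(1370874780), "phone DB", "message send"),  # 14:33:00 UTC
    ]
    return sorted(events)

if __name__ == "__main__":
    for when, source, item in build_timeline():
        print(when.isoformat(), source, item)
```

The skew correction only holds for timestamps written while the camera clock had that offset; a card used in several devices needs a separate offset estimate per device.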
 
  

bshavers
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 23, 13 22:26

I have another perspective on what can be considered advanced. Technically, the actual analysis/forensics is basic, even when it is difficult. From the easy methods of recovery of deleted files to the more difficult reverse engineering of malware, these are still basic (technical) forensics.

The advanced is giving meaning to the data in a manner that paints a picture of what happened on the storage device. It is not enough to say "the evidence is there, see for yourself". It takes critical thinking to interpret and not only describe the evidence, but also convey what the evidence means by itself and in relation to other evidence (both in and out of the analysis).

I can compare it with painting in that technically, a stroke of a brush can be perfected, but it takes an artistic mindset and skill to paint a picture that tells a story or stirs an emotion. That's the closest analogy I can give, in that being a 'Picasso of forensics' is an advanced skill and trait compared with being an 'assembly line worker of forensics'.

One point on CP cases that I have always disliked (among the obvious), is when a case is shortsighted with an admission or confession. I have been told by one examiner, "I just triage the hard drive and file the case when I find CP. So far, I have a 100% confession rate. Case closed."

The problem I've had with this type of analysis is that although that ONE case is solved, it is incomplete. Doing just a little more work with just a little more time might result in finding a victim that has not been identified. One clear example is the pedo suspect downloading CP who also happens to have illicit photos of the little kid down the street (more charges) and identifying a victim. Or maybe the source of CP might be identified (another case and charges). Or maybe the confession is tossed in trial and the entire case is at risk of being lost because no actual analysis was done. But I digress....  
 
  

keydet89
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 23, 13 22:36

bshavers,

I have to agree with you...something that's difficult doesn't necessarily make it advanced.

Though I have never done a full CP exam...I've been involved in such exams to the point where I've been given specific data and asked to answer specific questions...I can see your point about victim identification.

Another issue I see with this is a lack of understanding of data structures, particularly due to the fact that popular training courses push tools that miss certain data structures that can mean the difference between CP possession and production.
 
  

Patrick4n6
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 24, 13 04:09

- bshavers
One point on CP cases that I have always disliked (among the obvious), is when a case is shortsighted with an admission or confession. I have been told by one examiner, "I just triage the hard drive and file the case when I find CP. So far, I have a 100% confession rate. Case closed."

The problem I've had with this type of analysis is that although that ONE case is solved, it is incomplete. Doing just a little more work with just a little more time might result in finding a victim that has not been identified. One clear example is the pedo suspect downloading CP who also happens to have illicit photos of the little kid down the street (more charges) and identifying a victim. Or maybe the source of CP might be identified (another case and charges). Or maybe the confession is tossed in trial and the entire case is at risk of being lost because no actual analysis was done. But I digress....


We had a case once where the investigator did triage on-site and then realised he was sitting on the couch in the photos. If we didn't find those particular photos, and just closed it out on a possession plea, a major injustice would have occurred.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
 
  

jhup
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 24, 13 18:32

Excellent points. This is better than I hoped.

Just to recap -

We consider 'advanced forensics' to be technical knowledge which is not readily available and requires validation and experimentation, and requires critical thinking to interpret, describe and convey relevance, meaning by itself and in relation to other evidence.

I think this captures most of what was written so far.

I think 'knowledge' in 'technical knowledge' specifically stresses the difference between data, information and knowledge. As some of you have stated, data and information does not provide knowledge.

'Easy-button monkeys' focus narrowly on the 'information', not comprehending 'data', and lacking the interconnection to map 'knowledge' out.

(Data being the material, information is the (result of) assessment or report (evaluation or estimation of the nature, quality, or ability) of the data, and knowledge is the interpretation, conveyance and relationship awareness of the previous two.)


Although this rests well over the 'Data-Information-Knowledge-Wisdom Pyramid', I am not sure what we would call advanced forensics wisdom.

We have defined 'advanced forensics data'.
We have defined 'advanced forensics information'.
We have defined 'advanced forensics knowledge'.

What is 'advanced forensics wisdom'? Do we have a definition for it? Or, do we even need to define it?

Love this (side chopped off, image is in the DIKW Pyramid article):

d : data, i : information, k : knowledge, u : understanding, w : wisdom, t : tacit knowledge, and e : explicit knowledge

Last edited by jhup on Oct 24, 13 18:44; edited 2 times in total
 
  

jhup
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 24, 13 18:35

And,
- bshavers
[...] [d]oing just a little more work with just a little more time might result in finding [...]


... the rest of the gang, facilitators, etc.  
 
  

joachimm
Senior Member
 

Re: Advanced forensics concepts

Post Posted: Oct 24, 13 22:59

My 2 cents.

jhup, what's the goal of your original question? With your latest replies I get the idea you're heading into a maze of KM (http://en.wikipedia.org/wiki/Knowledge_management) with no other purpose than to define things just for the purpose of creating more definitions.

en.wikipedia.org/wiki/...ic_science
"Forensic science (often known as forensics) is the scientific method of gathering and examining evidence."

Since you're talking about "digital forensics" this implies at least 2 fields of knowledge, namely digital (which one could define as computer science) and forensic science.

IMO the keywords here are:
* scientific methodology
* gathering evidence
* examining evidence

If you want to talk about advanced concepts in one of these areas, talk about them individually, but you're wasting your time trying to come up with all-encompassing definitions.
 

Page 2 of 6