Can everything in D...
 
Notifications
Clear all

Can everything in DF be factually established?

7 Posts
6 Users
0 Likes
577 Views
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

Stemming from a curious discussion, our field surely has very little if no elements of randomisation in it in comparison to other forensic disciplines? This got me thinking, is there anything in terms of computer functionality that has an element of uncertainty / randomness or can everything be defined and factually proven, albeit with varying levels of testing?

I hear lots of discussion along the lines of "it might be due to this and that etc etc" - but surely that doesn't apply to us? Computers dont function randomly, so we can technically prove everything cant we - even if it means disproving something? 😯

 
Posted : 25/01/2018 7:41 am
(@c-r-s)
Posts: 170
Estimable Member
 

An absence of randomness leads to the opposite The element of poof is remarkably weak in DF.
Forensics in general is not about proof in a logical sense, but giving a plausible explanation beyond reasonable doubt for an observation, or the "most plausible" explanation.

This is a differentiation problem. And the natural environment is full of random difference DNA, fingerprints, human physiology, psychology, materials, chemical properties etc. To replicate evidence that results from randomness requires great efforts. It is also quite unlikely that secondary chains of causation, formed by accident, lead to exactly the same composition of randomness. Natural evidence can thus be considered "unique" on a broad scale and often relates to the (physical, biochemical…) "uniqueness" of the perpetrator.

DF has got nothing of the above, just numbers which are not attributable by themselves and easy to replicate. If you look closely, you can see in every single case how this is overcome By assumptions about the physical environment. It was his computer, wasn't it? Assumptions, because - in delusion about what DF can do - these links to the natural environment sometimes aren't even forensically secured. This is a massive degradation in quality of evidence, like from "His DNA is on the knife" to "He bought the same type of knife".

I am not saying that there must not be a practical, somewhat pragmatic approach to this problem. When I see certain modi operandi of IT intrusion, I am actually confident to attribute them in many cases based on far less than a court examiner has in his hands. But the intelligence world is not the court room. My concern is, that participants in the legal process - mostly laymen in IT - do not actually acknowledge, how limited DF capabilities are, and therefore do not draw any conclusions from that in regards of their (judicial) persuasion.

 
Posted : 25/01/2018 9:48 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

C.R.S - excellent post. Great talent in bringing it to the point!

 
Posted : 25/01/2018 10:05 am
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

I see what you say. In the context of "it was his computer" - that is a question of ownership - not a truly digital forensic question; other evidence elements may come into play. If the question were 'has this PC been used to view the web' - we could give a factual account, with limited (if any?) room for assumption?

say for example, "that site was browser on this PC" - can be factually established etc or the limitations of not being able to do so can be identified (no history data etc). We cant over-extend our reach, therefore intent and subjectiveness is difficult to infer from digital evidence. BUT what I mean is that in terms of digital functionality, we can factually established the working of it.

I guess we could say everything about how a web browser has or is functioning. We cant use this information to infer the subjective thought process of the user.

 
Posted : 25/01/2018 10:42 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@Tootypeg
Check these threads which are good examples on how the same observed fact can be explained in different ways
https://www.forensicfocus.com/Forums/viewtopic/t=13018/
https://www.forensicfocus.com/Forums/viewtopic/t=9329/

The observed fact is that a given folder on a NTFS volume (let's say on a Windows XP where "DisableLastAccess" is 0 by default) has a Last Accessed Time of January 25, 2018 1442.15 UTC.

That is a fact, and it is undeniable and not up for debate.

Linking this fact to a supposed behaviour of the user or of a given program is not so straightforward and can well be debated.

A number of other findings (including a complete timeline) may (or may not) link the observed fact to this or that cause.

jaclaz

 
Posted : 25/01/2018 1:48 pm
(@merriora)
Posts: 44
Eminent Member
 

I hear lots of discussion along the lines of "it might be due to this and that etc etc" - but surely that doesn't apply to us? Computers dont function randomly, so we can technically prove everything cant we - even if it means disproving something? 😯

The observed fact is that a given folder on a NTFS volume (let's say on a Windows XP where "DisableLastAccess" is 0 by default) has a Last Accessed Time of January 25, 2018 1442.15 UTC.

That is a fact, and it is undeniable and not up for debate.

Linking this fact to a supposed behaviour of the user or of a given program is not so straightforward and can well be debated.
jaclaz

As Jaclaz points out, actually proving something occurred versus showing that it likely occurred can be difficult.

If you have infinite time and resources, you can test, re-test and analyze all data to get your closer to 100% proof of something occurring, but the reality is that we don't have vast amounts of time for every exhibit.

To further emphasize the complexity of proving, consider the fact that a lot of programs are proprietary and therefore no source code is available. Programs have bugs, so even though a method returns the same value 1,000 times in a row, on the next execution of that code, it 'could' return a different value due to some unknown variable changing (system clock, user action, etc.).

This makes proving more difficult especially when discussing what exactly a user did or did not do.

 
Posted : 25/01/2018 2:56 pm
(@athulin)
Posts: 1156
Noble Member
 

…our field surely has very little if no elements of randomisation in it in comparison to other forensic disciplines?

That sounds optimistic. I'd be more inclined to suspect that if 'random' aspects of evidence have been observed, it's more likely due to more effort and more critical examination.

Expressed slightly differently, if any forensic analyst claims that the confidence of a particular result is 100%, no buts or ifs about it, he's probably doing junk forensic science.

… is there anything in terms of computer functionality that has an element of uncertainty / randomness or can everything be defined and factually proven, albeit with varying levels of testing?

Anything relying on external factors. Visit web site X. Again. And again. Is there a change in what you see? If there's a load-balancing system present, there may be you get directed to a different server instance, and thus the technical possibility of different content exists.

Or … if the DNS server you rely on for the IP address lookup is not one but multiple (and so may have slightly different contents), you may get directed to different load-balancing pools.

And if the suspected perp looked up a page that a single DNS server directed him to the 'closest' server, a forensic analyst trying the same lookup from another locality may get referred to a different server, and may examine different content.

Not necessarily random. But unless you know what factors make it deterministic (time of day, current load of server park, physical locality … perhaps even phase of the moon), it might as well be random.

I hear lots of discussion along the lines of "it might be due to this and that etc etc" - but surely that doesn't apply to us?

I assume you're being ironic or facetious.

An investigator should be able to come up with ideas for this, and that and the other.

At that point, the pons asinorum of computer forensic science is located are you able to formulate criteria for evaluating each of those hypotheses for possibility and perhaps also probability, then proceed to perform that evaluation, and be able to say it must be this or that, but it can't be the other because … whatever. Or do you toss a mental coin, decide that 'the other' seems likely, and state that that is what happened.

On the hither side there is junk science and you can find any number of 100%-confidence statements (or statements that hide the lack of confidence, as in 'this observation is consistent with X'). Unscientific certainty or perhaps unscientific uncertainty.

On the further side, there is scientific uncertainty they who work there know what the don't know what studies have been made, what they show and how far they can be trusted.

Well, in theory.

Computers dont function randomly, so we can technically prove everything cant we - even if it means disproving something?

I think you may mean 'theoretically'rather than 'tehnically'. Technically, we have what amounts to back doors to almost every Intel processor sold since 2008 or so, and backdoors that give its users an surprising amount of latitude as to what they can do. (Intel Management Engine, in case you're interested.) Do we know if a particular system has this particular access method enabled or not? (I've seen the statement that it cannot be disabled on consumer systems …) Do we know if it was used between time X and time Y? Can we say for certain that it was not used during some particular time epriod? Or do we cross our fingers and say that our observations are consistent with IME not being used?

Me, I don't know. But it seems to allow for the possibility of an additional actor on most systems out there, and it would be interesting to have some solid IME forensic research to refer to. Until we do, we have an apparently non-deterministic source of activity. Not random, true. But it doesn't seem easy to analyze it in the way you seem to hope for.

(Anyone know any published research on IME, please post a cite.)

 
Posted : 25/01/2018 4:08 pm
Share: