±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 2 Overall: 35974
New Yesterday: 1 Visitors: 137

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

The End of Digital Forensics?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3, 4, 5, 6  Next 

Site Admin

The End of Digital Forensics?

Post Posted: Mar 28, 11 14:49

The End of Digital Forensics?

by Craig Ball

When Microsoft introduced its Encrypting File System (EFS) in Windows 2000, the Cassandras of computer forensics peppered the listserves with predictions that the days of digital forensics were numbered. Ten years on and hundreds of systems acquired, I’ve yet to handle a case stymied by encryption—and 90% of my acquisitions were corporate machines, many with TPMs and fingerprint readers. Voluntary encryption turned out to be no encryption at all.

The next sky falling threats to forensics were privacy tools and features. “Surely,” our Chicken Littles clucked, “everyone will run free tools that routinely wipe unallocated clusters and securely delete data!” Turns out, they only run the antiforensic tools right before the examiner arrives, and most such tools do a lousy job covering their tracks...

Read more

Please use this thread for discussion of Craig's latest column.
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus 

Senior Member

Re: The End of Digital Forensics?

Post Posted: Mar 28, 11 16:23

I find that through a combination of larger data sets and outdated equipment (due to current budget constraints), I spend a lot more time watching sands through the hour glass.
Some things you just can't "unsee". 

Senior Member

Re: The End of Digital Forensics?

Post Posted: Mar 28, 11 17:25

I share Craig's pain at the ever-increasing storage capacity. I'll direct my comments to the end-user devices that we still encounter and physically acquire most frequently: clearly somewhat different considerations apply to an enterprise's server-based or cloud-based storage.

In absolute terms acquisition speeds are much higher than they were in the 1990's (acquiring to CD-Rs from creaky old PATA disks isn't something I'd wish on my worst enemy!). However, typical transfer speeds have stagnated in the last few years whereas typical capacities have continued to increase substantially. Couple this with the fact that most of that additional capacity is unused and the net result is that acquisitions take more time for little to no appreciable increase in the volume or value of results obtained from the client's perspective.

As CF practitioners we have little influence over the storage devices and transfer interfaces that manufacturers provide, so we've got to do what we can with the stuff that is available. We've also got to accept that, in certain circumstances, full physical acquisitions simply aren't a practical or necessary solution in accomplishing the client's objectives in a case: those who won't provide their clients with alternatives can expect to be sidelined by those who will.  


Re: The End of Digital Forensics?

Post Posted: Mar 28, 11 20:56

I understand the points made previously and I agree to their impact, BUT I believe that the coming changes in storage technology from Magnetic Hard drives to Solid State Drives will have more of an immediate impact upon this change and NEED for change. To quote a published article from the JDFSL titled "Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?";

"Digital evidence is increasingly relied upon in computer forensic examinations and legal proceedings in the modern courtroom. ... a paradigm shift has taken place in technology storage and complex, transistor-based devices for primary storage are now increasingly common. Most people are aware of the transition from portable magnetic floppy discs to portable USB transistor flash devices, yet the transition from magnetic hard drives to solid-state drives inside modern computers has so far attracted very little attention from the research community.

... potentially reckless to rely on existing evidence collection processes and procedures, and we demonstrate that conventional assumptions about the behaviour of storage media are no longer valid. In particular, we demonstrate that modern storage devices can operate under their own volition in the absence of computer instructions. Such operations are highly destructive of traditionally recoverable data. This can contaminate evidence; can obfuscate and make validation of digital evidence reports difficult; can complicate the process of live and dead analysis recovery; and can complicate and frustrate the post recovery forensic analysis. "

Here is the link to this article :


AND supportive article :


I also believe that the research community either is denying or ignoring how these devices work (which this report proves otherwise ).

I have been told by a researcher that since these types of devices use similar controller techniques of the magnetic hard drives, that existing tools would work fine with these devices. I have found this report helpful in what my gut was saying NOT True.

I also believe that good evidence tools are just that to the investigator a tool, and that it is the investigator that makes sense from what he/she finds. It seems that there is pressure to rely on automation more and more due to the volumes that need to be searched.

Well, that is my addition to this discussion.  

Senior Member

Re: The End of Digital Forensics?

Post Posted: Mar 29, 11 02:26

Pricing models for forensic consultants/shops/experts needs to change to something that relies less on storage capacity processed to a more results oriented or flat pricing model.
Don't get baited. 

Senior Member

Re: The End of Digital Forensics?

Post Posted: Mar 29, 11 17:53

I guess we said the same when the Megabyte drives jumpted to Gigabyte drives.. The Tools and techniques changed from such things as Parallel Port Acquisitions to SATA writeblocker or dedicated Drive imagers. And the software had gone from Disk Edit and manual recovery to EnCase/FTK et al.

I assume the tool manufacturers will adjust to what the community needs and come up with something to make the job "do able"..

I hope..  

Senior Member

Re: The End of Digital Forensics?

Post Posted: Mar 29, 11 18:22

Sure, data sizes have increased but so has processing capabilities with faster CPUs and faster hard drives. 64-bit is also become more and more popular.

I think that this article, though, is an extension of "the sky is falling" scenario that Craig mentioned at the beginning of the article. The industry continues to work smarter, not longer. Use the power of your examination computer to weed through all of the 0s and present the information, that from your previous experience, is relevant.
Greg Kelley, EnCE, DFCP
Vestige, Ltd

Page 1 of 6
Page 1, 2, 3, 4, 5, 6  Next