Advanced forensics concepts

37 Posts
13 Users
0 Reactions
3,251 Views
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

One point on CP cases that I have always disliked (among the obvious), is when a case is shortsighted with an admission or confession. I have been told by one examiner, "I just triage the hard drive and file the case when I find CP. So far, I have a 100% confession rate. Case closed."

The problem I've had with this type of analysis is that although that ONE case is solved, it is incomplete. Doing just a little more work with just a little more time might result in finding a victim that has not been identified. One clear example is the pedo suspect downloading CP who also happens to have illicit photos of the little kid down the street (more charges) and identifying a victim. Or maybe the source of CP might be identified (another case and charges). Or maybe the confession is tossed in trial and the entire case is at risk of being lost because no actual analysis was done. But I digress….

We had a case once where the investigator did triage on-site and then realised he was sitting on the couch in the photos. If we didn't find those particular photos, and just closed it out on a possession plea, a major injustice would have occurred.


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
Topic starter  

Excellent points. This is better than I hoped.

Just to recap -

We consider 'advanced forensics' to be technical knowledge which is not readily available and requires validation and experimentation, and requires critical thinking to interpret, describe and convey relevance, meaning by itself and in relation to other evidence.

I think this captures most of what was written so far.

I think 'knowledge' in 'technical knowledge' specifically stresses the difference between data, information and knowledge. As some of you have stated, data and information do not provide knowledge.

'Easy-button monkeys' focus narrowly on the 'information', not comprehending 'data', and lacking the interconnection to map 'knowledge' out.

(Data being the material, information is the (result of) assessment or report (evaluation or estimation of the nature, quality, or ability) of the data, and knowledge is the interpretation, conveyance and relationship awareness of the previous two.)

Although this rests well over the 'Data-Information-Knowledge-Wisdom Pyramid', I am not sure what we would call advanced forensics wisdom.

We have defined 'advanced forensics data'.
We have defined 'advanced forensics information'.
We have defined 'advanced forensics knowledge'.

What is 'advanced forensics 'wisdom'? Do we have a definition for it? Or, do we even need to define it?

Love this (side chopped off, image is in the DIKW Pyramid article)

d data, i information, k knowledge, u understanding, w wisdom, t tacit knowledge, and e explicit knowledge


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
Topic starter  

And,

[…] [d]oing just a little more work with just a little more time might result in finding […]

… the rest of the gang, facilitators, etc.


   
(@joachimm)
Estimable Member
Joined: 17 years ago
Posts: 181
 

my 2 cents.

jhup, what's the goal of your original question? With your latest replies I get the idea you're heading into a maze of KM (http://en.wikipedia.org/wiki/Knowledge_management) with no other purpose than to define things just for the purpose of creating more definitions.

http://en.wikipedia.org/wiki/Forensic_science
"Forensic science (often known as forensics) is the scientific method of gathering and examining evidence."

Since you're talking about "digital forensics" this implies at least 2 fields of knowledge, namely digital (which one could define as computer science) and forensic science.

IMO the keywords here are
* scientific methodology
* gathering evidence
* examining evidence

If you want to talk about advanced concepts in one of these areas, talk about them individually, but you're wasting your time trying to come up with all-encompassing definitions.


   
Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

Some of the posts in this thread seem to conflate "advanced forensics" with "full analysis". Is it more "advanced" to examine more data? Is the pinnacle of digital forensic examination therefore to review every byte of data in binary?

I can't really share what I think "advanced" concepts are as they are normally just things I don't currently know. So some things I might regard as "advanced" could in reality be fairly simple, it's just that I haven't learned about them yet (or they could really be advanced!).


   
(@moha19)
New Member
Joined: 12 years ago
Posts: 2
 

Why are you angry?


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
Topic starter  

What do you consider "advanced forensics concepts" within the digital forensics realm?

(emphasis added)

I am aware that we will not come up with a perfect paragraph which will describe what is and is not considered "advanced forensics concepts". On the other hand, we can come up with general principles that can help us identify them as such.

I search for the framework for instructional purposes. I believe I have narrowed the construct down to a reasonable definition from input here, and elsewhere.

Critical thinking.

We consider "advanced forensics concepts" to be technical knowledge which is not readily available and requires validation and experimentation. “Advanced forensics” requires critical thinking to interpret, describe and convey relevance and meaning by itself and in relation to other evidence.

I do not believe there is a need to segregate "digital forensic science" into "digital" and "forensic science". In the same fashion, do we need to segregate "forensic" and "science"?

I did not expect to find a sharp delineation, but the result does give, at least to me, a sufficiently defined set of selection criteria.

Is the activity

  1. not readily available technical knowledge, and
  2. needs experimentation & validation, and
  3. requires critical thinking to interpret results, and
  4. demands higher understanding to
    1. be described, and
    2. be conveyed, and
    3. be shown relevance, and
    4. have meaning by
      1. itself, and
      2. as it relates to other evidence?

I am sure we can quibble on further nuances, but I believe a topic that fits the above description would be described as an "advanced forensics concept" by most forensic scientists or investigators.

I will concede that what is today's advanced forensics concept may be run-of-the-mill tool monkey material of the near future.



   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
Topic starter  

I do not believe quantity of data comes into play - be it GB analyzed or bit-fiddling.

I think we did rabbit-hole into the issue of limited, or incomplete analysis - but I do not read anyone suggesting that analysis of 100TB is more advanced than analyzing 100GB, or that binary arithmetic is required for something to be advanced.

Come to think of it, the description could fit most forensic science, not just digital forensics.

pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

I have shared with my peers at work that advanced forensics in our incident response and corporate investigations responsibilities involves any scenario that requires subjective analysis.

For example, a triage of employee activity for the past 30 days. Using all of the available evidence, artifacts, indicators, 'stuff', you create a palette of pigment from which to paint a picture of employee patterns (how about that for alliterative forensic prose).

The indicators or artifacts, may be the same from employee to employee - but the story they tell can be vastly different. This work product is highly subjective, certainly, however in my opinion, this capability represents advanced level thinking in the digital forensics world. This is macro level forensics.


   
(@joachimm)
Estimable Member
Joined: 17 years ago
Posts: 181
 

I do not believe there is a need to segregate "digital forensic science" into "digital" and "forensic science". In the same fashion, do we need to segregate "forensic" and "science"?

I wouldn't see it as a segregation, more as a separate facet of it. The "digital" makes digital forensics different from e.g. medical forensics.

We consider "advanced forensics concepts" to be technical knowledge which is not readily available and requires validation and experimentation. “Advanced forensics” requires critical thinking to interpret, describe and convey relevance and meaning by itself and in relation to other evidence.

On the whole I agree with your aspects of what forensic concepts should be, but I opt to drop the word advanced from that point of view. The whole idea of forensic science is to open up this knowledge and be able to represent it for the public (the forum). From http://en.wikipedia.org/wiki/Forensic_science:
The word forensic comes from the Latin forēnsis, meaning "of or before the forum."

We consider "advanced forensics concepts" to be technical knowledge which is not readily available and requires validation and experimentation. “Advanced forensics” requires critical thinking to interpret, describe and convey relevance and meaning by itself and in relation to other evidence.

IMO anyone not doing this is not doing digital forensics in the first place.

Is the activity …

I still do not understand what's advanced about this process? To my understanding the process (or a rough equivalent) you're describing has been around since the Greek/Roman period (maybe even before). A mindset I often use in cases is the 5 Ws (http://en.wikipedia.org/wiki/5_Ws). These have been around for quite a while.

IMO "advanced digital forensics" is just a buzzword. If you want to talk about the aspects of the forensic process as you outline in "Is the activity …", I opt to talk about those.

* How do you stimulate critical thinking?
* What would you propose as guidelines or criteria for interpreting results?
* What "experimentation & validation" do you use? Or should we be more open about this?
* How do you determine the relevance of a fact (regarding the evidence)?

* What do you mean by not readily available technical knowledge?
I, e.g., have documented several file formats over the years and written corresponding parser implementations. This information is "readily available technical knowledge". And I still find people not understanding more about the data out there. E.g. from time to time I see a similar post, "my tool does not read this PST file", only to find out that their PST file was filled with 0-byte values.

To me this shows a lack of basic understanding of what a file format is; nothing advanced, I would say.

Is the pinnacle of digital forensic examination therefore to review every byte of data in binary?

Only the relevant ones (and zeros), but also data that is not there can be an interesting fact 😉
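The "my tool does not read this PST file" case above, where the file turned out to be all 0x00 bytes, is exactly the kind of check an examiner can do in a few lines before blaming the parser. The following is an added example, not code from this thread or from any of the posters: it verifies the fixed PST header signature (ASCII "!BDN" at offset 0, client magic "SM" at offset 8, the wVer word at offset 10) and measures how much of the file is zero-filled. The sample inputs are constructed in memory, so it runs without a real mailbox file.

```python
"""Sanity-check a purported PST file before trusting a tool's parse error.

Added example (not code from the forum thread). The header constants follow
the public PST format description; the sample blobs below are constructed,
not real mailbox data.
"""
import struct
from dataclasses import dataclass
from typing import Optional

PST_MAGIC = b"!BDN"          # dwMagic at offset 0 of a PST/OST header
PST_CLIENT_MAGIC = b"SM"     # wMagicClient at offset 8 for PST files
# wVer at offset 10: 14/15 = ANSI PST, 23 = Unicode PST, 36 = Unicode with 4K pages
KNOWN_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode", 36: "Unicode (4K pages)"}
HEADER_LEN = 12


@dataclass
class PstCheck:
    size: int
    has_magic: bool
    has_client_magic: bool
    version: Optional[int]
    zero_fraction: float

    @property
    def verdict(self) -> str:
        """Plain-language result an examiner can act on."""
        if self.size == 0:
            return "empty file"
        if self.zero_fraction >= 0.999:
            return "file is (almost) entirely 0x00 bytes: not a PST, check the acquisition"
        if not self.has_magic:
            return "no '!BDN' signature: not a PST header (wrong file, truncated, or encrypted)"
        if not self.has_client_magic:
            return "'!BDN' present but client magic is not 'SM' (OST or damaged header)"
        if self.version not in KNOWN_VERSIONS:
            return f"PST header with unknown wVer={self.version}"
        return f"looks like a {KNOWN_VERSIONS[self.version]} PST header"


def check_pst_bytes(data: bytes) -> PstCheck:
    """Inspect raw bytes; works on a whole file or just its first page."""
    head = data[:HEADER_LEN]
    has_magic = head[:4] == PST_MAGIC
    has_client = head[8:10] == PST_CLIENT_MAGIC
    version = struct.unpack_from("<H", head, 10)[0] if len(head) >= HEADER_LEN else None
    zero_fraction = data.count(0) / len(data) if data else 1.0
    return PstCheck(len(data), has_magic, has_client, version, zero_fraction)


def check_pst_file(path: str) -> PstCheck:
    """Convenience wrapper for an on-disk file (path is whatever you are examining)."""
    with open(path, "rb") as fh:
        return check_pst_bytes(fh.read())


# Constructed samples (not real mailbox data):
ZERO_FILLED = bytes(4096)                                   # the case from the thread
UNICODE_HEADER = (PST_MAGIC + b"\x00\x00\x00\x00"           # magic + dwCRCPartial (zeroed here)
                  + PST_CLIENT_MAGIC + struct.pack("<H", 23)  # "SM" + wVer = 23 (Unicode)
                  + bytes(500))
NOT_A_PST = b"PK\x03\x04" + bytes(100)                      # a zip archive renamed .pst

if __name__ == "__main__":
    for name, blob in [("zero-filled", ZERO_FILLED), ("unicode", UNICODE_HEADER), ("zip", NOT_A_PST)]:
        print(f"{name}: {check_pst_bytes(blob).verdict}")
```

The zero-fraction test runs before the signature test on purpose: a null-filled file also fails the magic check, but "the whole file is zeros" points at the acquisition or the copy, which is a different follow-up than "this is not a PST".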


   