Advanced forensics concepts  

Page 2 / 3
moha19
(@moha19)
New Member

Why are you angry?

Posted : 26/10/2013 11:37 am
jhup
(@jhup)
Community Legend

What do you consider "advanced forensics concepts" within the digital forensics realm?

(emphasis added)

I am aware that we will not come up with a perfect paragraph which will describe what is and is not considered "advanced forensics concepts". On the other hand we can come up with general principles that can help us identify them as such.

I search for the framework for instructional purposes. I believe I have narrowed the construct down to a reasonable definition from input here, and elsewhere.

Critical thinking.

We consider "advanced forensics concepts" to be technical knowledge which is not readily available and requires validation and experimentation. “Advanced forensics” requires critical thinking to interpret, describe and convey relevance and meaning by itself and in relation to other evidence.

I do not believe there is a need to segregate "digital forensic science" into "digital" and "forensic science". In the same fashion, do we need to segregate "forensic" and "science"?

I did not expect to find a sharp delineation, but the result does give, at least to me, a sufficiently defined set of selection criteria.

Is the activity

1. not readily available technical knowledge, and
2. needs experimentation & validation, and
3. requires critical thinking to interpret results, and
4. demands higher understanding to
   1. be described, and
   2. be conveyed, and
   3. show relevance, and
   4. show meaning by
      1. itself, and
      2. as it relates to other evidence?

I am sure we can quibble on further nuances, but I believe a topic that fits the above description would be described as an "advanced forensics concept" by most forensic scientists or investigators.

I will concede that what is today's advanced forensics concept may be run-of-the-mill tool monkey material of the near future.

my 2 cents.

jhup, what's the goal of your original question? With your latest replies I get the idea you're heading into a maze of KM (http://en.wikipedia.org/wiki/Knowledge_management) with no other purpose than to define things just for the purpose of creating more definitions.

http://en.wikipedia.org/wiki/Forensic_science
"Forensic science (often known as forensics) is the scientific method of gathering and examining evidence."

Since you're talking about "digital forensics" this implies at least 2 fields of knowledge, namely digital (which one could define as computer science) and forensic science.

IMO the keywords here are
* scientific methodology
* gathering evidence
* examining evidence

If you want to talk about advanced concepts in one of these areas talk about them individually, but you're wasting your time trying to come up with all-encompassing definitions.

Posted : 28/10/2013 11:31 pm
jhup
(@jhup)
Community Legend

I do not believe quantity of data comes into play - be it GB analyzed or bit-fiddling.

I think we did rabbit-hole into the issue of limited, or incomplete analysis - but I do not read anyone suggesting that analysis of 100TB is more advanced than analyzing 100GB, or that binary arithmetic is required for something to be advanced.

Come to think of it, the description could fit most forensic science, not just digital forensics.

Some of the posts in this thread seem to conflate "advanced forensics" with "full analysis". Is it more "advanced" to examine more data? Is the pinnacle of digital forensic examination therefore to review every byte of data in binary?

I can't really share what I think "advanced" concepts are as they are normally just things I don't currently know. So some things I might regard as "advanced" could in reality be fairly simple, it's just that I haven't learned about them yet (or they could really be advanced!).

Posted : 28/10/2013 11:36 pm
pbobby
(@pbobby)
Active Member

I have shared with my peers at work that advanced forensics in our incident response and corporate investigations responsibilities involves any scenario that requires subjective analysis.

For example, a triage of employee activity for the past 30 days. Using all of the available evidence, artifacts, indicators, 'stuff', you create a palette of pigment from which to paint a picture of employee patterns (how about that for alliterative forensic prose).

The indicators or artifacts, may be the same from employee to employee - but the story they tell can be vastly different. This work product is highly subjective, certainly, however in my opinion, this capability represents advanced level thinking in the digital forensics world. This is macro level forensics.

Posted : 29/10/2013 4:52 am
joachimm
(@joachimm)
Active Member

I do not believe there is a need to segregate "digital forensic science" into "digital" and "forensic science". In the same fashion, do we need to segregate "forensic" and "science"?

I wouldn't see it as a segregation more as a separate facet to it. The "digital" makes digital forensics different from e.g. medical forensics.

We consider "advanced forensics concepts" to be technical knowledge which is not readily available and requires validation and experimentation. “Advanced forensics” requires critical thinking to interpret, describe and convey relevance and meaning by itself and in relation to other evidence.

On the whole I agree with your aspects of what forensic concepts should be, but I opt to drop the word advanced from that point of view. The whole idea of forensic science is to open up this knowledge and be able to represent it for the public (the forum). From http://en.wikipedia.org/wiki/Forensic_science
The word forensic comes from the Latin forēnsis, meaning "of or before the forum."

We consider "advanced forensics concepts" to be technical knowledge which is not readily available and requires validation and experimentation. “Advanced forensics” requires critical thinking to interpret, describe and convey relevance and meaning by itself and in relation to other evidence.

IMO anyone not doing this is not doing digital forensics in the first place.

Is the activity …

I still do not understand what's advanced about this process? To my understanding the process (or a rough equivalent) you're describing has been around since the Greek/Roman period (maybe even before). A mindset I often use in cases is the 5-Ws (http://en.wikipedia.org/wiki/5_Ws). These have been around for quite a while.

IMO "advanced digital forensics" is just a buzz word. If you want to talk about the aspects of the forensic process as you outline in "Is the activity …" I opt to talk about those.

* How do you stimulate critical thinking?
* What would you propose as guidelines or criteria for interpreting results?
* What "experimentation & validation" do you use? Or should we be more open about this?
* How do you determine relevance of a fact (regarding the evidence)?

* What do you mean by not readily available technical knowledge?
I e.g. have documented several file formats over the years and written comparing parser implementations. This information is "readily available technical knowledge". And I still find people don't understand more about the data out there. E.g. from time to time I see a similar post "my tool does not read this PST file" to find out that their PST file was filled with 0-byte values.

To me this shows a lack of basic understanding of what a file format is; nothing advanced, I would say.

Is the pinnacle of digital forensic examination therefore to review every byte of data in binary?

Only the relevant ones (and zeros), but also data that is not there can be an interesting fact 😉

Posted : 29/10/2013 11:04 am
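The "PST full of 0-byte values" anecdote in the post above is the kind of sanity check that belongs before any conclusion about what a tool can or cannot parse. The following is an added example written for this page; it is not code from the thread or from any participant. It assumes the published PST header layout (the four magic bytes `!BDN` at offset 0, the two-byte little-endian `wVer` at offset 10 with 14/15 meaning ANSI and 23 meaning Unicode, and a complete ANSI header of 516 bytes). Every input it examines is constructed inside the script; no real mailbox data is involved.

```python
"""Triage a suspected PST before concluding that "the tool cannot read it".

Added example for this thread, not code posted by any participant.
Assumptions (from the published PST header layout): bytes 0..3 are the
magic "!BDN", bytes 10..11 are wVer little-endian (14/15 = ANSI,
23 = Unicode), and a complete ANSI header is 516 bytes. All inputs are
constructed below; no real mailbox data is used.
"""
import math
from collections import Counter

PST_MAGIC = b"!BDN"        # dwMagic, first four bytes of a PST/OST file
WVER_OFFSET = 10           # wVer, 2 bytes little-endian
MIN_HEADER_LEN = 516       # smallest complete header (ANSI); Unicode is 564
PST_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode"}


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_pst(data: bytes) -> dict:
    """Say what the bytes are before saying what the parser did wrong."""
    n = len(data)
    zero_fraction = data.count(0) / n if n else 1.0
    magic_ok = data[:4] == PST_MAGIC
    version = None
    if magic_ok and n >= WVER_OFFSET + 2:
        version = int.from_bytes(data[WVER_OFFSET:WVER_OFFSET + 2], "little")

    if zero_fraction > 0.99:
        # The case described in the thread: there is no content to parse.
        verdict = "zero-filled"
    elif not magic_ok:
        verdict = "not-pst"              # wrong file, wiped, or an encrypted container
    elif n < MIN_HEADER_LEN:
        verdict = "truncated-header"     # magic survives but the header does not
    else:
        verdict = "pst-header-present"

    return {
        "size": n,
        "magic_ok": magic_ok,
        "version": version,
        "format": PST_VERSIONS.get(version, "unknown"),
        "zero_fraction": round(zero_fraction, 4),
        "entropy": round(byte_entropy(data), 3),
        "verdict": verdict,
    }


def make_sample(kind: str, size: int = 4096) -> bytes:
    """Constructed test inputs (not real mailboxes)."""
    # dwMagic, dwCRCPartial (zeroed), wMagicClient "SM", wVer = 23 (Unicode)
    header = PST_MAGIC + b"\x00\x00\x00\x00" + b"SM" + (23).to_bytes(2, "little")
    if kind == "zeros":                  # what the thread describes
        return bytes(size)
    if kind == "unicode_pst":            # plausible header plus a non-trivial body
        body = bytes(range(256)) * ((size - len(header)) // 256)
        return (header + body).ljust(size, b"\x00")
    if kind == "truncated":              # only the first 12 bytes survived
        return header
    if kind == "other":                  # some unrelated binary (zip-like prefix)
        return b"PK\x03\x04" + bytes(range(1, 256)) * 8
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("zeros", "unicode_pst", "truncated", "other"):
        print(f"{kind:12s} -> {triage_pst(make_sample(kind))}")
```

Once the verdict is "zero-filled", the question stops being "why won't the tool read it" and becomes "where did the zeros come from" (a sparse or failed copy, a wipe, an export that never completed), which is the point in the post that data which is not there can itself be a finding.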
jhup
(@jhup)
Community Legend

Let me approach it slightly differently.

We need to classify learning material, within digital forensic science.

Either we abandon the "advanced" and try to shove the whole elephant down the students' throat or we group the material into manageable bytes.

If there is no "expert", then why should there be "intermediate"? If there is no intermediate, then why not everyone be a forensics expert? But, we know this is not true. We classify people as experts; individuals with more knowledge than laymen on a subject. They are aware of and understand "advanced concepts" laymen do not.

We could classify knowledge in various ways, but much of forensics builds on previously learned information.

It would mean nothing to a novice to talk about various nuances of data correlation from over-provisioning areas in pages of blocks, when they do not understand the basics of computers.

Put it another way - is it necessary for someone to understand basic addition, subtraction and multiplication first, before tackling ax^2 + bx + c = 0?

We can teach someone to regurgitate advanced material without foundational understanding.

IMO anyone not doing this is not doing digital forensics in the first place

Do you consider imaging a hard drive properly "digital forensics"? Such process does not fulfill the "advanced forensics" description we noted.

I still do not understand what's advanced about this process? To my understanding the process (or a rough equivalent) you're describing has been around since the Greek/Roman period (maybe even before). A mindset I often use in cases is the 5-Ws (http://en.wikipedia.org/wiki/5_Ws). These have been around for quite a while.

I am not trying to come up with an earth-shattering new concept. What I am seeking is to get a general feel as to what one considers "advanced forensics concepts" in the industry.

It appears that you consider none as such. There are often outliers in most studies.

I disagree. I believe there are forensics investigators that have the knowledge in basic concepts, intermediate concepts, and advanced concepts.

This is how I sort of see it:

https://drive.google.com/file/d/0B0JkL5jnd0q4VjRUOV9xbEd3dTQ/edit?usp=sharing

We all start in the center (black area), with little knowledge.

We expand our understanding further in various directions toward advanced concepts (words at outside edge of circle).

On the way to the edge of the circle, we learn various other concepts (yellow ovals), some are larger, some are smaller, some are overlapping.

As time goes on, most of us become advanced in specific sub-areas of our field.

No one is an expert, and advanced in all areas of digital forensics.

Hope this bolsters my point.

Posted : 29/10/2013 5:19 pm
sgware
(@sgware)
Junior Member

I am hesitant to jump into this as I classify myself, based on this thread, as intermediate. I hope to be an expert at some point. I think time and experience with a variety of situations and challenges will be required for me to hit the "expert" mark.

I am not going to drop names, but there are a few experts, in my estimation, in this forum although they will say they aren't. That's fine as well. If we are learning from them and advancing our skill set based on their tutelage, then, I have no problem hanging that label on them.

But, isn't expert relative? A person just entering the field might consider me an expert because I managed to obtain a degree and a cert. Although I most certainly am not, imo.

This is how I would rank knowledge in terms of beginning, intermediate, and expert:

1. Beginner. Starting to understand and learn the basics of digital forensics. This includes (not exhaustive) identification, preservation, acquisition, analysis and reporting. Also includes, in the US, knowledge about Federal Rules of Evidence, what is an expert witness, chain of custody, basic forensic science (Locard's exchange principle), file system forensics, basic network forensics, knowledge of operating systems, and skills to analyze data such as binary math, hexadecimal math, and basics of how storage devices work as well as all the basic tools needed to conduct the analysis. A good foundational knowledge of the criminal justice system.

2. Practicing the skills above while learning real life nuances and how to respond when the basics don't quite work the way they were taught in a classroom or cert program. This step requires a significant number of years in the field.

3. Expert. Self explanatory. To the beginners and intermediate examiners, you are a content expert. Someone who teaches, sets examples, has been there and done that with difficult circumstances, network acquisitions/investigations, investigating across borders/jurisdictions.

Most importantly, there are no (imo) clear ranks of knowledge. I think we are always in transition from one to the other depending on how much time we spend keeping caught up.

Posted : 29/10/2013 9:36 pm
jhup
(@jhup)
Community Legend

I want to make it clear that I am not attempting to classify individual persons' qualification or expertise.

I am interested in what is and is not considered by a digital forensics practitioner as "advanced forensics concept" today.

Posted : 29/10/2013 11:00 pm
jaclaz
(@jaclaz)
Community Legend

I will risk 😯 to introduce the concept that while seniority is often (actually almost always) a requisite for experience, seniority in itself ONLY means seniority and not necessarily ALSO experience.

I mean that while it is obvious that someone dealing in the matter for a few months cannot even think of "competing" with someone that has worked in the field for years, the usual "been there and done that", it is not so straightforward that "Listen, son, I have worked in this field since before you were born" actually means "experience" in the "better" sense I attribute to the word.

But to me at least the concept of experience is about having learned from experience and project these learnings (and adapt them) on new cases, findings etc.

Equations (VERY rough)
seniority+continuous will/drive to learn and experiment=expert
seniority=seniority
first job or recent job+continuous will/drive to learn and experiment=intermediate
first job or recent job="nothing" as below, possibly evolving into "trained monkey"
college+continuous will/drive to learn and experiment=beginner*
college=college (nothing but a lot of talk and a badge)

*in theory

But here we are not talking of expert vs. intermediate vs. beginner (as people), we are talking about the topics, we could draw a line saying that anything that is known, documented and taught in college is "basic", that anything that is fully documented and verified and part of an established procedure (or taught in the various post graduate or vendor courses) is "intermediate" and anything that is not obvious or a simple derivative of known approaches, procedures and documented (and verified) theories is "advanced".

Then maybe we could change the term from "advanced" to "innovative" or anyway use this latter as a synonym.

jaclaz

P.S. Ooops, cross-posting with Jhup

Posted : 29/10/2013 11:07 pm
sgware
(@sgware)
Junior Member

Isn't "advanced" or "intermediate" really dependent on the aptitude, drive, and experience required to master the topic? That is where I was going, albeit not clearly, in my post.

Posted : 30/10/2013 12:07 am
joachimm
(@joachimm)
Active Member

Hope this bolsters my point.

jhup thanks for the elaboration.

It appears that you consider none as such.

You're interpreting me incorrectly here, as saying that there are no different levels of expertise in digital forensics.

If you ask me to sum up in a couple of sentences what the basic qualifications a digital forensic analyst should have (at every level) are:

* an understanding of fundamental concepts of computer or digital systems
* understand the importance and aspects of data (facts)/evidence preservation
* understand the relevance of digital data (facts) in and outside their context
* understand the relevance of experimentation & validation of methodology and tooling
* critical thinker to interpret results

What you dubbed as "advanced" I think are the core fundamentals of digital forensics.

Most of these are "thinking skills", nothing to do with the digital realm. I guess most of the other forensic sciences, at least the ones I know of, involve getting a full degree in that science e.g. psychology with additional training in forensic science and thus acquiring these thinking skills.

I've learned most about the thinking skills from non-computer science fields and it is these skills that help me in complex cases. Not those from my computer science education. But applying them both in cases is what I think makes one a digital forensic expert or not.

We all start in the center (black area), with little knowledge.

So my point is not to teach people facts about a certain technology, but teach them how to think for themselves. Think how to evaluate their findings, their hypothesis, their methods. IMO this is what forensic science is about. Not the ins and outs of a file format; if that is information readily available then we should teach them to find it and how to use it. If it is not, we should teach them how to obtain it. Don't get me wrong here, the information about the file format is still very valuable, but if I'm not working with e.g. PST why should I bother understanding the PST format in much detail. Now when I need to work with it, having this knowledge can be very useful.

https://drive.google.com/file/d/0B0JkL5jnd0q4VjRUOV9xbEd3dTQ/edit?usp=sharing

You only define factual knowledge here. I can search on the Internet for those and become sufficiently knowledgeable about the subject in a day; only because I have an understanding of their fundamentals. The only term here forensic related is "Anti forensics"

As time goes on, most of us become advanced in a specific sub-areas of our field.

So what? Does all this digital knowledge make me a digital forensic analyst? If I'm a programmer, network admin, systems admin, I'm also getting involved in these areas. And I'll also get more "advanced", a better term is "experienced", over time. But this does not make me a digital forensic analyst.

No one is an expert, and advanced in all areas of digital forensics.

True, so what we need to teach people is fundamentals and thinking skills. So that if they are not sufficiently expert in one area, that they can get sufficiently up to speed. IMO the fundamentals don't change that much.

I disagree. I believe there are forensics investigators that have the knowledge in basic concepts, intermediate concepts, and advanced concepts.

Let's start here: What are the basic concepts in your opinion that make someone a "digital" forensics investigator and not a system administrator for that matter?

Posted : 30/10/2013 1:38 am
joachimm
(@joachimm)
Active Member

I am interested in what is and is not considered by a digital forensics practitioner as "advanced forensics concept" today.

As the discussion and other people have pointed out this will be very subjective 😉

Posted : 30/10/2013 1:58 am
jhup
(@jhup)
Community Legend

There is nothing wrong with subjective.

As we all know, with statistics, a sufficient amount of subjective material becomes objective.

I am interested in what is and is not considered by a digital forensics practitioner as "advanced forensics concept" today.

As the discussion and other people have pointed out this will be very subjective 😉

Posted : 30/10/2013 3:51 pm
jhup
(@jhup)
Community Legend

You did not answer my questions. Not fair.

If you ask me to sum up in a couple of sentences what the basic qualifications a digital forensic analyst should have (at every level) are:

* an understanding of fundamental concepts of computer or digital systems
* understand the importance and aspects of data (facts)/evidence preservation
* understand the relevance of digital data (facts) in and outside their context
* understand the relevance of experimentation & validation of methodology and tooling
* critical thinker to interpret results

What you dubbed as "advanced" I think are the core fundamentals of digital forensics.

Being at the edge of a knowledge circle (sphere) with expertise in several areas, your perspective as to what is advanced and what is fundamental is different than for someone who is just setting out on forensics.

Most of these are "thinking skills", nothing to do with the digital realm. I guess most of the other forensic sciences, at least the ones I know of, involve getting a full degree in that science e.g. psychology with additional training in forensic science and thus acquiring these thinking skills.

And, that is where our field is heading, wouldn't you say? We did not have baccalaureate degrees 10 years ago in digital forensics. Today they are like mushrooms in a damp cellar. Tomorrow it will be a "requirement".

I've learned most about the thinking skills from non-computer science fields and it is these skills that help me in complex cases. Not those from my computer science education. But applying them both in cases is what I think makes one a digital forensic expert or not.

Yet there is no prohibition that the thinking skills cannot be learned while acquiring the "fundamental concepts" in digital forensics.

So my point is not to teach people facts about a certain technology, but teach them how to think for themselves. Think how to evaluate their findings, their hypothesis, their methods. IMO this is what forensic science is about. Not the ins and outs of a file format; if that is information readily available then we should teach them to find it and how to use it. If it is not, we should teach them how to obtain it. Don't get me wrong here, the information about the file format is still very valuable, but if I'm not working with e.g. PST why should I bother understanding the PST format in much detail. Now when I need to work with it, having this knowledge can be very useful.

I am not sure there is any disagreement here. You just stated what advanced forensics requires.

You only define factual knowledge here. I can search on the Internet for those and become sufficiently knowledgeable about the subject in a day; only because I have an understanding of their fundamentals. The only term here forensic related is "Anti forensics"

My "advanced" word choices were not the best, as I stated before. On the other hand, can we agree that each of those "factual knowledge" areas has very specific, very defined and very advanced concepts that one would not be privy to or grasp without "fundamental concepts"?

So what? Does all this digital knowledge make me a digital forensic analyst? If I'm a programmer, network admin, systems admin, I'm also getting involved in these areas. And I'll also get more "advanced", a better term is "experienced", over time. But this does not make me a digital forensic analyst.

Different topic.

True, so what we need to teach people is fundamentals and thinking skills. So that if they are not sufficiently expert in one area, that they can get sufficiently up to speed. IMO the fundamentals don't change that much.

Thank you. I appreciate you stressing my point of view. Indeed there is a distinction between fundamental and advanced.

Let's start here: What are the basic concepts in your opinion that make someone a "digital" forensics investigator and not a system administrator for that matter?

By all means do so. I am content with my information, as far as what I, and the feedback already collected, indicate is and is not "basic concepts".

It very much sounds like you are saying there is no such thing as advanced forensics concepts, but then you turn around and state that we must start with basic concepts. The notion that there are basic concepts implies there are intermediate and advanced concepts.

From my original post, my interest goes back to what individual forensics practitioners consider advanced concepts.

Posted : 30/10/2013 6:02 pm
athulin
(@athulin)
Community Legend

We classify people as experts; individuals with more knowledge than laymen on a subject. They are aware of and understand "advanced concepts" laymen do not.

That sounds almost like a feed-line from a straight man.

Google for 'Niels Bohr's definition of expert' – an attempt at definition that I find rather refreshing.

Posted : 30/10/2013 8:40 pm