Advanced forensics concepts

jhup
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

Let me approach it slightly differently.

We need to classify learning material, within digital forensic science.

Either we abandon the "advanced" and try to shove the whole elephant down the students' throat or we group the material into manageable bytes.

If there is no "expert", then why should there be "intermediate"? If there is no intermediate, then why not everyone be a forensics expert? But, we know this is not true. We classify people as experts; individuals with more knowledge than laymen on a subject. They are aware of and understand "advanced concepts" laymen do not.

We could classify knowledge in various ways, but much of forensics builds on previously learned information.

It would mean nothing to a novice to talk about various nuances of data correlation from over-provisioning areas in pages of blocks, when they do not understand the basics of computers.

Put it another way - is it necessary for someone to understand basic addition, subtraction and multiplication first, before tackling ax^2 + bx + c = 0?

We can teach someone to regurgitate advanced material without foundational understanding.

IMO anyone not doing this is not doing digital forensics in the first place

Do you consider imaging a hard drive properly "digital forensics"? Such process does not fulfill the "advanced forensics" description we noted.

I still do not understand what's advanced about this process? To my understanding the process (or a rough equivalent) you're describing has been around since the Greek/Roman period (maybe even before). A mindset I often use in cases is the 5-Ws (http://en.wikipedia.org/wiki/5_Ws). These have been around for quite a while.

I am not trying to come up with an earth-shattering new concept. What I am seeking is to get a general feel as to what one considers "advanced forensics concepts" in the industry.

It appears that you consider none as such. There are often outliers in most studies.

I disagree. I believe there are forensics investigators that have the knowledge in basic concepts, intermediate concepts, and advanced concepts.

This is how I sort of see it

https://drive.google.com/file/d/0B0JkL5jnd0q4VjRUOV9xbEd3dTQ/edit?usp=sharing

We all start in the center (black area), with little knowledge.

We expand our understanding further in various directions toward advanced concepts (words at outside edge of circle).

On the way to the edge of the circle, we learn various other concepts (yellow ovals), some are larger, some are smaller, some are overlapping.

As time goes on, most of us become advanced in specific sub-areas of our field.

No one is an expert, and advanced in all areas of digital forensics.

Hope this bolsters my point.

 
Posted : 29/10/2013 5:19 pm
(@sgware)
Posts: 42
Eminent Member
 

I am hesitant to jump into this as I classify myself, based on this thread, as intermediate. I hope to be an expert at some point. I think time and experience with a variety of situations and challenges will be required for me to hit the "expert" mark.

I am not going to drop names, but there are a few experts, in my estimation, in this forum although they will say they aren't. That's fine as well. If we are learning from them and advancing our skill set based on their tutelage, then, I have no problem hanging that label on them.

But, isn't expert relative? A person just entering the field might consider me an expert because I managed to obtain a degree and a cert. Although I most certainly am not, imo.

This is how I would rank knowledge in terms of beginning, intermediate, and expert:

1. Beginner. Starting to understand and learn the basics of digital forensics. This includes (not exhaustive) identification, preservation, acquisition, analysis and reporting. Also includes, in the US, knowledge about Federal Rules of Evidence, what is an expert witness, chain of custody, basic forensic science (Locard's exchange principle), file system forensics, basic network forensics, knowledge of operating systems, and skills to analyze data such as binary math, hexadecimal math, and basics of how storage devices work as well as all the basic tools needed to conduct the analysis. A good foundational knowledge of the criminal justice system.

2. Practicing the skills above while learning real life nuances and how to respond when the basics don't quite work the way they were taught in a classroom or cert program. This step requires a significant number of years in the field.

3. Expert. Self explanatory. To the beginners and intermediate examiners, you are a content expert. Someone who teaches, sets examples, has been there and done that with difficult circumstances, network acquisitions/investigations, investigating across borders/jurisdictions.

Most importantly, there are no (imo) clear ranks of knowledge. I think we are always in transition from one to the other depending on how much time we spend keeping caught up.

 
Posted : 29/10/2013 9:36 pm
jhup
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

I want to make it clear that I am not attempting to classify individual persons' qualification or expertise.

I am interested in what is and is not considered by a digital forensics practitioner as "advanced forensics concept" today.

 
Posted : 29/10/2013 11:00 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I will risk 😯 to introduce the concept that while seniority is often (actually almost always) a requisite for experience, seniority in itself ONLY means seniority and not necessarily ALSO experience.

I mean that while it is obvious that someone dealing in the matter for a few months cannot even think of "competing" with someone that has worked in the field for years, the usual "been there and done that", it is not so straightforward that "Listen, son, I have worked in this field since before you were born" actually means "experience" in the "better" sense I attribute to the word.

But to me at least the concept of experience is about having learned from experience and project these learnings (and adapt them) on new cases, findings etc.

Equations (VERY rough)
seniority+continuous will/drive to learn and experiment=expert
seniority=seniority
first job or recent job+continuous will/drive to learn and experiment=intermediate
first job or recent job="nothing" as below, possibly evolving into "trained monkey"
college+continuous will/drive to learn and experiment=beginner*
college=college (nothing but a lot of talk and a badge)

*in theory

But here we are not talking of expert vs. intermediate vs. beginner (as people), we are talking about the topics; we could draw a line saying that anything that is known, documented and taught in college is "basic", that anything that is fully documented and verified and part of an established procedure (or taught in the various post graduate or vendor courses) is "intermediate", and anything that is not obvious or a simple derivative of known approaches, procedures and documented (and verified) theories is "advanced".

Then maybe we could change the term from "advanced" to "innovative" or anyway use this latter as a synonym.

jaclaz

P.S. Ooops, cross-posting with Jhup

 
Posted : 29/10/2013 11:07 pm
(@sgware)
Posts: 42
Eminent Member
 

Isn't "advanced" or "intermediate" really dependent on the aptitude, drive, and experience required to master the topic? That is where I was going, albeit not clearly, in my post.

 
Posted : 30/10/2013 12:07 am
(@joachimm)
Posts: 181
Estimable Member
 

Hope this bolsters my point.

jhup thanks for the elaboration.

It appears that you consider none as such.

You're interpreting me incorrectly here, as saying that there are no different levels of expertise in digital forensics.

If you ask me to sum up in a couple of sentences what the basic qualifications a digital forensic analyst should have (at every level) are:

* an understanding of fundamental concepts of computer or digital systems
* understand the importance and aspects of data (facts)/evidence preservation
* understand the relevance of digital data (facts) in and outside their context
* understand the relevance of experimentation & validation of methodology and tooling
* critical thinker to interpret results

What you dubbed as "advanced" I think are the core fundamentals of digital forensics.

Most of these are "thinking skills", nothing to do with the digital realm. I guess most of the other forensic sciences, at least the ones I know of, involve getting a full degree in that science, e.g. psychology, with additional training in forensic science and thus acquiring these thinking skills.

I've learned most about the thinking skills from non-computer science fields and it is these skills that help me in complex cases. Not those from my computer science education. But applying them both in cases is what I think makes one a digital forensic expert or not.

We all start in the center (black area), with little knowledge.

So my point is not to teach people facts about a certain technology, but to teach them how to think for themselves. Think how to evaluate their findings, their hypothesis, their methods. IMO this is what forensic science is about. Not the ins and outs of a file format; if that information is readily available then we should teach them to find it and how to use it. If it is not, we should teach them how to obtain it. Don't get me wrong here, the information about the file format is still very valuable, but if I'm not working with e.g. PST why should I bother understanding the PST format in much detail. Now when I need to work with it, having this knowledge can be very useful.

https://drive.google.com/file/d/0B0JkL5jnd0q4VjRUOV9xbEd3dTQ/edit?usp=sharing

You only define factual knowledge here. I can search on the Internet for those and become sufficiently knowledgeable about the subject in a day; only because I have an understanding of their fundamentals. The only forensic-related term here is "Anti forensics".

As time goes on, most of us become advanced in a specific sub-areas of our field.

So what? Does all this digital knowledge make me a digital forensic analyst? If I'm a programmer, network admin, systems admin, I'm also getting involved in these areas. And I'll also get more "advanced", a better term is "experienced", over time. But this does not make me a digital forensic analyst.

No one is an expert, and advanced in all areas of digital forensics.

True, so what we need to teach people is fundamentals and thinking skills. So that if they are not sufficiently expert in one area, that they can get sufficiently up to speed. IMO the fundamentals don't change that much.

I disagree. I believe there are forensics investigators that have the knowledge in basic concepts, intermediate concepts, and advanced concepts.

Let's start here: What are the basic concepts in your opinion that make someone a "digital" forensics investigator and not a system administrator for that matter?

 
Posted : 30/10/2013 1:38 am
(@joachimm)
Posts: 181
Estimable Member
 

I am interested in what is and is not considered by a digital forensics practitioner as "advanced forensics concept" today.

As the discussion and other people have pointed out this will be very subjective 😉

 
Posted : 30/10/2013 1:58 am
jhup
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

There is nothing wrong with subjective.

As we all know, with statistics, a sufficient amount of subjective material becomes objective.

I am interested in what is and is not considered by a digital forensics practitioner as "advanced forensics concept" today.

As the discussion and other people have pointed out this will be very subjective 😉

 
Posted : 30/10/2013 3:51 pm
jhup
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

You did not answer my questions. Not fair.

If you ask me to sum up in a couple of sentences what the basic qualifications a digital forensic analyst should have (at every level) are:

* an understanding of fundamental concepts of computer or digital systems
* understand the importance and aspects of data (facts)/evidence preservation
* understand the relevance of digital data (facts) in and outside their context
* understand the relevance of experimentation & validation of methodology and tooling
* critical thinker to interpret results

What you dubbed as "advanced" I think are the core fundamentals of digital forensics.

Being at the edge of a knowledge circle (sphere) with expertise in several areas, your perspective as to what is advanced and what is fundamental is different than for someone who is just setting out on forensics.

Most of these are "thinking skills", nothing to do with the digital realm. I guess most of the other forensic sciences, at least the ones I know of, involve getting a full degree in that science, e.g. psychology, with additional training in forensic science and thus acquiring these thinking skills.

And, that is where our field is heading, wouldn't you say? We did not have baccalaureate degrees 10 years ago in digital forensics. Today they are like mushrooms in a damp cellar. Tomorrow it will be a "requirement".

I've learned most about the thinking skills from non-computer science fields and it is these skills that help me in complex cases. Not those from my computer science education. But applying them both in cases is what I think makes one a digital forensic expert or not.

Yet there is no prohibition that the thinking skills cannot be learned while acquiring the "fundamental concepts" in digital forensics.

So my point is not to teach people facts about a certain technology, but to teach them how to think for themselves. Think how to evaluate their findings, their hypothesis, their methods. IMO this is what forensic science is about. Not the ins and outs of a file format; if that information is readily available then we should teach them to find it and how to use it. If it is not, we should teach them how to obtain it. Don't get me wrong here, the information about the file format is still very valuable, but if I'm not working with e.g. PST why should I bother understanding the PST format in much detail. Now when I need to work with it, having this knowledge can be very useful.

I am not sure there is any disagreement here. You just stated what advanced forensics requires.

You only define factual knowledge here. I can search on the Internet for those and become sufficiently knowledgeable about the subject in a day; only because I have an understanding of their fundamentals. The only forensic-related term here is "Anti forensics".

My "advanced" word choices were not the best, as I stated before. On the other hand, can we agree that each of those "factual knowledge" areas has very specific, very defined and very advanced concepts that one would not be privy to or grasp without "fundamental concepts"?

So what? Does all this digital knowledge make me a digital forensic analyst? If I'm a programmer, network admin, systems admin, I'm also getting involved in these areas. And I'll also get more "advanced", a better term is "experienced", over time. But this does not make me a digital forensic analyst.

Different topic.

True, so what we need to teach people is fundamentals and thinking skills. So that if they are not sufficiently expert in one area, that they can get sufficiently up to speed. IMO the fundamentals don't change that much.

Thank you. I appreciate you stressing my point of view. Indeed there is a distinction between fundamental and advanced.

Let's start here: What are the basic concepts in your opinion that make someone a "digital" forensics investigator and not a system administrator for that matter?

By all means do so. I am content with my information as far as what I, and the feedback already collected, indicate is, and is not, "basic concepts".

It very much sounds like you are saying there is no such thing as advanced forensics concepts, but then you turn around and state that we must start with basic concepts. The notion that there are basic concepts implies there are intermediate and advanced concepts.

From my original post, my interest goes back to what individual forensics practitioners consider advanced concepts.

 
Posted : 30/10/2013 6:02 pm
(@athulin)
Posts: 1156
Noble Member
 

We classify people as experts; individuals with more knowledge than laymen on a subject. They are aware of and understand "advanced concepts" laymen do not.

That sounds almost like a feed-line from a straight man.

Google for 'Niels Bohr's definition of expert' – an attempt at definition that I find rather refreshing.

 
Posted : 30/10/2013 8:40 pm