Thanks to all so far who have voted and kindly spent time raising observations. Appreciated.
I do have some observations to make, but would like to make them a little later on. You see, I am on the trail of something that may assist in making 'forensically sound' possible in certain instances, and I think that, should such an opportunity arise, we would be wrong to look a gift horse in the mouth. Moreover, questions may be raised as to what our real motivations are in using the terms 'forensic' and 'evidence' while not seeking to substantially improve the current status quo. I also have some observations that could bring a current range of tools up to a certification level.
My opinion is only one of many that need to be heard on these issues, but it is pointless at this stage for me to introduce side issues like the matters above (as I have yet to finalise my conclusions), which could detract from the primary Poll Questions.
I have some questions from reading this thread…please let me know if these should really be placed in another thread…
What constitutes "forensically sound"? I see that term used a lot, but from the context of the use, I don't see any sort of consistency. On another forum, I saw where someone had made the statement that Robocopy was more "forensically sound" than the copy command on Windows. When asked why, the OP responded that Robocopy preserved the file system metadata for the file(s) being copied. Yet, the OP also said that documenting the MAC times for the file and then using the copy command is also "forensically sound".
What makes an application "Certified/Validated"?
Thanks!
What constitutes "forensically sound"?
Funny you should ask…
http//
And, of course, there has been some scientific treatment of the term, as well
http//
What makes an application "Certified/Validated"?
Certified, of course, requires some sort of certifying authority, e.g., NIST. Certification would result from meeting the requirements of that authority.
Validation, in science, means that two independent investigators following the same method would get the same results. This is, perhaps, the most appropriate definition of the term as it might apply to digital forensics.
In engineering, validation means that the product meets the customer's needs or requirements, as opposed to verification, which means that you follow the established methods for designing or building the product.
I have some questions from reading this thread…please let me know if these should really be placed in another thread…
What constitutes "forensically sound"? I see that term used a lot, but from the context of the use, I don't see any sort of consistency. On another forum, I saw where someone had made the statement that Robocopy was more "forensically sound" than the copy command on Windows. When asked why, the OP responded that Robocopy preserved the file system metadata for the file(s) being copied. Yet, the OP also said that documenting the MAC times for the file and then using the copy command is also "forensically sound".
What makes an application "Certified/Validated"?
Thanks!
Harlan as always you make insightful comment. These are points needing to be addressed.
"Examiners have a duty to ensure that the tools they use work as anticipated, and verify the results they obtain. If they fail to do this the system of justice in the UK has plenty of experience in uncovering any deficiencies."
I personally think that this hits the nail on the head: all tools, whether they be commercial, expensive EnCase-type things or 5-line shell scripts, should be "validated" - and this is where I feel that there is an issue with "Certification" - it's fine for EnCase to certify; however, whatever the process is, and it need not be an expensive one, it runs the risk of restricting the ability of an examiner to submit evidence that he has obtained "verifiably" through an "uncertified" piece of software, i.e. something that he/she/it has written specifically for obtaining the evidence because nothing "certified" exists to do it.
We attach (as Harlan has stated above) the label of "Forensically Sound" as a standard that we must attain - it is this that is our "certification standard" - and as this is a moving target (live forensics, results from contaminated sources etc.) and is one that is decided each and every time things are placed in front of a legal system, certification to it is a little complex!
Incidentally, I spend quite a lot of time breaking "certified" security products - often the label is a misleading comfort blanket that quickly overtakes correct use, and makes assumptions that the operating environment is identical to the sterile test lab. Like my car, which is certified to some standards (although sometimes I have my doubts), if I drive it recklessly or fail to maintain it properly, those certifications are meaningless.
Interesting views, and views that I appreciate, as I impartially see them as having been expressed honestly, without ulterior motive and with genuine belief that mobile phone tools cannot be made forensically sound. Interestingly, I note no comments from mobile telephone examiners.
- Do you even believe what has been stated thus far?
- Should you just give up in the face of alleged 'impossibility'?
- Who really has the experience to know?
- Have you looked closely at this one-stop-shop approach, whereby because a few mobile phones have the capability to change everything, all should be tarnished with the same brush?
- We now learn that computer forensics is different from mobile phone forensics, as seen by some in the computer forensics industry.
PS changed above as I accidentally included a quote from Azrael when I didn't mean to.
I personally think that this hits the nail on the head: all tools, whether they be commercial, expensive EnCase-type things or 5-line shell scripts, should be "validated" - and this is where I feel that there is an issue with "Certification" - it's fine for EnCase to certify; however, whatever the process is,
To be clear, EnCase "certification" by NIST is limited to imaging and restore functions. That is one of the "problems" with certification of a multipurpose tool such as EnCase, namely, what are you certifying?
and it need not be an expensive one,
True. As I noted, the only thing that is necessary to validate a tool is to establish that N number of people following the exact same procedure on the same "evidence" will get the same result (not, necessarily draw the same conclusions, but then that is what expert opinions are about).
We attach (as Harlan has stated above) the label of "Forensically Sound" as a standard that we must attain - it is this that is our "certification standard" - and as this is a moving target
The argument has been made, convincingly, I might add, that "forensically sound" means that the method can be validated (see above) and verified (meaning that the results are true). The issue, then, in something like live forensics or PDA forensics is the latter, i.e., can we establish that the method, itself, was either neutral or insignificant in terms of altering the evidence. This is less stringent than saying that it had no effect on the source media; rather, that the effects were not sufficient to question the veracity of the results.
Incidentally, I spend quite a lot of time breaking "certified" security products - often the label is a misleading comfort blanket that quickly overtakes correct use, and makes assumptions that the operating environment is identical to the sterile test lab.
True. Certification is often more about indemnification than it is about actual performance (as PCI compliance has demonstrated).
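The two ideas separated above, verification (did the method leave the source unaltered and produce a faithful result?) and validation (does repeating the identical procedure on the identical evidence give the same findings each time?), and the Robocopy-versus-copy question raised earlier in the thread, can both be exercised with a small harness. The following is an added example, not code posted by anyone in this thread: it treats a single file copy as the "acquisition" step, documents the source's hash and MAC times before and after, compares the copy against the source, and then repeats the whole procedure several times. The sample file, its contents and the fixed timestamp are constructed for the example; shutil.copy2 stands in for a metadata-preserving copy and shutil.copyfile for a content-only copy.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed, not from the thread: 2010-01-01T00:00:00Z in nanoseconds.
FIXED_TIME_NS = 1_262_304_000 * 1_000_000_000


def sha256_file(path: Path) -> str:
    """Content hash of a file: the record of what the evidence contained."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path: Path) -> dict:
    """Document the file as found: MAC times first (so the read that follows
    cannot move atime before it is recorded), then the content hash."""
    st = path.stat()
    return {"mtime_ns": st.st_mtime_ns, "atime_ns": st.st_atime_ns,
            "ctime_ns": st.st_ctime_ns, "sha256": sha256_file(path)}


def acquire(src: Path, dst: Path, copier=shutil.copy2) -> dict:
    """One acquisition step: document the source, copy it, document it again,
    and report what the method did and did not change. `copier` is the copy
    routine under test: shutil.copy2 preserves mtime/atime on the copy,
    shutil.copyfile copies content only (the copy gets a fresh mtime)."""
    before = describe(src)
    copier(src, dst)
    after = describe(src)
    copy = describe(dst)
    return {
        "sha256": before["sha256"],
        "source_content_unchanged": before["sha256"] == after["sha256"],
        "source_mtime_unchanged": before["mtime_ns"] == after["mtime_ns"],
        "source_ctime_unchanged": before["ctime_ns"] == after["ctime_ns"],
        # Reading the source to hash and copy it may move its atime on some
        # filesystems; record that rather than fail on it, since it does not
        # bear on the veracity of the content that was copied.
        "source_atime_moved": before["atime_ns"] != after["atime_ns"],
        "copy_matches_source": copy["sha256"] == before["sha256"],
        "copy_mtime_preserved": copy["mtime_ns"] == before["mtime_ns"],
        "copy_mtime_ns": copy["mtime_ns"],
    }


def validate(procedure, src: Path, runs: int = 3, **kwargs) -> dict:
    """Validation in the thread's sense: repeat the identical procedure on the
    identical evidence and check that every run reports the same findings."""
    compared = ("sha256", "source_content_unchanged", "source_mtime_unchanged",
                "copy_matches_source", "copy_mtime_preserved")
    results = []
    with tempfile.TemporaryDirectory() as workdir:
        for i in range(runs):
            results.append(procedure(src, Path(workdir) / f"copy{i}", **kwargs))
    findings = [tuple(r[k] for k in compared) for r in results]
    return {"reproducible": all(f == findings[0] for f in findings),
            "runs": results}


def make_sample_evidence(directory: Path) -> Path:
    """Constructed sample file with a known, fixed modification time."""
    path = directory / "evidence.bin"
    path.write_bytes(b"constructed sample evidence\n" * 100)
    os.utime(path, ns=(FIXED_TIME_NS, FIXED_TIME_NS))
    return path


def demo() -> dict:
    """Run both copy methods through validation and return the reports."""
    with tempfile.TemporaryDirectory() as d:
        src = make_sample_evidence(Path(d))
        return {"preserving": validate(acquire, src, copier=shutil.copy2),
                "plain": validate(acquire, src, copier=shutil.copyfile)}


if __name__ == "__main__":
    for name, report in demo().items():
        first = report["runs"][0]
        print(name, "reproducible:", report["reproducible"],
              "copy_matches_source:", first["copy_matches_source"],
              "copy_mtime_preserved:", first["copy_mtime_preserved"],
              "source_atime_moved:", first["source_atime_moved"])
```

Both copy routines come out reproducible and both leave the source content and mtime untouched, which is the point made earlier in the thread: a plain copy is not unsound as long as the MAC times were documented first, it simply does not carry them onto the copy, and the harness shows exactly which metadata each method preserves. The one field deliberately recorded rather than enforced is atime, since the act of reading the source to hash and copy it may move it; that is the "effects not sufficient to question the veracity of the results" case rather than a failure. A real imager would be run through the same shape of harness against a known image rather than a single file.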
I personally think that this hits the nail on the head: all tools, whether they be commercial, expensive EnCase-type things or 5-line shell scripts, should be "validated" - and this is where I feel that there is an issue with "Certification" - it's fine for EnCase to certify; however, whatever the process is,
To be clear, EnCase "certification" by NIST is limited to imaging and restore functions. That is one of the "problems" with certification of a multipurpose tool such as EnCase, namely, what are you certifying?
Is it also the case that the certification is only relevant to one version of an early edition, and that subsequently, even from the original imager, the product has moved on so that today's imager is not the same as the one certified?
We attach (as Harlan has stated above) the label of "Forensically Sound" as a standard that we must attain - it is this that is our "certification standard" - and as this is a moving target
How is a SIM Card a moving target?
We attach (as Harlan has stated above) the label of "Forensically Sound" as a standard that we must attain - it is this that is our "certification standard" - and as this is a moving target
How is a SIM Card a moving target?
Occasionally I get to demonstrate that my ignorance knows no bounds 😉
I would have thought, although I have no knowledge or evidence of the fact, that SIM cards have evolved over time? I'm certainly aware that my "old" SIM cards (5+ years) held less information than my current one (not that I actually use my current one to hold information).
When I made the statement, though, I was actually thinking of phone hardware & software - most specifically my own phone, an iPhone, of which I have had, in the last 13 months, two different physical versions (a 3G and a 3GS) and several versions of OS (currently sitting at 3.1.2, but I remember consciously upgrading to 3.0 with the enhanced functionality of cut and paste :-) much overdue!). I imagine that, as phones such as the iPhone, the Palm/Symbian range and Google's Android become more prevalent, this sort of range of, and relatively quick, patch/update cycle will make the art of mobile phone forensics more of the "moving target" that I imagine it to be.
Again, with the iPhone (and again a chance to demonstrate my ignorance!), doesn't forensic examination involve "jailbreaking" the phone in some way to allow access, thus essentially being equivalent to a "live" forensic examination?
Is it also the case that the certification is only relevant to one version of an early edition, and that subsequently, even from the original imager, the product has moved on so that today's imager is not the same as the one certified?
Agreed. A story has it that NASA used a lot of older (rather than cutting-edge) technologies in their spacecraft because they were more interested in reliability and familiarity with how the technology functioned.
We attach (as Harlan has stated above) the label of "Forensically Sound" as a standard that we must attain - it is this that is our "certification standard" - and as this is a moving target
How is a SIM Card a moving target?
I can't speak for him, but one interpretation of the "moving target" comment is the sheer number of different cellphones/PDAs and the differences in whether they can be logically imaged, physically imaged, partially imaged, completely imaged, etc., not to mention the role that the network plays. As you are well aware, the SIM card is only a piece of a bigger puzzle.