Connecting to your analysis machine via the internet

27 Posts
9 Users
0 Reactions
967 Views
CdtDelta
(@cdtdelta)
Estimable Member
Joined: 17 years ago
Posts: 134
 

I'm curious as to what everyone's procedure is for updating software (AV, OS, etc) on your examination machines? Do you pull the updates from another machine and then transport via USB/CD?

Tom


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Well I did say that it was a little trickier than what I posted…Too many details to discuss, here, which is why I avoided mentioning it.

Absolutely understood and certainly not my intention to imply any lack of due care, I do want to make that clear for everyone.

In these cases, I'm not always able to rely on people back in the office to get me the answers that I need before cross examination the next day…When the office is 2000 miles away, there aren't many options…

Yes, this is the sort of scenario where you might envisage there's a sound argument for remote access and I'm sure there are others, including pre-trial. I also take the earlier point made about classification although I'm not swayed that remote access should ever be viewed as the "default option" for any case (nor am I suggesting that that was the point being made, before I get into trouble!)

Jamie


   
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

I'm curious as to what everyone's procedure is for updating software (AV, OS, etc) on your examination machines? Do you pull the updates from another machine and then transport via USB/CD?

Tom

A CD-ROM update supplied by our AV vendor via snail mail is the basis for how our unit updates AV.
OS and App updates are downloaded and the un-reversible ones are tested before being made available to each analyst via our isolated internal network.

I love the idea of remote access and I am sure it can be done with great levels of security in relation to the data being intercepted or your workstation being hacked into.
I have observed a number of eminent practitioners accessing their workstations remotely and was surprised that they did so, as I would be most uncomfortable performing such a task unless I was absolutely sure that I myself was secure from attack or malice! Needless to say, the subjects that I have observed doing this remote access were!


   
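The offline update path neddy describes (download on a connected machine, verify, then carry to the isolated network) has one step that is easy to get wrong: making sure the files that reach the transfer medium are exactly the files that were downloaded and listed. The script below is an added example, not code from this thread or from any vendor mentioned in it; it assumes a download directory containing a manifest named SHA256SUMS (one "<sha256>  <filename>" line per update) and stages only files whose hash matches, refusing anything missing, altered, or unlisted. The sample files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): stage downloaded updates for transfer to an
# isolated analysis network only after each file matches a checksum manifest.
# Assumptions: updates sit in SRC, SRC/SHA256SUMS lists "<sha256>  <filename>",
# and verified files are copied to DEST (the USB/CD staging directory).

sha256_of() {
    # Print the SHA-256 of a file using whichever coreutils/perl tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# stage_updates SRC DEST
# Copies every file listed in SRC/SHA256SUMS whose hash matches into DEST.
# Returns 0 only if every listed file verified; 1 if any was missing or altered.
# Files present in SRC but absent from the manifest are never copied.
stage_updates() {
    src="$1"; dest="$2"; failed=0
    mkdir -p "$dest"
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$src/$name" ]; then
            echo "MISSING  $name" >&2; failed=1; continue
        fi
        actual=$(sha256_of "$src/$name")
        if [ "$actual" = "$expected" ]; then
            cp "$src/$name" "$dest/$name"
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)" >&2; failed=1
        fi
    done < "$src/SHA256SUMS"
    return $failed
}

# make_demo DIR: build a constructed download directory with one good file,
# one file altered after the manifest was written, and one unlisted file,
# so the check can be exercised offline. All names and contents are made up.
make_demo() {
    d="$1"; mkdir -p "$d"
    printf 'av-signatures-v1\n' > "$d/av-sigs.dat"
    printf 'os-patch-payload\n'  > "$d/os-patch.bin"
    printf 'unknown-extra\n'     > "$d/unlisted.exe"
    {
        printf '%s  av-sigs.dat\n' "$(sha256_of "$d/av-sigs.dat")"
        printf '%s  os-patch.bin\n' "$(sha256_of "$d/os-patch.bin")"
    } > "$d/SHA256SUMS"
    # Simulate corruption or tampering that happened after the manifest was produced.
    printf 'os-patch-payload-modified\n' > "$d/os-patch.bin"
}

# Typical use on the connected download machine:
#   make_demo /tmp/downloads            # or populate it with real downloads
#   stage_updates /tmp/downloads /media/transfer && echo "medium ready to carry"
```

The manifest should be produced at the point of download (or obtained from the vendor out of band) and the hashes re-checked again on the isolated side before installation; a non-zero exit here is the signal that the medium must not be carried across, and the stderr lines record which file failed and why.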
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
Topic starter  

With that said, I'm not sold on the idea that remote access as a rule (rather than an exception) is good policy.
Jamie

Jamie, what are your reasons for believing this not to be a good policy? If it's ok occasionally then surely it must be ok more than occasionally too? Playing devil's advocate here a bit. wink


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Jamie, what are your reasons for believing this not to be a good policy? If it's ok occasionally then surely it must be ok more than occasionally too? Playing devil's advocate here a bit. wink

No, I think it's a very fair question. Logically, if there's a case to be made for remote access on some occasions - and it can be implemented in practice to meet the necessary requirements of security etc. - why not allow it as a general rule?

I think my primary concern relates to motivation and how that affects implementation in the real world. If the motivation is primarily one of efficiency (both in terms of cost and time) I'm concerned that there's a chance that would be reflected in corners being cut as far as policies, procedures, physical security, etc. are concerned at the remote location (and for the sake of argument let's say this is a best case scenario with a single remote location you have complete control over).

You and I both know how much it costs to set up a properly managed facility and the same amount of care and attention has to go into managing a remote location if we want to maintain the highest standards. I fear that if cost-cutting is the primary factor in allowing remote access and we make it standard practice, rather than allowing access only in response to circumstances where it's the only practical option, then there's a good chance that we might lose something very valuable (outstanding data security and integrity) in return for just a small financial gain.

I do take your point though, and for anyone reading this I want to make it perfectly clear that Jonathan is someone who is absolutely committed to the highest professional standards (which, in a sense, makes it more difficult for me to make my point because I know that the dangers I'm flagging up are ones he's very much aware of and would address appropriately). I think that policy making is something with fuzzy edges though, it helps in some places and hinders in others (not infrequently holding back those with the best of intentions and skills because of concerns about those less trustworthy) - my feeling is that without greater knowledge of and support for quality standards in this area it's too high a price to pay at the moment.

Cheers,

Jamie


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
Topic starter  

Good reply Jamie and good point about the possibility of laxer overall standards creeping up when regularly working remotely. Human nature and all that. My vision of remote forensic working would be from a fixed remote point (such as a branch office or a home office) where all you deal with are real time screen shots of your analysis machine. In such instances 'appropriate' logical security at the remote location and of the data in transit between the two locations is vital, but I don't believe that physical security would be of the same importance as at the forensic lab.

As evidenced by the variety of replies in this thread the lack of standards you refer to is cause for some confusion!


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I think my primary concern relates to motivation and how that affects implementation in the real world. If the motivation is primarily one of efficiency (both in terms of cost and time) I'm concerned that there's a chance that would be reflected in corners being cut as far as policies, procedures, physical security, etc. are concerned at the remote location (and for the sake of argument let's say this is a best case scenario with a single remote location you have complete control over).

While I share this concern, I think that it somewhat overstates the potential problem. If lax standards have the potential to corrupt the evidence then there are means to challenge this evidence in court and have it excluded by the challenge. Of course, there is the risk (as we have seen in fake DNA testing), that the flaw may not be exposed for a time, but it is not like there isn't a mechanism by which we can assess whether a process led to data corruption. Don't both sides have access to the source data?

What I think is more important is that fora like these are not used to assert absolutes when there is not sufficient consensus on them since these opinions can be used as arguments in such things as Daubert challenges.

For example, in this and other fora, experienced investigators have stated in an unqualified manner that you must never attach a forensics computer to the Internet. First, such opinions are almost always dated as technology changes and what is impractical or unsafe, today, may not be so in the future. More importantly, however, these opinions are almost always based upon assumptions which remain unstated or incompletely stated which makes them difficult to challenge.

However, once statements like these become public, they can be used to challenge the credibility of other experts.

I was involved in a case, once, where the subject computer had an 80 Gbyte drive that was at about 18% capacity. The majority of the unallocated space was filled with zeros. It was my assertion (which proved to be correct) that the zeros resulted from the factory configuration procedure and not any activity on the part of the user.

I posted to a forum a simple question as to whether anyone had seen this pattern in the same model computer. Ultimately, I was able to obtain some of the same systems in a factory configuration and confirm that the drive configurations were identical but I was hoping to save my client the expense of doing that.

A number of responses to my post contained variations of the question "have you considered wiping?", which was the theory put forth by the opposing expert. I had considered it, and I had not found evidence for it, and it wasn't really my question, but it was too late.

The other side obtained copies of my post and the responses and used those to bolster their argument that even my peers considered wiping as the most likely explanation.

My point is that fora like these have been recognized in US Courts as being valid reflections of the state of knowledge of our profession and even of individual professionals. There may be absolute reasons to do or not do something (though I have found very few absolutes in life), but when we assert these as professionals we are, whether we intend to or not, contributing to what may be interpreted as the standard operating practices or current state of knowledge of our profession.


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

While I share this concern, I think that it somewhat overstates the potential problem. If lax standards have the potential to corrupt the evidence then there are means to challenge this evidence in court and have it excluded by the challenge. Of course, there is the risk (as we have seen in fake DNA testing), that the flaw may not be exposed for a time, but it is not like there isn't a mechanism by which we can assess whether a process led to data corruption. Don't both sides have access to the source data?

I take the point, but if anything my concerns are as much related to data disclosure/leakage as they are to corruption.

What I think is more important is that fora like these are not used to assert absolutes when there is not sufficient consensus on them since these opinions can be used as arguments in such things as Daubert challenges…[snipped]…My point is that fora like these have been recognized in US Courts as being valid reflections of the state of knowledge of our profession and even of individual professionals. There may be absolute reasons to do or not do something (though I have found very few absolutes in life), but when we assert these as professionals we are, whether we intend to or not, contributing to what may be interpreted as the standard operating practices or current state of knowledge of our profession.

Well, again it's a balancing act between proper debate (which, presumably moves the profession forward) and potential downsides such as those you mention. Far be it from me to comment on the rights and wrongs of the judicial process in the US or anywhere else but I think you hit upon the answer to this conundrum - surely the only logical response is to have standard operating procedures which are…standard?

Jamie


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I take the point, but if anything my concerns are as much related to data disclosure/leakage as they are to corruption.

Certainly this is a concern though not specific or unique to forensic computers. My point was more that from the perspective of forensics, there can be valid reasons to be attached to the Internet and there exist technologies to make this possible and safe, if used properly.

Far be it from me to comment on the rights and wrongs of the judicial process in the US or anywhere else but I think you hit upon the answer to this conundrum - surely the only logical response is to have standard operating procedures which are…standard?

I agree to a point. If we break the investigative process down into its components, some of these can clearly be standardized, such as practices regarding preservation of evidence, chain of custody, device seizure, the handling of live data.

But with developing and existing eDiscovery tools as well as things like the F-Response Field Kit, the landscape is changing with respect to the role of the Internet in computer forensics. Standard practices should always be subject to revision when new technologies and techniques become available and they shouldn't be used to stifle innovation.

The old texts used to say that "pulling the plug" was the first step in seizing a data device and that is clearly no longer the case. I think that "never connect a forensic machine to the Internet" may be analogous in this regard.


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Certainly this is a concern though not specific or unique to forensic computers. My point was more that from the perspective of forensics, there can be valid reasons to be attached to the Internet and there exist technologies to make this possible and safe, if used properly.

I don't see anything to argue with there, other than to add (for the sake of clarity, not because I think you're unaware of it) that the issues extend beyond technology and need to take other factors, not least of all human factors, into account.

But with developing and existing eDiscovery tools as well as things like the F-Response Field Kit, the landscape is changing with respect to the role of the Internet in computer forensics. Standard practices should always be subject to revision when new technologies and techniques become available and they shouldn't be used to stifle innovation.

The old texts used to say that "pulling the plug" was the first step in seizing a data device and that is clearly no longer the case. I think that "never connect a forensic machine to the Internet" may be analogous in this regard.

I'm in full agreement. There has to be a more nuanced approach.

Jamie


   
Page 2 / 3