Hullo All,
In the Information Security arena there is the OSSTMM (Open Source Security Testing Methodology Manual) which "is a peer-reviewed methodology for performing security tests and metrics." (http://www.isecom.org/osstmm/)
It is quite proscriptive in its guidance, and is designed to ensure that the security examiner/pen tester covers all the bases and that nothing gets overlooked.
Is there anything like this for forensics ?
Any reason why there isn't/shouldn't be ?
Are there any current projects going this way ?
Anyone interested in starting one ?
( Anyone got a better name for such a thing than
"Forensic Examination Knowledge Open Formats Forum" - FEKOFF ? )
-P
Just as a preface I spend almost all my time working financial cases with CPAs. One of the biggest complaints I run into is that there is no standard for forensic reports. Everyone does it differently.
For CPAs the FASB establishes financial accounting and reporting standards. That means that while everyone has slightly different company standards and methods, there are pretty straightforward guidelines as to what minimums need to be audited, what is reported, and how. That means if you read an audit the order of items is always in the same order and easy to follow and compare two auditors reports. It does not matter if you use software from CaseWare, Sage, Intuit or others the reports are always very similar.
I agree with your sentiment on methodology and metrics, "Is there anything like this for forensics ? Any reason why there isn't/shouldn't be ?"
Hullo All,
In the Information Security arena there is the OSSTMM (Open Source Security Testing Methodology Manual) which "is a peer-reviewed methodology for performing security tests and metrics." (http://www.isecom.org/osstmm/)
It is quite proscriptive in its guidance, and is designed to ensure that the security examiner/pen tester covers all the bases and that nothing gets overlooked.
Is there anything like this for forensics ?
Any reason why there isn't/shouldn't be ?
Are there any current projects going this way ?
Anyone interested in starting one ?
( Anyone got a better name for such a thing than
"Forensic Examination Knowledge Open Formats Forum" - FEKOFF ? )
-P
I'm not aware of any such thing for CF… it's something that in the UK should, in my opinion, be aggressively pushed by bodies such as F3 or CRFP.
A suitable name would be one that would have a certain amount of gravitas and be taken seriously by those both within the profession and by the outside world. My suggestion for a name that fulfils these criteria would be Forensic Analysis; Reviewing of Techniques and Examinations Discussion - FARTED
Is there anything like this for forensics ?
I know there's some academic research justifying the need but none actually proposing a methodology.
Any reason why there isn't/shouldn't be ?
I think there's a pretty good case for it. Time consuming however.
Anyone interested in starting one ?
Well before committing myself . . .
What would you have in mind? Who else is willing to help? How big a piece of which problem are people willing to bite off? It's too big for any group to do all of it short of a big government grant to pay folks full time for a while.
I know there's some academic research justifying the need but none actually proposing a methodology.
Interesting … Any suggestions as to where one might find such a study ?
Well before committing myself . . .
What would you have in mind? Who else is willing to help? How big a piece of which problem are people willing to bite off? It's too big for any group to do all of it short of a big government grant to pay folks full time for a while.
Glad that you are in - in principle at least !
What I have in mind is writing one …
Who else is willing to help ? Guys ? Come on ? Someone ?
I think that the rest is going to be dependent on the group. I disagree that it is too big for a group to create, looking at open source groups in general you have products like Linux, Apache, OpenOffice, Samba, The OSSTMM mentioned above, MySQL - all of which are massive undertakings by large groups with a small core of developers who co-ordinate the input of the others.
However one thing should be clear from the beginning - it is extremely unlikely that any money will be forthcoming to any contributor - fame & notoriety perhaps … Money - no.
I would suggest that perhaps such a work should be released under a creative commons license that prohibits the modification of the work, and requires correct attribution, but doesn't prohibit its use commercially. This would allow private firms to make use of it for examinations, but only with credit to the creators, and also, they would not be able to modify it to include in their own methodology publications …
With regard to the fact that it should possibly be pushed forward by F3 or another similar organisation … Possibly right … I for one wouldn't object to F3 being involved, but I would personally prefer if it was as independent as possible, drawing from as many professionals as possible internationally, not to be sponsored and administered by any one governing body.
Thoughts ?
—
Forensic Analysis Techniques; Collaborative Open Working Solution - FATCOWS ?
—
During my schooling for an AA in CF, methodology was stressed more than anything. We were never actually taught one but were required to develop 3 draft methodologies.
I would be interested in participating in anything that gets organized on this subject.
Just for reference … Pete Herzog, creator of the OSSTMM gave an interview the other day - a small section below
The problem was (and still is) that people kept their methodologies private. They all claimed to have one but in reality they didn't … I know because I worked and consulted for many of them. The whole exercise was a test of how good their hackers were and said almost nothing about the security of the targets. So I made the OSSTMM because I needed one, I needed a way to show people what security really meant, and made it public because it needed to be.
I know that a significant portion of examiners _do_ have a _good_ methodology. But there is also a significant portion who _don't_. As a community we could pool that knowledge and make it public, and I think that it would generally make life easier, both to create and verify results - in and out of court.
Azrael - I'd be interested in helping… anything for open standards!
Chalk me down too, whatever use I can bring to the table.
I would think it will be impossible to create a general methodology that would cover most scenarios so maybe a single document that had different sections for each major part of the forensic investigation?
ronanmagee, good point. Each different tool too probably.