It's about proving the intent in court Jaclaz.
I'm assuming you are just playing devil's advocate here. The expertise comes not so much in finding the pictures/videos because as you pointed out you need no degree to do that, rather it's in proving the intent and knowledge of possession.
Well, no.
That is a matter of the prosecution (or of the defense to disprove it) and of the judge/jury.
The forensic investigator should provide the data to make the prosecution (or defense) succeed in that, but proving is another thing.
We already talked about this
http://www.forensicfocus.com/Forums/viewtopic/t=9275/
But again, you are talking of expertise, which is NOT what you get (unfortunately) in a bachelor or master degree.
And yes, of course I am playing Devil's advocate ) .
jaclaz
Cross-linking to these News )
http://www.forensicfocus.com/Forums/viewtopic/t=11126/
ForGe – Computer Forensic Test Image Generator
Posted Fri Oct 18, 2013 1:50 pm
by Hannu Visti
Creating test material for computer forensic teaching or tool testing purposes has been a known problem.
….
jaclaz
I'm in the process of making several images to go along with the X-Ways Guide, but any tool will work to examine the images. A neat trick on creating Windows OS images you can distribute without violating a EULA is here http//
My personal take on practice images is that if the image is used for testing (personal, professional, or educational), the image should be made in a controlled environment. Creating a vm to image saves more time than using a physical disk. Having students create test images is not a controlled environment, nor is randomly creating test data without documentation.
Every mouse click, website, typed URL, deleted file, and any other action made (including the OS installation) should be documented as your soon-to-be-imaged OS environment is created. For tool testing or student testing, you have to know what really happened on a test image. Images created this way take time, like, lots of time, in real time. Trying to create an image and backdating files to shortcut the time it takes to make a test image only means you are creating a counter-forensics/anti-forensics image.
It's better to have an image created with an accompanying spreadsheet that lists all the user activity, by user/date/time/action, to verify the results of any forensic analysis, because if you don't know what the data really is, how do you know if the tool got it right or if the student got it right?
Allow me to disagree.
That is good in theory, but not in practice, as a matter of fact it is paradoxically convenient in practice but very far from theory. 😯
If the scope is to "teach" something specifically, you are perfectly correct ) .
If the idea is to "simulate" to a greater level of accuracy what may happen in real life, then it makes much less sense.
What happens in "real life"?
The forensic examiner is given a system (or hard disk or image of it) of which he knows nothing or very little.
The device or image contains traces of the activities of a perfect stranger over an unknown stretch of time.
The forensic examiner (let's assume the LE or prosecution one) needs to re-build a timeline of these activities (which are to him completely unknown beforehand and, for all he/she knows, completely "random"), extract meaningful evidence in the form of files, artifacts, etc., etc., and provide a reasonable explanation of how and when those things were created.
Then another forensic examiner (the defense nominated one) analyzes the SAME data and comes to different conclusions.
None of the two know in advance what actually happened, BOTH try to rebuild a possible hypothesis of what happened from the traces left.
They may find exactly the same things and agree on exactly the same reconstruction of events, but they may also interpret the data in different manners or one (or the other) may plainly miss some evidence or produce a different explanation for it.
If you prefer, "real" data (and consequently contents on hard disk images), by definition are created in a NON-controlled environment.
There is also (as I see it) a limit in complexity of the image.
I mean, how long does it take you to manually "forge" a disk image that you give to your student?
Hours, I believe.
A "real" image is likely
- to have been built during several months if not years
- there is possibly one, two, three or more re-installs of the OS and/or of the main apps
- any number of failed and successful automatic or manual updates of the software
- been used by more than one person, some not particularly "tech savvy" that has done "random" things
- has been defragged a number of times
- a file has been "grown" on the filesystem through subsequent edits
- the machine suffered from a number of blackouts/batteries removed and data corruption and recovery
- etc.
- etc.
Manually, and in a limited time, you can only rebuild from scratch a small part of the above, and there could in any case be some form of (unintentional) BIAS. I.e., if you are trying to prove (or show to the student) that a file copied from an archive had its filesystem date modified manually, you will do the steps that you would use to modify that date (and not necessarily the ones that a "real user" would have done). It would be only human that from the actual data you can reconstruct the date-modifying command because you already know what it was, but maybe if another forensic expert used a different approach you wouldn't be able to detect it (this is only a speculative example, of course).
As I see it the advantage of an automated method is that nothing forbids you from putting back into service an old machine (or run a virtual machine) for a few days or weeks in a sort of "accelerated" time and be able to actually rebuild the kind of artifacts that are normally created in a filesystem over time through a daily use over a longer stretch of time.
As I see it, and provided that a suitable tool (not necessarily the mentioned new kid on the block) is developed, the idea of "random" disk image generation has a lot of usefulness, though I understand that it would imply (from a "teacher" viewpoint) some more (much more) work.
jaclaz
There is a tool, or project, in the academic community from a couple of years back. It is called Forensig2. It creates disk images in a virtual machine and allows the user to use scripting language to play with the virtual machine timeline and do whatever is needed in the scenario. If I remember it correctly, it even allows you to "crash" the running system. I got a virtual machine with a working installation from the author. He might give it to others as well.
To me it appears an oxymoron to wish for images that would be both documented and representative of a true, live system, for reasons you already outlined. As a test image can't emulate an old PC/laptop hard drive, setting too strict requirements might be unproductive. In my opinion test images fall into three distinct categories:
1) "Live" images. These can't be fully documented. When I needed such an image, I imaged my own PC. This way there is no legal or moral issues to be considered. I don't know what exactly was in there but nor does the forensic investigator.
2) Created images with exact, documented contents. My ForGe tool does exactly these. They are generally simple images but the upside is in the exact documentation. These can be used to verify tool accuracy.
3) Created images that try to emulate application behaviour (e.g. a web browser). Forensig2 might be able to do this, but most likely there is a gap here. Some of these may require a working or semi-working operating system installation (if the application emulated uses the registry). I personally feel a bit doubtful whether these images can be simultaneously 100% accurate application behaviour representations and also 100% documented, but if someone sets forth to prove otherwise, I gladly revise my opinion.
Most forensic research and education problems do not require live images or 100% documented images, at least if the task at hand has a realistic definition and scope.
Hannu
Hi, hannu, happy you joined the discussion.
You very clearly listed/defined the three types of images.
The issue here is that - for obvious reasons - a student cannot have a "real case image" (as initially discussed) that would be a "perfect" type #1) image.
On the other hand the type #2) images, have some limits, mainly their (no offence intended) "simplicity" or "narrowness" (just like the "hand made" ones bshavers mentioned).
The solution would be "well made" type #3) images, IMHO.
Let's take it into an altogether different field, for the sake of the example.
Commercial jet aircraft pilot training. 😯
type #1) would equate to having kids actually pilot real 747s (something that I doubt anyone would allow)
type #2) equates (IMHO) to playing a bit with a flight simulator on a PC + a few hours of flight (with an instructor aboard) on a Cessna or Piper (with no offence whatever intended towards these smallish aircraft)
type #3) would be a "real" flight simulator, like the ones that are actually used in training pilots before allowing them to fly the "real thing".
What the OP asked for initially was an image of type #1) (unavailable), and what came out of the thread was that an image of type #3) does not exist, nor does a program/procedure to make one (unless the Forensig2 tool you mentioned is actually capable of making one, which I doubt, judging from the whitepaper http//
Images of type #2), no matter if created "manually" or "programmatically" have of course their own relevance, and your newish tool can undoubtedly be of great help, but still we are far from the (BTW completely theoretical) generator of type #3) images I was wishing for.
jaclaz
There's more than one way to do it, that’s for sure.
I have spent a few hours a year creating test images, probably 30 minutes a week over a period of a summer in preparation for classes in the fall. By documenting everything, including using Process Monitor on the test OS, I have irrefutable documentation of everything that happened on the imaged OS.
Since an analysis by itself is still speculation without supporting information, using randomly created images is not a scientific or systematic method to prove or disprove what actually happened in the OS. For example, how can you prove a negative in an analysis if you don't know what actually occurred in the OS?
Creating test images this way may seem overboard, but for me..
-in a class, I know exactly what is on the image because I created the test evidence
-for validation of tools, I know exactly what the tool is supposed to find, because I put it there
-for theory testing of opposing expert’s claims, I can verify the claim is accurate or inaccurate
As with anything in this field, your mileage may vary.
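The "controlled environment plus activity spreadsheet" approach described in the two posts above (create the soon-to-be-imaged system yourself, log every action by user/date/time/action, then grade the tool or the student against that log) can be shown in working code. The script below is an added example written for this page; it is not code from bshavers, jaclaz, ForGe or Forensig2. It stands a temporary directory in for the VM filesystem, logs each action to a CSV manifest, grades a report against the manifest, and demonstrates the point about backdating: POSIX utime() can rewrite mtime/atime but never ctime, so a "shortcut" backdated file carries a years-wide mtime/ctime gap an examiner can spot. User name, paths and file contents are constructed for the demo.

```python
"""Ground-truth manifest for a controlled forensic test image (added example)."""
import csv
import io
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_FIELDS = ("user", "utc_time", "action", "path")


class ControlledImage:
    """Performs user actions under ROOT and logs every one to a manifest.

    ROOT stands in for the VM filesystem that will later be imaged; the
    manifest is the user/date/time/action spreadsheet from the post.
    """

    def __init__(self, root, user):
        self.root = Path(root)
        self.user = user
        self.manifest = []  # one dict per action, in the order performed

    def _log(self, action, relpath):
        self.manifest.append({
            "user": self.user,
            "utc_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "path": relpath,
        })

    def create_file(self, relpath, content):
        target = self.root / relpath
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
        self._log("create", relpath)

    def modify_file(self, relpath, appended):
        with open(self.root / relpath, "a") as fh:
            fh.write(appended)
        self._log("modify", relpath)

    def delete_file(self, relpath):
        (self.root / relpath).unlink()
        self._log("delete", relpath)

    def manifest_csv(self):
        """The activity spreadsheet that ships with the image."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=MANIFEST_FIELDS)
        writer.writeheader()
        writer.writerows(self.manifest)
        return buf.getvalue()


def grade_findings(manifest, reported):
    """Compare a tool's or student's report with the ground truth.

    Returns (missed, spurious): logged events that were not reported, and
    reported events that never happened. A correct analysis yields two
    empty sets; a "negative" can only be proven because the log is complete.
    """
    expected = {(row["action"], row["path"]) for row in manifest}
    reported = set(reported)
    return expected - reported, reported - expected


def backdate_and_compare(path, years_back=3):
    """Backdate mtime/atime the way a shortcut-taker would; return (mtime, ctime).

    utime() sets ctime to 'now' as a side effect, so after backdating the
    file's mtime lies years before its ctime: the inconsistency that makes
    such an image anti-forensic rather than realistic.
    """
    old = time.time() - years_back * 365 * 86400
    os.utime(path, (old, old))
    st = os.stat(path)
    return st.st_mtime, st.st_ctime


def demo():
    """Build a tiny controlled image in a temp dir and grade a constructed report."""
    with tempfile.TemporaryDirectory() as tmp:
        img = ControlledImage(tmp, user="alice")  # constructed user name
        img.create_file("Documents/notes.txt", "meeting at 10\n")   # constructed content
        img.modify_file("Documents/notes.txt", "bring the USB stick\n")
        img.create_file("Downloads/setup.exe", "MZ placeholder")     # constructed content
        img.delete_file("Downloads/setup.exe")

        # Constructed report: found the deleted download but missed the edit.
        report = {("create", "Documents/notes.txt"),
                  ("create", "Downloads/setup.exe"),
                  ("delete", "Downloads/setup.exe")}
        missed, spurious = grade_findings(img.manifest, report)

        mtime, ctime = backdate_and_compare(Path(tmp) / "Documents/notes.txt")
        return img.manifest_csv(), missed, spurious, ctime - mtime


if __name__ == "__main__":
    csv_text, missed, spurious, skew = demo()
    print(csv_text)
    print("missed:", missed, "spurious:", spurious)
    print("ctime - mtime after backdating (seconds):", int(skew))
```

In practice the manifest would be kept alongside the E01/dd image (Process Monitor output, as mentioned above, serves the same purpose at finer granularity), and grade_findings is the step that turns "the tool found something" into "the tool found exactly what was put there and nothing else".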
Sure, and that is the good part (we can talk of different ways and hopefully even find new ways).
I am sure that your generated images are very useful (as type #2) images) and are invaluable in the teaching, but still you will have to agree that they are nowhere similar to what your student will have to deal with once he/she gets a job.
I see this as a possible "hole" in the education process, and it perfectly fits with the most recurring requirements on the job section, not only a bachelor or master, but additionally two or three years of experience.
As I see it, anything capable of filling - even partially - this "hole" is very welcome.
jaclaz
I am with Brett on this one.
I grasp how fantastically fun it would be to generate random data in "real flight simulators", some forensically valuable, some just misleading obfuscation, and some of no value; thereafter releasing students to find the meat…
I get flack now when the results take overnight for the whole class. Think about having to visit each and every image to make sure that the stuff is indeed there as they describe it… Of course, scoring could be automated too. Or maybe in the process of generating the "non-controlled" image, it also generates an answer sheet . . . which would put us back where we are now - just automagically doing it. mrgreen
In advanced classes I do not teach step actions. I do not teach "this is the location of important stuff; this is how you extract it". I teach concepts and notions how to learn to identify material that can be relevant to investigations.