future challenges and trends  

keen
(@keen)
New Member

I was wondering if people here could speak on or direct me to resources that discuss some challenges or trends that face computer forensics. I'm new but am interested in the field. Thanks.

Posted : 30/03/2006 3:25 am
gmarshall139
(@gmarshall139)
Active Member

One that really stands out is the size of storage media that we are faced with. Not only individual hard drives, but even home users are installing RAIDs now. A 500 gig case is really not unusual. That takes a great deal of time and really taxes the hardware.

Posted : 30/03/2006 4:47 am
m7esec
(@m7esec)
Junior Member

Yes, I agree with Greg, this kind of stuff makes me cringe.

http://ogadget.com/after-magnetic-storage-its-turn-of-holographic-storage-devices-182.html

Hey Greg, new job? Congrats!

Posted : 30/03/2006 4:56 am
keydet89
(@keydet89)
Community Legend

I second what Greg said, and would like to throw in something else…the need for "live" forensics. There are many systems out there that need to be examined but cannot be taken down.

Also, the knowledge level of the investigator is something that needs to be addressed. Gone are the days of DOS, fellas. In addition, the age of "Nintendo" forensics has passed, as well. How many images are examined, and not enough evidence is found simply because the investigator has little knowledge of the Registry, or of the log files on a system. As anyone hanging around this forum has seen, simple text searches don't always work with the Registry…you've got to contend with Unicode, Rot-13, and applications that store ASCII information in binary format (yeah, that's you, Adobe).

Keyword searches are still useful, but useful in the way that a toolbox with just a Phillips head screwdriver in it is "useful". Guys, don't expect EnCase to add "Find all evidence" and "Issue subpoenas" buttons to their GUI.

Just my $0.02…see me if you want change.

Harlan

Posted : 30/03/2006 7:09 am
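Harlan's point above, that a simple text search misses Registry data stored as UTF-16 strings or ROT-13 value names, as an added example that is not part of the original thread. The sample buffer, the file names and the `forensic_search` / `naive_search` function names are constructed for illustration; the `UEME_RUNPATH` UserAssist prefix and its ROT-13 encoding are the real XP-era convention.

```python
import codecs
import re

# Constructed sample buffer (not real hive data): a UTF-16LE string laid out the
# way a REG_SZ value is stored, a ROT-13 encoded UserAssist-style value name,
# and one plain ASCII file name for contrast.
SAMPLE = (
    b"\x00\x00"
    + "C:\\Tools\\evidence.doc".encode("utf-16-le")
    + b"\x00\x00"
    + codecs.encode("UEME_RUNPATH:C:\\Tools\\evidence.doc", "rot13").encode("ascii")
    + b"\x00"
    + b"notes.txt"
)


def _printable_run_ascii(buf, off):
    """Widen from `off` to the surrounding run of printable ASCII bytes."""
    start, end = off, off
    while start > 0 and 0x20 <= buf[start - 1] < 0x7F:
        start -= 1
    while end < len(buf) and 0x20 <= buf[end] < 0x7F:
        end += 1
    return buf[start:end].decode("ascii")


def _printable_run_utf16le(buf, off):
    """Widen from `off` to the surrounding run of printable UTF-16LE code units."""
    start, end = off, off
    while start >= 2 and 0x20 <= buf[start - 2] < 0x7F and buf[start - 1] == 0:
        start -= 2
    while end + 1 < len(buf) and 0x20 <= buf[end] < 0x7F and buf[end + 1] == 0:
        end += 2
    return buf[start:end].decode("utf-16-le")


def naive_search(buf, keyword):
    """The 'simple text search': ASCII substring only. Returns hit offsets."""
    return [m.start() for m in re.finditer(re.escape(keyword.encode("ascii")), buf)]


def forensic_search(buf, keyword):
    """Search for `keyword` as ASCII, as UTF-16LE and as ROT-13 text.
    Returns a sorted list of (offset, encoding, decoded string containing the hit)."""
    variants = {
        "ascii": keyword.encode("ascii"),
        "utf-16-le": keyword.encode("utf-16-le"),
        "rot13": codecs.encode(keyword, "rot13").encode("ascii"),
    }
    hits = []
    for enc, needle in variants.items():
        for m in re.finditer(re.escape(needle), buf):
            off = m.start()
            if enc == "utf-16-le":
                context = _printable_run_utf16le(buf, off)
            else:
                context = _printable_run_ascii(buf, off)
                if enc == "rot13":
                    context = codecs.decode(context, "rot13")
            hits.append((off, enc, context))
    return sorted(hits)


def decode_userassist_name(name):
    """UserAssist value names are ROT-13 encoded; decode one for display."""
    return codecs.decode(name, "rot13")


if __name__ == "__main__":
    print("naive:", naive_search(SAMPLE, "evidence"))  # nothing found
    for off, enc, text in forensic_search(SAMPLE, "evidence"):
        print(f"offset {off:3d} {enc:10s} {text}")
```

The plain search returns nothing for "evidence" even though the name sits in the buffer twice; the encoding-aware search reports both copies and decodes the string around each hit, which is the kind of result an examiner needs before concluding that a keyword is absent.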
arashiryu
(@arashiryu)
Active Member

Some of my thoughts.

* Native whole disk encryption, 3rd party whole disk encryption.
* Thin Client computing.
* Use of virtual machines.
* Anti Forensics tools.
http://www.metasploit.com/projects/antiforensics/
http://www.cyberforensics.purdue.edu/docs/Lockheed.ppt

Posted : 30/03/2006 8:16 am
keydet89
(@keydet89)
Community Legend

Did you happen to read the PPT?

From the third slide
"The volatility of DE and the reliance on tools makes cyber forensics very vulnerable to AF"

I do agree that anti-forensics tools are an issue, but

Also, whole disk encryption can be addressed with live acquisition. The producer of ProDiscover found this out…he acquired a system that had PGP Disk running.

Harlan

Posted : 30/03/2006 9:05 am
keydet89
(@keydet89)
Community Legend

I'd like to add "Physical memory analysis" to the list…

Harlan

Posted : 30/03/2006 6:42 pm
arashiryu
(@arashiryu)
Active Member

Harlan, thank you for pointing out the ProDiscover tip. I was not aware of it.

Posted : 30/03/2006 8:22 pm
keydet89
(@keydet89)
Community Legend

arashiryu…

It's not so much a ProDiscover tip, as it is a "need for live acquisition" tip. ProDiscover has a proprietary means of acquiring an image, but can use dd format, as well.

Posted : 31/03/2006 2:32 am
ifindstuffucantfind
(@ifindstuffucantfind)
New Member

I feel that a challenge for the industry is, first, the ever growing complexity of operating systems and of the devices that are used to interact with the system.

many registry keys contain evidence that can tell you who was sitting at that machine when the illegal act happened, which is what everyone wants to know.

Second, standardization in the industry, both in certifications and tools, is a real issue. There are more certifications for computer forensics than I care to count, and what makes one so much better than the other?

Also tool use and validation. As we all know one tool doesn't do everything and each tool may interpret data differently. Especially in a court setting when you are trying to explain things and you say well, EnCase found this… uhh, ok how the h**l did EnCase get that data. Tools aren't perfect. The FBI knows this, as they have quality assurance teams that certify their tools before they are even allowed to use them, and that process can take up to a year just to certify a single tool.

I don't know how other people feel on these issues, but I think those are a few challenges we face as a community in the future.

Posted : 31/03/2006 3:33 am
armresl
(@armresl)
Community Legend

Could you please further explain this statement?

"many registry keys contain evidence that can tell you who was sitting at that machine when the illegal act happened, which is what everyone wants to know."

Posted : 31/03/2006 3:54 am
arashiryu
(@arashiryu)
Active Member

Harlan, gotcha. I'll test with dd and netcat. Thanks again.

Posted : 31/03/2006 3:56 am
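The live acquisition Harlan recommends for mounted encrypted volumes, and the dd-to-netcat pipeline arashiryu says he will test, as an added Python example that is not from the thread or from any tool it names. The live host streams the volume in chunks to a collector while both ends hash what passes, so the examiner can show the received image matches what left the machine. The collector listens on loopback, the "volume" is a constructed byte string, and `acquire_over_network` and `demo` are names chosen here.

```python
import hashlib
import io
import socket
import threading

CHUNK = 4096  # read/send block size; dd's bs= plays this role in the shell pipeline


def _receiver(listener, sink, result):
    """Collector side (the `nc -l > image.dd` end): accept one connection,
    write everything to `sink` and hash it as it arrives."""
    conn, _ = listener.accept()
    h = hashlib.sha256()
    with conn:
        while True:
            data = conn.recv(CHUNK)
            if not data:
                break
            sink.write(data)
            h.update(data)
    result["sha256"] = h.hexdigest()


def _sender(source, host, port):
    """Live-host side (the `dd if=/dev/... | nc host port` end): read the
    source in chunks, stream it out and hash what was actually sent."""
    h = hashlib.sha256()
    with socket.create_connection((host, port)) as s:
        while True:
            data = source.read(CHUNK)
            if not data:
                break
            s.sendall(data)
            h.update(data)
    return h.hexdigest()


def acquire_over_network(source):
    """Stream a binary file-like `source` to a loopback collector.
    Returns (image bytes, sender sha256, receiver sha256); equal hashes mean
    the image arrived intact."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    sink, result = io.BytesIO(), {}
    t = threading.Thread(target=_receiver, args=(listener, sink, result))
    t.start()
    sent_hash = _sender(source, "127.0.0.1", port)
    t.join()
    listener.close()
    return sink.getvalue(), sent_hash, result["sha256"]


# Constructed stand-in for a mounted, currently decrypted volume on the live box.
FAKE_VOLUME = bytes(range(256)) * 64 + b"PGP Disk volume, plaintext while mounted\x00"


def demo():
    """Acquire the constructed volume; returns (ok, image length, sent, received)."""
    image, sent, received = acquire_over_network(io.BytesIO(FAKE_VOLUME))
    expected = hashlib.sha256(FAKE_VOLUME).hexdigest()
    ok = image == FAKE_VOLUME and sent == received == expected
    return ok, len(image), sent, received


if __name__ == "__main__":
    ok, n, sent, received = demo()
    print(f"{n} bytes transferred, hashes match: {ok}")
    print(f"sender   {sent}\nreceiver {received}")
```

Recording both hashes at acquisition time is what makes the image defensible later: a mismatch points at the transfer, and a match ties the file the examiner analyses to the bytes the live system produced at that moment.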
keydet89
(@keydet89)
Community Legend

armresl,

I think ifindstuffucantfind (correct me if I'm wrong here) may be referring to the keys found in the NTUSER.DAT and SAM files.

"…they have quality assurance teams that certify their tools…"

Right. And ILook 7.x was certified, though it wasn't Unicode compliant. Objects with Cyrillic characters in their names didn't appear in that version of ILook (I got that from a CART guy). The "quality assurance" is only as good as the requirements.

Re the certifications. Yes, this is a big issue, but one that won't be solved easily. There are security professionals who believe that unless you understand assembly language on the x86 platform, you shouldn't be in security. Then there's the ISC^2 and the CISSP cert, which is management level.

Posted : 31/03/2006 4:29 am
darren_q
(@darren_q)
Junior Member

A big issue we are seeing is with mobile/cell phones and the varying proprietary formats they use. The rapid increase in storage on the latest phones results in a vast amount of information being carried around. Add to that the increased functionality of the devices and where the manufacturers are heading with future development. A sound forensic process which can image and analyse all of the phones available is something that is needed now and in the future.

Posted : 31/03/2006 5:40 am
neddy
(@neddy)
Active Member

"many registry keys contain evidence that can tell you who was sitting at that machine when the illegal act happened, which is what everyone wants to know."

I'm not sure that is the case. It is not possible to prove someone was sitting at a computer logged into a specific user account at a specific point in time. It is however quite reasonable to state somebody was logged in to a specific user account at a specific point in time. That somebody could be the suspect's grandmother, but you can't prove it by registry keys alone.

A white paper on distributed computing, another development to be considered with regard to the future of digital forensics.

http://www.dfrws.org/2004/bios/day2/Golden-Perfromance.pdf

Posted : 31/03/2006 3:43 pm