How close are we to the 'find evidence' button?

(@tootypegs)
Posts: 80
Trusted Member
Topic starter
 

I was wondering how close we really are to having something that can automatically investigate media for us. Do you think we will ever achieve it and if so how do you think it will come about?

Just for general banter really as it came up for discussion in our lab today, but I would be interested to hear some opinions.

Somehow I can't see how we would achieve it other than teaching some 'program' everything we know.

 
Posted : 26/10/2011 4:32 am
ntexaminer
(@ntexaminer)
Posts: 49
Eminent Member
 

As far as a "find evidence" button, one could argue that we already have something similar. Evidence refinement in FTK or refining the volume snapshot in X-Ways may find many items that turn out to be crucial evidence for a case.

As far as investigating the evidence, I don't see how that could happen anytime in the near future. Every case is different. What may be evidence in one case may be the result of normal user actions in another. We also can't forget about the absence of files as evidence - things like this will ultimately come down to the knowledge and experience of the examiner.

Forensic tools are continually making it easier for examiners and reducing the knowledge required about what's going on under the hood (which isn't always a good thing), but I don't see how the investigative part will ever be handed off to a CPU. At least I hope not - that sure would take the fun out of the job.

 
Posted : 26/10/2011 7:24 am
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

We may be closer to a "find evidence" button, but until we get a "present evidence in court" button examiners will still need to understand what is going on under the hood.

-David

 
Posted : 26/10/2011 9:19 am
lucpel
(@lucpel)
Posts: 55
Trusted Member
 

I think it is like recursion: if an 'investigator machine' can automatically investigate media, and decide what is good or bad for an investigation, someone will have to investigate the machine to understand if it is taking the right choices.

Keywords are some kind of primitive approach to the A.I. futuristic idea. Based on that, the script can find everything related to something like "crime", but how would the 'investigator machine' decide if an item is good or bad for the case? Even in the near future I think I would spend more time cleaning false positives.

 
Posted : 26/10/2011 9:29 am
(@athulin)
Posts: 1156
Noble Member
 

I was wondering how close we really are to having something that can automatically investigate media for us. Do you think we will ever achieve it and if so how do you think it will come about?

Targeted searches – like 'find any evidence that user x accessed files in time period a-b' is probably possible, and can (equally probably) be written straight off.

The reason I think so is:

Several years ago, there was a computer security tool for some old SunOS release (the tool was called 'Kuang Ice Breaker', IIRC, a reference to Neuromancer) that would look for file system vulnerabilities (poor access control lists, bad ownership, etc.). It was, I believe, originally written as a C shell script, and later ported to perl, and I think it started out as student work in applying AI techniques to computer security.

The basic question it was asked was 'can a user X 'become' user Y'. Typically, user Y, the target, was the system administrator account, and X was another user account – typically, an unprivileged user.

To solve that problem, there were a number of rules that could be used to expand the basic question, for example: 'user X can become user Y if X has write access to file /etc/password' (by altering user Y's password in it), and rules like 'user X can get write access to file Y, if X has write privileges of parent directory of Y, and read access to the relevant files in Y' (in which case X can replace the original …/Y with his own version), and many many more. Some rules depended on particular vulnerable programs, so they looked for SUID'd programs with particular MD5 hashes, or for insecure rlogin solutions where the .rhosts file could be written by user Y, etc, etc, etc. Around all this was a recursive rule matcher and expander that took the original question, expanded it with applicable rules, and repeated that process until all possibilities had been exhausted.

I often used this program for security reviews of this particular operating system, and it was surprising to find how a small error in access rights of a seemingly innocuous file could lead to complete take over of a system by a totally unprivileged user.

Not having thought about applying a similar process to computer forensics, I cannot be absolutely certain, but I suspect that a similar approach would be possible, provided, of course, that the rule set was reasonably comprehensive. It would need to be rules both for a particular file system as well as a particular operating system, and it would probably need a somewhat larger set of 'top' questions.

Chances are, though, that a large rule set could make run time impractically large.

But basically, yes, I think it may be possible, as long as the rule set can be created. Everything else would be optimizations.

(Apologies for misspellings; my 'i' key seems to give up now and then.)

(Added on the other side of the question is, of course, the question of credibility – can the results be trusted? or are there bugs in the program or in the rules?)

 
Posted : 26/10/2011 12:44 pm
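The recursive rule matcher described in the post above, reconstructed as an added example (this is not Kuang's code and not from this thread): a handful of the rules named there are backward-chained over a constructed in-memory host model, and an audit run returns the chain of permission mistakes so an administrator can see which one to fix. The paths, users and modes are constructed for the example.

```python
import os

# Constructed toy host model: path -> (owner, group, mode). Not a real system.
FILES = {
    "/": ("root", "root", 0o755), "/etc": ("root", "root", 0o755),
    "/usr": ("root", "root", 0o755), "/usr/local": ("root", "root", 0o755),
    "/etc/passwd": ("root", "root", 0o644),
    "/usr/local/bin": ("root", "staff", 0o775),         # group-writable directory
    "/usr/local/bin/backup": ("root", "root", 0o4755),  # setuid-root program
}
GROUPS = {"staff": {"alice"}}  # group -> members

def can_write_directly(user, path):  # plain check: does user hold the write bit?
    owner, group, mode = FILES[path]
    if user == owner:
        return bool(mode & 0o200)
    if user in GROUPS.get(group, ()):
        return bool(mode & 0o020)
    return bool(mode & 0o002)

def prove(goal, user, seen=frozenset()):
    """Expand goal with the rules; returns the step list or None. `seen` stops cycles."""
    if goal in seen:
        return None
    seen = seen | {goal}
    kind, target = goal
    if kind == "become":
        if user == target:
            return []
        # Rule: X becomes Y if X can write the password file (alter Y's entry).
        sub = prove(("write", "/etc/passwd"), user, seen)
        if sub is not None:
            return sub + [f"edit {target}'s entry in /etc/passwd"]
        # Rule: X becomes Y if X can replace a setuid program owned by Y.
        for prog, (owner, _, mode) in FILES.items():
            if owner == target and mode & 0o4000:
                sub = prove(("write", prog), user, seen)
                if sub is not None:
                    return sub + [f"replace setuid-{target} program {prog}"]
        return None
    if can_write_directly(user, target):          # kind == "write"
        return [f"{user} has write permission on {target}"]
    # Rule: X can write F if X can write F's parent directory (swap the file).
    parent = os.path.dirname(target) or "/"
    if parent != target:
        sub = prove(("write", parent), user, seen)
        if sub is not None:
            return sub + [f"replace {target} via writable parent {parent}"]
    # Rule: X can write F if X can become F's owner.
    owner = FILES[target][0]
    sub = prove(("become", owner), user, seen)
    return None if sub is None else sub + [f"write {target} as {owner}"]
```

Running `prove(("become", "root"), "alice")` on this model yields a three-step chain rooted in the group-writable directory; tightening that directory's mode makes the same query return None, which is the check an audit would repeat after a fix.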
Passmark
(@passmark)
Posts: 376
Reputable Member
 

I think we are a long way off having just a single button.

What is feasible is better automation and a system that produces a short list of possible leads for a human to follow up on.

At the moment forensics software doesn't really have any concept of what crime is. It also doesn't have any real understanding of the data being processed. That is to say it doesn't understand what documents are about. Can't distinguish for example if documents about explosives are a pointer to a crime, or a normal innocent part of the coal mining executive's daily work.

Strong AI is required.

I would argue that rule sets for file permissions and detecting the presence of files, as suggested by Athulin, is light years away from the level of AI required.

I would further argue that once we get to the point of having strong AI, we'll all be redundant. Human programmers won't be needed to code forensics software, judges and lawyers would be replaced by faster and more reliable AI, etc….

See:
http://en.wikipedia.org/wiki/Technological_singularity

Happily I think we are 30 to 80 years away from this :-)

 
Posted : 27/10/2011 5:45 am
lucpel
(@lucpel)
Posts: 55
Trusted Member
 

Now that you mention that, nowadays there is a famous theory going around courts called "the weight formula", proposed by the German philosopher-lawyer Robert Alexy. It is an algorithm for solving collisions of constitutional principles. The algorithm has been experimentally implemented in order to assist court sentences.
If lawyers and judges consider using these 'formulas', a strong A.I. implementation will be required in the next years. If someone is interested, check this paper:

http://jagiellonian.academia.edu/BartoszBrozek/Papers/306950/The_Logic_of_Rules_and_Principles

 
Posted : 29/10/2011 11:56 pm
Bobbynyc
(@bobbynyc)
Posts: 22
Eminent Member
 

In my organization I think everyone that comes into our office with electronic devices (I would have said computers, but we get PDAs and phones in the office that were sitting in someone's dresser drawer from 1986) thinks we have a find evidence button.

They are actually naive enough to think that all we do is turn on the evidence computer and just look or browse through the files and copy and paste files out of the machine. Or they think we just run a program and it pulls everything out into nice neat folders.

And if this isn't bad enough, everyone thinks it takes 2 minutes to do an exam. The usual phone calls we get are "Hey, I brought 4 computers in 2 days ago, I was wondering what results you got."

 
Posted : 04/11/2011 12:09 am