Upon further thought, azrael alluded to the potential for appendices for specific methods on specific tools. At least, that's how I interpreted it. I really like that idea. How about a "Theory w/ Specific tool appendix" selection :D
As I trust the methodology would be somewhat a living document, maybe there could be members of the community/board that update specific areas of the appendices if that method was chosen.
One question - a methodology by convention is fairly rigid, though the nature of forensics investigations is fairly dynamic; so would a 'framework of best practices' be more suited than a methodology?
Formal methodologies don't lend themselves very well to being 'living documents' - simply due to the fact that acceptance and review of such is such a painstaking and lengthy process. Specific tasks perhaps can be defined using specific task-oriented methodologies, e.g. file carving, analysis of IE history, cookies, etc.
Also, I am thinking of a scenario many years down the line, where the defense asks if the investigator followed the 'accepted methodology' of the day in his analysis - to which he responds no - as it did not fully address the requirements of the case - to which the defense moves to discredit the evidence on the grounds that it was gathered outside the scope of the accepted methodology, industry-accepted methodology was not used, or applied to the letter, etc, etc, etc.
Just a thought…
One question - a methodology by convention is fairly rigid, though the nature of forensics investigations is fairly dynamic; so would a 'framework of best practices' be more suited than a methodology?
Sorry about this - there are two general understandings of the word "methodology" - strictly, by dictionary definition it doesn't mean "method", although this is its common and everyday usage and interpretation. I generally understand it to be more of a synonym for "framework". This isn't the first time that someone has said this to me or indeed on the forums, so perhaps if we consider a name change along the lines of "Best Practice Framework" it might avoid future confusion!
Formal methodologies don't lend themselves very well to being 'living documents' - simply due to the fact that acceptance and review of such is such a painstaking and lengthy process. Specific tasks perhaps can be defined using specific task-oriented methodologies, e.g. file carving, analysis of IE history, cookies, etc.
If we assume that we are building a framework, then I would suggest that whilst the "methods" are likely to change relatively frequently as tools do, the "principles" such as file carving, slack space analysis, keyword searching & regular expressions, browser history, etc. don't change _as_ often. I agree that potentially we face a situation where, when Microsoft changes the basis of their operating systems fundamentally, perhaps some of the base concepts would change, but there hasn't been a fundamental shift in (*buzzword alert*) computing paradigms for a very long time now …
Also, I am thinking of a scenario many years down the line, where the defense asks if the investigator followed the 'accepted methodology' of the day in his analysis - to which he responds no - as it did not fully address the requirements of the case - to which the defense moves to discredit the evidence on the grounds that it was gathered outside the scope of the accepted methodology, industry-accepted methodology was not used, or applied to the letter, etc, etc, etc.
Just a thought…
Interesting thought … You say this like it's a bad thing? 😉
The methodology should not be prescriptive as in "You MUST …" but rather "These items MAY exist; you should make a positive and conscious decision NOT to investigate them".
If you look at it from the different point of view of a medical forensic examiner … I'm sure that he has books on his shelf describing the effects and detection of poisons (and to be fair they probably all run a basic toxin check on blood anyway, at least for alcohol …) but if the body on the table has been decapitated, his examination is unlikely to be questioned in court for not performing a poison scan …
As it is now, you will have to defend your methods in court … It is not obligatory now to, for example, use one tool or another, so long as you can prove that it was done in such a way, with whichever tool, that the evidence is good. A good examiner, who carries out a good investigation, will always be able to justify his results in court.
There are best practice guidelines in many, many other sectors, and they only (as far as I am aware) serve to improve the general quality of the work in those sectors. They should be a firm foundation for greater things, not a final resting place for a lazy examiner.
:-)
Upon further thought, azrael alluded to the potential for appendices for specific methods on specific tools. At least, that's how I interpreted it. I really like that idea. How about a "Theory w/ Specific tool appendix" selection :D
As I trust the methodology would be somewhat a living document, maybe there could be members of the community/board that update specific areas of the appendices if that method was chosen.
That is what I was trying to imply :-) One hope that I do have in the long run is that if the methodology/framework/best practice becomes popular, tools will be written to take the sections of it into account, and the program manufacturers would write the Appendices as their own documentation.
So say I write a tool for File Carving, then I would throw together my technical documentation saying that this refers to Chapter 7 of the open forensic methodology/framework/best practice and in order to carry out the searches in 7.2, 7.3 and 7.4 you need to click here, press there and spin the wheel …
There is a project that links up the OSSTMM and Open Source Tools in a modular fashion called "Consensus" … This could also be worth taking a look at for some ideas …
:-D
The document does need to be kept live, and the Appendices will have far more variation than the main body, I expect. Good open source projects can release major updates every 6 months (I'm thinking OpenBSD here); their cycle is (I believe):
- 1 month fixing any problems from the last release in code.
- 1 month defining and starting new features.
- 2 months solid development.
- 1 month debug & completion.
- 1 month testing/documenting/bugfix till release.
I think that a major release every 6 months would be fair/feasible, but would suggest that if any errors are found, patches/corrections/errata are released IMMEDIATELY.
:-)
One question - a methodology by convention is fairly rigid, though the nature of forensics investigations is fairly dynamic; so would a 'framework of best practices' be more suited than a methodology?
Sorry about this - there are two general understandings of the word "methodology" - strictly, by dictionary definition it doesn't mean "method", although this is its common and everyday usage and interpretation. I generally understand it to be more of a synonym for "framework". This isn't the first time that someone has said this to me or indeed on the forums, so perhaps if we consider a name change along the lines of "Best Practice Framework" it might avoid future confusion!
Another suggestion for a name might be to actually say
"Open Forensic Standard" …
Like it.
As long as the scope is set, and we define the purpose in the beginning, we can call it "Aunt Mertha's Forensic Cookbook and Compendium" as far as I am concerned… lol
How about Digital Forensic Capture Framework (DFCC) or maybe Capture and Analysis Framework … DFCAF, drop the forensic and replace with evidence, Digital Evidence Capture Framework … DECAF!! 😉
Digital Evidence Capture and Analysis Framework … DECAF!! 😉
Ok! That I love! :-P