I admit that after some time during which I did not follow this subject, I did not read this entire forum closely. But it is clear from the topics that the forum has begun to take a completely different direction than the original intention. So the initial idea is dead?
Probably yes. But why? Why was it not possible to standardize the reports or to create a general methodology for forensic examination?
It seems that the only default document is still the ACPO Guide or similar ones, which are able to define only the basic 3 (or 4?) principles. Is it not possible to create something better (as was intended by the DECAF project)?
I think the basic problem of why such initiatives have failed is the lack of basic definitions of what we want to describe, to standardize. If there is only a very general definition of the term "digital forensics" (here I do not want to argue the accuracy of various definitions), we cannot move towards anything other than the very general principles (like ACPO's).
I think it would be appropriate to go one step higher into the theory and try first to understand what "digital forensics" actually IS. Only then can we discuss HOW.
The need to revoke the "old" definition of digital forensics has been apparent for some time (just as an example http//
Just to illustrate what I mean, I am presenting here the often quoted definition (DFRWS):
"The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations."
I am no theorist, but this definition seems to be a very general definition of forensic science in general, only the object is defined as "the digital evidence derived from digital sources". I am convinced that this basis is correct, but by far insufficient for such tasks as were initially raised in this forum (i.e., standardization of reports and examination methodology).
"Digital forensics" perhaps has already surpassed its "children's diseases" and it is time to reflect on what kind of forensic science it actually is.
What do you say?
Important note: I do not speak English well and do not use the right UK dictionary, so sorry…
So glad you posed the question. As I am developing a new forensic consulting agency, my business partner and I have reviewed everything as far as hardware, software and such, but the most important thing, the one that will be at the core of our business, will be the methodology. The process is the product.
I find there are many best practice guides and methods posted for different law enforcement agencies, etc., but not a single agreed upon guide on the methods of forensics as it relates to digital evidence. (I guess another question is - should there be?)
My plan over the next year or two will be to try to develop a method that will be as airtight as possible. I want to try to keep it basic and not make it too personal to my methods, but allow personalization where necessary. The first step I am taking is just going back to the books and guides and starting to take hardcore notes to come up with common themes and ideas to develop the academic approach. Then get out there and field test the method and tweak it for an "alpha" release (end of summer?), which I will post for peer review, then keep tweaking and hammering it down to be the best product I can make that will work for most examiners.
Looking forward to everyone's input over time as I feel this is really a community effort.
> The process is the product.
I put this forth in previous discussions, and this would probably account for why the discussion really never went much further.
If the process/methodology truly IS the product, why would a business share that?
> …but not a single agreed upon guide on the methods of forensics as it
> relates to digital evidence…
What would this be, exactly?
"If the process/methodology truly IS the product, why would a business share that?"
I would, because I feel it should be challenged in the open. Many books have been written on the subject of some of the best business models and product lines in the past hundred years, Ford and McDonalds. Both very process oriented (yes, I am generalizing to a great degree), and people have taken those models and personalized them and tried to improve. I think in a certain respect the process should be developed in an open source community format, then tested and validated over and over again.
The process will never be static; it will require constant changes to make it and ourselves better.
"What would this be, exactly?"
Something that is developed as a scientific method for digital forensic investigations that would be peer recognized as a "must read". I still am not 100% sold that something like that would or should even exist - I am wrestling with the concept and putting it out there for discussion…
In my experience in forensics, examination processes are very fluid. A long time ago I had a check list of things to do in an examination. At some point a few years back, I stopped using the check lists. The reason? My notes were discoverable by the defence, and frankly, I didn't want to have to explain why I hadn't done something on the list because it wasn't relevant to the case.
I'm all in favour of having certain principles set in stone, such as chain of custody, reproducibility of results, testing of tools, and documentation of specific processes such as how to image X using Y tool. Documenting the complete process, however, is like trying to clean the Augean Stables.
Mr. Patrick - very good points. Every investigation can have techniques that apply only to that situation. To try to overly solidify a published method that one would proclaim as the "best" or "must be done" would certainly leave an opposing side in testimony a chance to muddle a clear opinion with a line of questioning that has no bearing on the situation.
I have all the reports from CERT, SANS, DoJ, etc. here and missed the obvious: they are labeled as "best practice guides". It really is more a situation of observing ethics and the general principles of forensic evidence preservation. After that, the methodology is very personal.
douglasbrush,
I'm very much in agreement with you and hope we can take things forward this year. There are a number of factors which have delayed this effort in recent months at Forensic Focus but I'm optimistic they can be overcome.
Whether or not certain commercial entities decide to contribute to such an effort is entirely up to them, I certainly don't believe it's a showstopper if they don't (I think I made my position clear on this point in a previous thread so I won't beat that particular drum again).
I see nothing wrong in principle with trying to define a useful framework which practitioners of all ilks can use as a tool rather than a roadmap; after all, that's pretty much exactly what we're trying to do just by debating these issues in various forums and discussion lists. Trying to distill some of that wisdom while leaving enough raggedy edges and absolute flexibility in implementation seems to me a very sensible thing to do.
Jamie
Douglasbrush,
> I would because I feel it should be challenged in the open.
Okay, great. I look forward to seeing your process/methodology publicly posted so that others may review and challenge it.
Patrick4n6,
>…I didn't want to have to explain why I hadn't done something on the
> list because it wasn't relevant to the case.
Discoverable or not, isn't that a good enough reason? I will very often document in my case notes that I did not do something and the reason why, just as I document the things I do that do not return relevant results. For example, I will document that a keyword search returned no results, along with the keyword list, as this goes to reproducibility. However, if a customer is unable to define a data structure or keyword list, then I will document that as a reason for not doing the search.
> Documenting the complete process however is like trying to clean the Augean Stables.
I guess I just don't see it the same way. Looking at my case notes, which flow directly into my report, I don't see this as a Herculean effort.
> Okay, great. I look forward to seeing your process/methodology publicly posted so that others may review and challenge it.
I don't see that discussion of methodology necessarily means that everyone has to put all, or indeed any, of their own cards on the table. It's really no different from what we do here and on every other CF forum/list.
> I guess I just don't see it the same way. Looking at my case notes, which flow directly into my report, I don't see this as a Herculean effort.
Yep, I agree with this. I think an open-ended, non-proscriptive framework is very feasible.
Jamie
> Patrick4n6,
>> …I didn't want to have to explain why I hadn't done something on the
>> list because it wasn't relevant to the case.
> Discoverable or not, isn't that a good enough reason? I will very often document in my case notes that I did not do something and the reason why, just as I document the things I do that do not return relevant results. For example, I will document that a keyword search returned no results, along with the keyword list, as this goes to reproducibility. However, if a customer is unable to define a data structure or keyword list, then I will document that as a reason for not doing the search.
>> Documenting the complete process however is like trying to clean the Augean Stables.
> I guess I just don't see it the same way. Looking at my case notes, which flow directly into my report, I don't see this as a Herculean effort.
Allow me to clarify since you appear to have taken my comment in the wrong context. I document everything that I do in a case. What I'm saying is that trying to create a work process document in a vacuum that documents everything you could possibly ever do in a case is a Herculean effort, and the document would date very quickly. That's why you should solidify principles, but allow room for variation of the implementation.