New digital forensics textbook - soliciting suggestions

8 Posts
5 Users
0 Reactions
692 Views
(@sburgess)
Active Member
Joined: 17 years ago
Posts: 5
Topic starter  

I'm working with a professor on a general computer forensics text. It will have an overview of the field, and how-to's for many tools. It will not have the actual tools.
We will be including some actual case studies, and a few humorous takes on some of those case studies.
My question to the group is: What should we include that one doesn't normally find in texts of this type?
All suggestions are welcomed and appreciated.

pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

If the analysis was part of a trial, I would be interested in seeing how the analysis fared all the way through cross-examination, and what, if anything, the prosecution/defense focused on.

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Steven, you mentioned "humorous" in your comments.

I have read quite a number of books on computer forensics, and some postulate a theory regarding the evolution of computer forensics. For instance, there is a series of C|HFI books, and one is entitled Computer Forensics Evidence Collection and Preservation. The book sets out:

Evolution of Computer Forensics
• 1888 Francis Galton made the first-ever recorded study of fingerprints to catch potential criminals in crimes such as murders.
• 1893 Hans Gross was the first person to apply science to a criminal investigation.
• 1910 Albert Osborn became the first person to develop the essential features of documenting evidence during the examination process.
• 1915 Leone Lattes was the first person to use blood groupings to connect criminals to a crime.
• 1925 Calvin Goddard became the first person to make use of firearms and bullet comparisons for solving many pending court cases.
• 1932 The Federal Bureau of Investigation (FBI) set up a laboratory to provide forensic services to all field agents and other law authorities.
• 1984 The Computer Analysis and Response Team (CART) was developed to provide support to FBI field offices searching for computer evidence.
• 1993 The first international conference on computer evidence was held in the United States.

I am not criticising this book's content, merely pointing out an observation, particularly when dealing with sharp-minded students. Do you think Evolution of Computer Forensics is in the wrong place? How do fingerprints from another forensic science evolve into computer forensics? Was there a need for the fingerprint specialist to use an abacus, perhaps? You could have a bit of fun with this one, particularly during cross-examination.

(@sburgess)
Active Member
Joined: 17 years ago
Posts: 5
Topic starter  

Trew,

It does seem a little funny to start with fingerprints! Extra funny because the logo on my business card incorporates a kind of stylized fingerprint (although not everyone sees it). Also, I have a chapter in another text on forensics where my computer forensics chapter is between chapters that show, for instance, far more about bullet wounds and gunpowder residue on skin than I ever wanted to know (or see pictures of!).

It also gets me just a little how many computer forensics books start with CP/M, DOS & floppy diskettes (although I do run into these still, but super-rarely). I actually had a floppy drive repair business about 35 years ago, but it's not entirely relevant these days. Still, when I had a bright computer science major / intern looking over my shoulder as I typed in EDLIN commands to add a SCSI driver to a config.sys file, she was dumbfounded, and I forgot what I had internalized way back when - and what they don't teach now.

The bit of humor to which I refer is from a series of stories about real cases that are told in my attempt at a "forensic-noir" pulp-gumshoe style.

Cheers,
Steve

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

> It does seem a little funny to start with fingerprints! Extra funny because the logo on my business card incorporates a kind of stylized fingerprint (although not everyone sees it). Also, I have a chapter in another text on forensics where my computer forensics chapter is between chapters that show, for instance, far more about bullet wounds and gunpowder residue on skin than I ever wanted to know (or see pictures of!).

I have to include myself in having done something similar in the past, which did go wrong when I used fingerprints placed on an enlarged mobile phone for a full colour cover of a training course manual. When the cover came back from the printers (oh crikey), much to my embarrassment, viewing the image on the cover gave the impression that somehow a small panda with small feet had walked across a giant mobile phone… Oops!

> It also gets me just a little how many computer forensics books start with CP/M, DOS & floppy diskettes (although I do run into these still, but super-rarely). I actually had a floppy drive repair business about 35 years ago, but it's not entirely relevant these days. Still, when I had a bright computer science major / intern looking over my shoulder as I typed in EDLIN commands to add a SCSI driver to a config.sys file, she was dumbfounded, and I forgot what I had internalized way back when - and what they don't teach now.

Even the brightest spark in forensic christendom cannot replace the long-term, wider-experience skillsets that you have, aside from your expertise, of course, Steve.

> The bit of humor to which I refer is from a series of stories about real cases that are told in my attempt at a "forensic-noir" pulp-gumshoe style.

Look forward to reading your book when it is published.

Kind regards
Greg

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> We will be including some actual case studies, and a few humorous takes on some of those case studies.

That sounds ominous: humour tends to be short-lived. The tenth time you read the passage it's just annoying. It depends very much on the audience and planned use, though.

> My question to the group is: What should we include that one doesn't normally find in texts of this type?

You should ask someone in the legal world – the people who usually rely on the work performed by computer forensic investigators: what do they find lacking?

My very personal opinion:

* A comparison with other forensic practitioners: what does it take to become a forensic pathologist, for example?

Especially, I think, the extreme fluidity of the arena. While forensic pathology probably has its share of overturned truths, they don't need to cope with 'human XP' or 'human 7, 8 and 10'. Computer forensics really needs to cope with truths or research results being true only for well-identified software releases, not necessarily for anything else.

* Difficulty of communication, especially with non-technical people, such as lawyers/attorneys/barristers/what-have-you. At a CF tool course, I heard the teacher comment on a case involving time stamps that he felt was misunderstood, and thus led to the wrong outcome. As luck had it, the opposing computer forensic expert happened to be in the class, and he agreed the evidence was misunderstood or misinterpreted or both.

* Bad computer forensics, and in particular a bad scientific base for any conclusions or statements. This may seem to depend partly on jurisdiction: Daubert, for example, mentions error estimates, but it seems few practitioners have a clue about those. But I think error estimates are relevant even elsewhere, as they are part of that science base.

(I'd love to see a 'Forensic Science for Dummies', by the way.)

This is also an area that will become important: today there's a fallout from poor science in identification based on hair examination and bite marks, for example. It would hardly be unexpected if some 'accepted truth' of current computer forensics was questioned in the same way. (Even some things that show basic assumptions not being warranted, like those 30-odd cases around Germany showing the same DNA. They were probably contaminated by someone involved with the manufacture of the tops/swabs used to collect samples for analysis, and the tops/swabs had not been DNA-sterilized anyway.)

Another way to say that: always expect to be challenged on the scientific base of the work. We can't do as an old FBI fingerprint examiner suggested in a textbook of forensic fingerprinting, that questions to an expert witness on the reliability of fingerprint identification should be answered by saying that it was God's will that they were unique. That handbook, incidentally, destroyed much of my belief in the scientific basis of forensic fingerprint identification.

Spilsbury's Disease – I'm thinking of Sir Bernard Spilsbury – might be worth mentioning: being more confident in conclusions than is warranted.

* I wonder if the various innocence or wrongful conviction projects around the world – or perhaps in areas where prospective readers of this text book live – have anything related to computer forensics evidence, preferably one that indicates a systemic/systematic error.

*That* would be something I don't think I've seen in any CF text book.

citizen
(@citizen)
Eminent Member
Joined: 10 years ago
Posts: 38
 

Use open source tools like xxd, grep, and dd to show students basic partition analysis and file system analysis. Maybe do something simple like FAT12 or ISO9660 for the FS and MBR for the partitions.

Also, discuss the differences between mechanical disks (HDD) vs integrated-circuit based disks (SSD) from a media analysis perspective.

Bonus: network and/or memory analysis. For network analysis you could do a file carving example from HTTP plus the structure of TCP/IP; for memory, show the executive structures and their value. The key would be to use really small samples, like 128MB.

In my opinion this would allow the students enough of a foundation to go explore on their own after the class. I do not think you have to go deep to give a good basis for each of the areas mentioned above.

The reason I recommended that: a challenge I faced as a student was that we used commercial tools that were expensive, and we didn't really learn data structures, we learned tools. I personally think this is a backwards way to bring young students into our career field.

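The post above suggests teaching MBR partition analysis and FAT12 file system structure with xxd and dd rather than with a commercial tool. The following is an added example written for this thread, not code from the forum or from any of the posters: a short Python parser for the MBR partition table and the FAT12/FAT16 BIOS Parameter Block, which reports the byte offsets a student would then hand to dd or xxd, plus the sanity checks an examiner wants before trusting a partition table (entries that overlap or run past the end of the image, unusual status bytes). The disk image it walks is constructed in code (one bootable FAT12 partition at LBA 63 whose boot record carries the classic 1.44 MB floppy geometry); the image is deliberately truncated just after that boot record, so the partition's declared size exceeds the image and exercises the bounds check. Type codes and field offsets are the published MBR and FAT layouts; everything else is an assumption of this example.

```python
"""Added example (not from the forum thread): a minimal MBR partition table and
FAT12/FAT16 BIOS Parameter Block parser. The image below is constructed, not captured."""
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
# Small subset of MBR partition type codes, enough for the constructed sample.
PARTITION_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32M", 0x06: "FAT16", 0x07: "NTFS/exFAT",
                   0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux"}


def parse_mbr(sector0: bytes) -> list:
    """Return the in-use entries of the four-slot partition table at offset 446.
    Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sectors(4 LE)."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector0, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "slot": i, "bootable": status == 0x80, "status": status,
            "type": ptype, "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start, "sectors": sectors,
            # offset to hand to `dd skip=<lba_start>` (512-byte units) or `xxd -s <byte_offset>`
            "byte_offset": lba_start * SECTOR,
        })
    return parts


def partition_warnings(parts: list, image_sectors: int) -> list:
    """Checks an examiner wants before trusting the table: entries running past the image,
    entries overlapping each other, or a status byte that is neither 0x00 nor 0x80."""
    warnings = []
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            warnings.append(f"slot {p['slot']}: unusual status byte 0x{p['status']:02x}")
        if p["lba_start"] + p["sectors"] > image_sectors:
            warnings.append(f"slot {p['slot']}: extends beyond end of image")
    for a in parts:
        for b in parts:
            if a["slot"] < b["slot"] and a["lba_start"] < b["lba_start"] + b["sectors"] \
                    and b["lba_start"] < a["lba_start"] + a["sectors"]:
                warnings.append(f"slots {a['slot']} and {b['slot']} overlap")
    return warnings


def parse_fat_bpb(vbr: bytes) -> dict:
    """Parse the BIOS Parameter Block of a FAT12/FAT16 volume boot record and derive where
    the FATs, the root directory and the data area start (sector numbers relative to the VBR)."""
    if vbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("volume boot record lacks the 0x55AA signature")
    (bytes_per_sector, sectors_per_cluster, reserved, num_fats,
     root_entries, total16, media, sectors_per_fat) = struct.unpack_from("<HBHBHHBH", vbr, 11)
    total_sectors = total16 or struct.unpack_from("<I", vbr, 32)[0]  # 32-bit count if the 16-bit one is 0
    root_dir_start = reserved + num_fats * sectors_per_fat
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    data_start = root_dir_start + root_dir_sectors
    clusters = (total_sectors - data_start) // sectors_per_cluster
    # FAT type is decided by cluster count, not by the label string in the boot sector.
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"oem": vbr[3:11].decode("ascii", "replace").rstrip(),
            "bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "media": media, "fat_start": reserved, "root_dir_start": root_dir_start,
            "data_start": data_start, "clusters": clusters, "fat_type": fat_type}


def build_sample_image() -> bytes:
    """Constructed 64-sector image: MBR with one bootable FAT12 partition at LBA 63 whose VBR
    carries the classic 1.44 MB floppy geometry. The image stops right after that VBR."""
    img = bytearray(64 * SECTOR)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x01, b"\xfe\xff\xff", 63, 2880)
    img[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    img[510:512] = BOOT_SIGNATURE
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x3c\x90"          # jump instruction
    vbr[3:11] = b"MSWIN4.1"             # OEM name
    struct.pack_into("<HBHBHHBH", vbr, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    vbr[510:512] = BOOT_SIGNATURE
    img[63 * SECTOR:64 * SECTOR] = vbr
    return bytes(img)


def analyze_image(img: bytes) -> dict:
    """Walk the MBR, then parse the BPB of each FAT-typed partition whose VBR is inside the image."""
    parts = parse_mbr(img[:SECTOR])
    for p in parts:
        off = p["byte_offset"]
        if p["type"] in (0x01, 0x04, 0x06) and off + SECTOR <= len(img):
            p["bpb"] = parse_fat_bpb(img[off:off + SECTOR])
    return {"partitions": parts, "warnings": partition_warnings(parts, len(img) // SECTOR)}


if __name__ == "__main__":
    result = analyze_image(build_sample_image())
    for p in result["partitions"]:
        print(p)
    print("warnings:", result["warnings"])
```

The numbers the parser derives for the constructed boot record (FAT at sector 1, root directory at sector 19, data area at sector 33) are the same ones a student can confirm by hand from an xxd dump of the same sector, which is the point of teaching the structure before the tool.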
(@sburgess)
Active Member
Joined: 17 years ago
Posts: 5
Topic starter  

Great suggestions, all. Forensics for Dummies is a great idea!
Please keep them coming. These are all welcome suggestions.