People often OVERestimate forensic capabilities  

Page 1 / 2
wotsits
(@wotsits)
Active Member

Something I have seen more the longer I spend around this industry is that non-forensics people (lawyers, police, armchair experts, etc.) continue to overestimate the capabilities and reach of computer forensics.

I often hear things along the lines of, 'they can get everything you've ever done on that device', 'anything that's been deleted can always be recovered', 'whatever it is they'll be able to break into it'.

Of course none of these statements can be applied broadly, and how much they are applicable varies greatly between cases from somewhat true to totally inapplicable.

Capabilities are, if anything, diminishing as operating systems develop, with increased use of encryption, drives that use TRIM, improved security, and technology advances that far outpace forensics.

Our job is only to report on what we find in a forensically sound way. Yet when the reality simply doesn't match with some people's misconceptions I feel like they think we are not doing it properly.

Posted : 26/07/2017 9:56 pm
tootypeg
(@tootypeg)
Active Member

Yes. I agree on a lot of these points. Do you think we as a discipline are coming to an end though?

Posted : 26/07/2017 9:58 pm
wotsits
(@wotsits)
Active Member

I certainly think the capabilities are decreasing, for the reasons I mentioned above being just a few. A good example: a recent examination of a new MacBook yielded only what was surface level, meaning only files that a person had intended to leave there and recent browsing history. Deleted files, caches and the goldmine of evidence on Windows computers that is the registry file yielded almost nil. Clearly this requires less technical ability where you have what is effectively a storage device to sort through, and less of a job of the technicalities of where and how to search.

But as I also said, our job is simply to report on what we find and carry things out in a forensically sound way. If it's not there it simply can't be reported. But there will still be cases where evidence is present.

Posted : 26/07/2017 10:45 pm
tootypeg
(@tootypeg)
Active Member

I think we are heading in a direction that without some legal intervention, privacy measures are eventually going to effectively put everything out of reach.

Posted : 26/07/2017 11:05 pm
jhup
(@jhup)
Community Legend

At first glance, I thought this thread would be about how forensicators' heads got big and overconfident.

All industries have experts and paper experts; those who really know the subject and are able to deliver, and those who will appear in TV shows but really lack the fundamental understanding of what happens behind the "button" when it is pushed.

Posted : 26/07/2017 11:52 pm
jaclaz
(@jaclaz)
Community Legend

Something I have seen more the longer I spend around this industry is that non-forensics people (lawyers, police, armchair experts, etc.) continue to overestimate the capabilities and reach of computer forensics.

I often hear things along the lines of, 'they can get everything you've ever done on that device', 'anything that's been deleted can always be recovered', 'whatever it is they'll be able to break into it'.

Sure, but the phenomenon is not actually "news"; it is well known (and more or less the same for more than ten years), and it goes loosely under the name of "CSI effect"
https://en.wikipedia.org/wiki/CSI_effect
(not related only to digital forensics, but to forensic science in general).

The blame is not to be put "only" on TV shows, authorities worldwide (sometimes in good faith, i.e. tricked by snake oil sellers of this or that other nature) have used - often improperly - forensic science as a scarecrow or as a PR topic, and tribunals all over the world actually emitted sentences on the basis of - let's say at least debatable - miracles made possible by (supposed) advancements in forensic sciences.

jaclaz

Posted : 27/07/2017 12:42 am
RolfGutmann
(@rolfgutmann)
Community Legend

It's not about overestimation; it's more about another negative trend I hear and see more and more. With more and more digital devices like cars, smart home or any device getting shifted from analog to digital and IoT, the domain is getting bigger and bigger and complexity explodes. Case-related, there are more devices to be considered as evidence, and this for sure needs more in-lab resources and time consumption.

But - and this bothers me - official institutions do not understand a glance of what huge resources forensics needs. It's a loss of quality if there is more work but less time.

I really fear that nobody recognizes forensic misinterpretations, and false evidence grows, as there is the zenith of quality if nobody is above.

Who controls the experts? Who is a real expert? Who is the expert over experts?

It's true they overestimate our work - but I would reformulate: they completely do not understand it. Complex tech cannot be put into short generalization.

And personally: to remain humble is my #1 rule in life. No getting bigger and proud. NO.

Posted : 27/07/2017 12:46 am
RolfGutmann
(@rolfgutmann)
Community Legend

@jaclaz - only for once I fully agree with you -)

The CSI effect is global and omnipresent…

Posted : 27/07/2017 12:53 am
Randy_Randerson
(@randy_randerson)
New Member

Yes. I agree on a lot of these points. Do you think we as a discipline are coming to an end though?

Absolutely not. The issue is people need to evolve with the technology. I've seen it in so many old timers who still talk about even the XP days on a 250GB IDE drive. Or when they had to analyze their first 1TB drive and they had to spend $2k on another one to make a forensic image of it. Businesses will never fully remove laptops from their environment. Even if they tried to do it, the overhead it would cost (and length of time that would be needed to do a full Cloud implementation) would be much more expensive than on-prem housing of their own data.

And people will still have laptops/PCs. Your average CP person isn't going to trust Google or Apple to house their stash so they can view it on their nifty iPad or Surface Tablet. They'll want that stuff somewhere near and dear to them.

But the biggest issue is people are not moving with the times outside the typical White Collar/CP type case. Counter/Domestic Terrorism, Intelligence and other Criminal cases revolve around mobile devices. There are folks out there right now who are working these cases that cannot tell you the difference between an iCloud backup and an iTunes local backup of an iPhone. Why? Because Cellebrite won't go into detail in an owner's manual and the training they got was 3+ years ago before even iOS 8 was out and the biggest phone was 64GB.

There are still dozens of artifacts on mobile devices and even computers that can be analyzed for artifacts. Even SANS has recognized that and is starting to incorporate that aspect into FOR500 (formerly FOR408): that just because it isn't on a laptop doesn't mean it isn't on a phone, or vice versa. The issue is people don't want to look anywhere other than where they are trained to look…which is typically where a vendor tool is telling them to look, in a specific place only.

Posted : 27/07/2017 12:53 am
RolfGutmann
(@rolfgutmann)
Community Legend

Absolutely. That's the reason to DIY and code and not only trust in vendorware!

Posted : 27/07/2017 1:05 am
tracedf
(@tracedf)
Active Member

Absolutely. That's the reason to DIY and code and not only trust in vendorware!

I think it's impractical to DIY for everything but it's critical that you can when needed. One of my issues with several forensic products is that they don't say where artifacts came from. Many of them identify the app but not the actual location in the filesystem; I want to be able to explain exactly what we're looking at and, in some cases, to verify the results manually or export the correct file for analysis with a different tool.

-tracedf

Posted : 27/07/2017 2:19 am
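The point tracedf raises above (a tool that names the app but not the file it read, and results you cannot re-verify or export for a second tool) can be turned into a routine check. The following is an added example, not code from this thread or from any forensic product: it takes a constructed artifact export in CSV form (columns `artifact`, `app`, `source_path`, `sha256` are assumed for the sake of the example), resolves every reported path against a mounted image root, recomputes the SHA-256 and reports which rows trace cleanly to a real file, which hashes disagree with what the tool claimed, and which rows give no source location at all. The image directory and export are built in a temporary folder so it runs offline.

```python
"""Re-verify a forensic tool's artifact export against the mounted image.

Example code written for this thread, not a vendor's own export format.
Assumed export columns: artifact, app, source_path, sha256.
For each row we check that the reported path exists under the image root
and that a freshly computed SHA-256 matches the reported one, so every
artifact in the report can be traced to a concrete file that can be
exported for manual review or for a second tool.
"""
import csv
import hashlib
import io
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_export(export_csv: str, image_root: Path) -> dict:
    """Return {artifact: status} with status one of
    'ok', 'hash_mismatch', 'missing_path', 'no_source_path'."""
    root = image_root.resolve()
    results = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["artifact"]
        rel = (row.get("source_path") or "").strip()
        if not rel:
            # The tool attributed the artifact to an app but never said
            # where on disk it looked; nothing here can be re-verified.
            results[name] = "no_source_path"
            continue
        # Treat the reported path as image-relative and refuse anything
        # that resolves outside the mounted image root.
        target = (root / rel.lstrip("/")).resolve()
        try:
            target.relative_to(root)
        except ValueError:
            results[name] = "missing_path"
            continue
        if not target.is_file():
            results[name] = "missing_path"
            continue
        reported = (row.get("sha256") or "").strip().lower()
        results[name] = "ok" if sha256_of(target) == reported else "hash_mismatch"
    return results


def build_demo() -> dict:
    """Construct a tiny fake image and a matching export, then verify it.

    Paths, file contents and hashes below are all constructed for the demo.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hist = root / "Users" / "alice" / "Library" / "Safari" / "History.db"
        hist.parent.mkdir(parents=True)
        hist.write_bytes(b"constructed history database contents")
        plist = root / "Users" / "alice" / "Library" / "Preferences" / "com.example.app.plist"
        plist.parent.mkdir(parents=True)
        plist.write_bytes(b"constructed plist contents")
        good_hash = sha256_of(hist)
        export = (
            "artifact,app,source_path,sha256\n"
            f"Safari history,Safari,/Users/alice/Library/Safari/History.db,{good_hash}\n"
            f"App prefs,ExampleApp,/Users/alice/Library/Preferences/com.example.app.plist,{'0' * 64}\n"
            "Deleted cache,ExampleApp,/Users/alice/Library/Caches/example.cache,deadbeef\n"
            "Keychain entry,Keychain,,abc123\n"
        )
        return verify_export(export, root)


if __name__ == "__main__":
    for artifact, status in build_demo().items():
        print(f"{status:15} {artifact}")
```

Only the "ok" rows are ones an examiner can stand behind without further work; a "hash_mismatch" means the tool read something other than the file now at that path (or the path is wrong), and "no_source_path" rows are exactly the kind of output that cannot be explained in a report or handed to another tool.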
RolfGutmann
(@rolfgutmann)
Community Legend

Without training your DIY skills you will lose them. And to manually double-check is very crucial, as we as investigators have the burden of responsibility - nobody ever will blame the forensics suite.

But for folks way behind in tech, forensics suites lure them into 'just connect and get the report'. Formerly the process of collecting was more time-consuming, but also during this process the understanding of the case was growing. To master the tech but not understand the crime, I refuse.

Posted : 27/07/2017 2:32 am
tracedf
(@tracedf)
Active Member

Digital forensics is going to be done by AI in 5 years. Time to find a new job.

How is that going to hold up in court?

Posted : 27/07/2017 4:10 am
RolfGutmann
(@rolfgutmann)
Community Legend

No problem. Today the trust is in the report, the investigator's name and signature, not from interest. Machines are more accurate than humans, but you have to limit their capabilities to interpret.

The question is: where is a human better than a machine in forensics?

Posted : 27/07/2017 4:29 am
tracedf
(@tracedf)
Active Member

No problem. Today the trust is in the report, the investigator's name and signature, not from interest. Machines are more accurate than humans, but you have to limit their capabilities to interpret.

The question is: where is a human better than a machine in forensics?

Do you have an AI-based forensics suite I don't know about?

In the U.S., an expert has to qualify in court based on his/her credentials. We don't have any established law that would explain how to qualify a program to "testify".

The role of a forensic examiner/expert is not just to find artifacts but to explain them to law enforcement, attorneys, and eventually a courtroom/jury. A whiz-bang AI/ML-based forensics suite isn't going to do that.

AI could be useful in some circumstances. For example, we could train a program to estimate the age of a person in a photograph using photographs of people whose ages are known then apply that to photos of suspected child pornography where the age of the victim is not known.

I'm not worried about being replaced by AI.

-tracedf

Posted : 27/07/2017 5:21 am