People often OVERestimate forensic capabilities

24 Posts
11 Users
0 Likes
1,562 Views
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

Absolutely. That's the reason to DIY and code and not only trust in vendorware!

I think it's impractical to DIY for everything but it's critical that you can when needed. One of my issues with several forensic products is that they don't say where artifacts came from. Many of them identify the app but not the actual location in the filesystem; I want to be able to explain exactly what we're looking at and, in some cases, to verify the results manually or export the correct file for analysis with a different tool.

-tracedf

 
Posted : 27/07/2017 1:19 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Without training your DIY skills you will lose them. And manually double-checking is crucial, as we as investigators have the burden of responsibility - nobody ever will blame the forensics suite.

But for folks way behind in tech, forensics suites lure them into 'just connect and get the report'. Formerly the process of collecting was more time-consuming, but during this process the understanding of the case was also growing. To master the tech but not understand the crime, I refuse.

 
Posted : 27/07/2017 1:32 am
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

Digital forensics is going to be done by AI in 5 years. Time to find a new job.

How is that going to hold up in court?

 
Posted : 27/07/2017 3:10 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

No problem. Today the trust is in the report, the investigator's name and signature, not from interest. Machines are more accurate than humans, but you have to limit their capabilities to interpret.

The question is: where is a human better than a machine in forensics?

 
Posted : 27/07/2017 3:29 am
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

No problem. Today the trust is in the report, the investigator's name and signature, not from interest. Machines are more accurate than humans, but you have to limit their capabilities to interpret.

The question is: where is a human better than a machine in forensics?

Do you have an AI-based forensics suite I don't know about?

In the U.S., an expert has to qualify in court based on his/her credentials. We don't have any established law that would explain how to qualify a program to "testify".

The role of a forensic examiner/expert is not just to find artifacts but to explain them to law enforcement, attorneys, and eventually a courtroom/jury. A whiz-bang AI/ML-based forensics suite isn't going to do that.

AI could be useful in some circumstances. For example, we could train a program to estimate the age of a person in a photograph using photographs of people whose ages are known then apply that to photos of suspected child pornography where the age of the victim is not known.

I'm not worried about being replaced by AI.

-tracedf

 
Posted : 27/07/2017 4:21 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Digital forensics is going to be done by AI in 5 years. Time to find a new job.

How is that going to hold up in court?

The Judge will also be replaced by AI … wink

jaclaz

 
Posted : 27/07/2017 12:49 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Something I have seen more the longer I spend around this industry is that non-forensics people (lawyers, police, armchair experts, etc.) continue to overestimate the capabilities and reach of computer forensics.

I often hear things along the lines of, 'they can get everything you've ever done on that device', 'anything that's been deleted can always be recovered', 'whatever it is they'll be able to break into it'.

While I agree with the comments about the "CSI Effect", there is another phenomenon at play here. During Chris Pogue's interview with Douglas Brush (https://cybersecurityinterviews.com/001-chris-pogue-like-chihuahua-pork-chop/), Chris mentioned something that I see a great deal of with clients and sellers…that is, a very technical topic that isn't understood is reduced to an often-incorrect absolute.

Recovering contents of a deleted file once then becomes, "…forensics can recover everything, always…" because the conditions are too technical and difficult for most folks not actively involved in DFIR work to remember.

There's also an aspect that is faced more so in consulting, and that's the effect a seller has on client interpretation and understanding. For example, I once worked in a building that had showers available, and 3 days a week, I'd run a 7-mile course. A seller introduced me to a client, saying that I ran "30 miles a day". How's the client to know any different?

Capabilities are, if anything, diminishing as operating systems develop, with increased use of encryption, drives that use TRIM, and improved security and technology advances that far outpace forensics.

Capabilities of whom or what? I've found that as operating systems develop, more and more artifacts are automatically generated, to the point where your general DFIR analyst isn't able to keep up. Artifacts are misinterpreted, or simply missed ("uhm…did you think to look at X?"), in part because there are so many of them. As such, an over-reliance on automatic tools becomes the norm.

IMHO, what's happening is that our laziness is catching up with us. The vast majority of the DFIR community is completely passive, with their primary involvement being downloading tools and clicking "Like" or "retweet". If more folks documented and shared their findings, and got involved, the efforts of the community would keep pace with technology advances.

 
Posted : 27/07/2017 5:40 pm
(@tootypeg)
Posts: 173
Estimable Member
 

Something I have seen more the longer I spend around this industry is that non-forensics people (lawyers, police, armchair experts, etc.) continue to overestimate the capabilities and reach of computer forensics.

I often hear things along the lines of, 'they can get everything you've ever done on that device', 'anything that's been deleted can always be recovered', 'whatever it is they'll be able to break into it'.

While I agree with the comments about the "CSI Effect", there is another phenomenon at play here. During Chris Pogue's interview with Douglas Brush (https://cybersecurityinterviews.com/001-chris-pogue-like-chihuahua-pork-chop/), Chris mentioned something that I see a great deal of with clients and sellers…that is, a very technical topic that isn't understood is reduced to an often-incorrect absolute.

Recovering contents of a deleted file once then becomes, "…forensics can recover everything, always…" because the conditions are too technical and difficult for most folks not actively involved in DFIR work to remember.

There's also an aspect that is faced more so in consulting, and that's the effect a seller has on client interpretation and understanding. For example, I once worked in a building that had showers available, and 3 days a week, I'd run a 7-mile course. A seller introduced me to a client, saying that I ran "30 miles a day". How's the client to know any different?

Capabilities are, if anything, diminishing as operating systems develop, with increased use of encryption, drives that use TRIM, and improved security and technology advances that far outpace forensics.

Capabilities of whom or what? I've found that as operating systems develop, more and more artifacts are automatically generated, to the point where your general DFIR analyst isn't able to keep up. Artifacts are misinterpreted, or simply missed ("uhm…did you think to look at X?"), in part because there are so many of them. As such, an over-reliance on automatic tools becomes the norm.

IMHO, what's happening is that our laziness is catching up with us. The vast majority of the DFIR community is completely passive, with their primary involvement being downloading tools and clicking "Like" or "retweet". If more folks documented and shared their findings, and got involved, the efforts of the community would keep pace with technology advances.

Really interesting point regarding OS artifacts. Do you think there are any Windows (for example) artifacts that we (DF) currently do not understand?

 
Posted : 27/07/2017 6:54 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Really interesting point regarding OS artifacts. Do you think there are any Windows (for example) artifacts that we (DF) currently do not understand?

Most definitely. In fact, there are a great many artifacts that go misinterpreted pretty regularly. The sad part is that most of them are misinterpreted due to the fact that (a) they're not understood, and (b) they're very often viewed in isolation.

Too many times, DFIR analysts will look at artifacts in isolation from each other, even though they're from the same system. Viewing Windows Event Log records, for example, from one log file at a time does not constitute "system analysis" and very often leads to the bigger picture being missed.

AppCompatCache is still wildly misunderstood…I just had a discussion about that yesterday with someone. The time stamp associated with the data is the file system last modification time, derived from the $STANDARD_INFORMATION attribute within the MFT record. It is NOT the execution time of the application.

 
Posted : 28/07/2017 4:45 pm
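As an added illustration of the AppCompatCache point above (example code written for this page, not keydet89's code and not taken from any forensic tool): the script builds a small synthetic cache blob in the Windows 10 per-entry layout as assumed here (a "10ts" signature, an unknown DWORD, the body length, then a UTF-16LE path, a FILETIME and a data length), parses it back, and cross-checks the only timestamp each entry carries against a constructed table of $STANDARD_INFORMATION modification times. The paths, timestamps, header size and the $SI table are all constructed; nothing in the entry layout records an execution time, which is exactly why the parser labels the field last_modified.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_MAGIC = b"10ts"   # per-entry signature in the Windows 10 layout assumed here
HEADER_SIZE = 0x34      # assumed header length before the first entry


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used only to construct the sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_entry(path: str, last_modified: datetime) -> bytes:
    """Build one synthetic entry: magic, 4 unknown bytes, body length, then
    path length (uint16), UTF-16LE path, FILETIME, data length (uint32), data.
    Note there is no field for 'time of execution' anywhere in the entry."""
    path_bytes = path.encode("utf-16-le")
    body = struct.pack("<H", len(path_bytes)) + path_bytes
    body += struct.pack("<Q", datetime_to_filetime(last_modified))
    body += struct.pack("<I", 0)            # no trailing data in the sample
    return ENTRY_MAGIC + struct.pack("<I", 0) + struct.pack("<I", len(body)) + body


def parse_cache(blob: bytes) -> list:
    """Walk the entries after the header and return path + last_modified.
    The timestamp is the file's $SI modification time when the cache was
    written; it is deliberately NOT named 'executed'."""
    entries = []
    offset = HEADER_SIZE
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == ENTRY_MAGIC:
        body_len = struct.unpack_from("<I", blob, offset + 8)[0]
        pos = offset + 12
        path_len = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        path = blob[pos:pos + path_len].decode("utf-16-le")
        pos += path_len
        ft = struct.unpack_from("<Q", blob, pos)[0]
        entries.append({"path": path, "last_modified": filetime_to_datetime(ft)})
        offset += 12 + body_len
    return entries


def reconcile(entries: list, si_mtimes: dict) -> list:
    """Compare each cache timestamp with the $STANDARD_INFORMATION M time
    taken from an MFT snapshot (constructed dict keyed by lower-cased path),
    so the analyst sees the two artifacts together rather than in isolation."""
    report = []
    for e in entries:
        si = si_mtimes.get(e["path"].lower())
        if si is None:
            status = "file not found in MFT snapshot"
        elif si == e["last_modified"]:
            status = "cache timestamp equals $SI modification time"
        elif si > e["last_modified"]:
            status = "file modified on disk after cache entry was recorded"
        else:
            status = "cache timestamp newer than $SI modification time; investigate"
        report.append({"path": e["path"], "status": status})
    return report


# Constructed sample: two entries and a constructed $SI table. The second
# file's $SI M time is a month later than its cache timestamp, i.e. the
# binary on disk changed after the cache entry was written.
T1 = datetime(2017, 3, 14, 9, 30, tzinfo=timezone.utc)
T2 = datetime(2016, 11, 2, 18, 0, tzinfo=timezone.utc)
SAMPLE_BLOB = (
    bytes(HEADER_SIZE)
    + build_entry(r"C:\Windows\System32\notepad.exe", T1)
    + build_entry(r"C:\Users\alice\Downloads\tool.exe", T2)
)
SAMPLE_SI_MTIMES = {
    r"c:\windows\system32\notepad.exe": T1,
    r"c:\users\alice\downloads\tool.exe": T2 + timedelta(days=30),
}

if __name__ == "__main__":
    for row in reconcile(parse_cache(SAMPLE_BLOB), SAMPLE_SI_MTIMES):
        print(f'{row["path"]}: {row["status"]}')
```

The reconcile step is the part worth keeping in a real workflow: on its own the cache tells you a path was present with a given $SI modification time, and only by putting it next to the MFT record (and, for execution evidence, next to other artifacts) can you say anything more.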
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

The "CSI effect" has been slightly combated by the CSI authors themselves; in one episode they started working on something and mentioned that "well, this is gonna take a few hours but you don't see all that work on TV forensic shows".

Sometimes it can be one's own fault: when you do stumble onto something (i.e. a careless user) that may make you look like you have "magical hands", you may want to mention that it was sheer luck (pun intended) so the recipient of the report does not expect it to be this easy in the future.

 
Posted : 29/07/2017 3:08 am