The End of Digital Forensics?  

Page 1 / 3
Jamie
(@jamie)
Community Legend

The End of Digital Forensics?

by Craig Ball

When Microsoft introduced its Encrypting File System (EFS) in Windows 2000, the Cassandras of computer forensics peppered the listserves with predictions that the days of digital forensics were numbered. Ten years on and hundreds of systems acquired, I’ve yet to handle a case stymied by encryption—and 90% of my acquisitions were corporate machines, many with TPMs and fingerprint readers. Voluntary encryption turned out to be no encryption at all.

The next sky falling threats to forensics were privacy tools and features. “Surely,” our Chicken Littles clucked, “everyone will run free tools that routinely wipe unallocated clusters and securely delete data!” Turns out, they only run the antiforensic tools right before the examiner arrives, and most such tools do a lousy job covering their tracks…


Please use this thread for discussion of Craig's latest column.

Posted : 28/03/2011 3:49 pm
miket065
(@miket065)
Active Member

I find that through a combination of larger data sets and outdated equipment (due to current budget constraints), I spend a lot more time watching sands through the hour glass.

Posted : 28/03/2011 5:23 pm
pragmatopian
(@pragmatopian)
Active Member

I share Craig's pain at the ever-increasing storage capacity. I'll direct my comments to the end-user devices that we still encounter and physically acquire most frequently; clearly, somewhat different considerations apply to an enterprise's server-based or cloud-based storage.

In absolute terms, acquisition speeds are much higher than they were in the 1990s (acquiring to CD-Rs from creaky old PATA disks isn't something I'd wish on my worst enemy!). However, typical transfer speeds have stagnated in the last few years, whereas typical capacities have continued to increase substantially. Couple this with the fact that most of that additional capacity is unused, and the net result is that acquisitions take more time for little to no appreciable increase in the volume or value of results obtained from the client's perspective.

As CF practitioners we have little influence over the storage devices and transfer interfaces that manufacturers provide, so we've got to do what we can with the stuff that is available. We've also got to accept that, in certain circumstances, full physical acquisitions simply aren't a practical or necessary solution in accomplishing the client's objectives in a case; those who won't provide their clients with alternatives can expect to be sidelined by those who will.

Posted : 28/03/2011 6:25 pm
Hwallbanger
(@hwallbanger)
Junior Member

I understand the points made previously and I agree about their impact, BUT I believe that the coming change in storage technology from magnetic hard drives to Solid State Drives will have more of an immediate impact upon this change and NEED for change. To quote a published article from the JDFSL titled "Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?":

"Digital evidence is increasingly relied upon in computer forensic examinations and legal proceedings in the modern courtroom. … a paradigm shift has taken place in technology storage and complex, transistor-based devices for primary storage are now increasingly common. Most people are aware of the transition from portable magnetic floppy discs to portable USB transistor flash devices, yet the transition from magnetic hard drives to solid-state drives inside modern computers has so far attracted very little attention from the research community.

… potentially reckless to rely on existing evidence collection processes and procedures, and we demonstrate that conventional assumptions about the behaviour of storage media are no longer valid. In particular, we demonstrate that modern storage devices can operate under their own volition in the absence of computer instructions. Such operations are highly destructive of traditionally recoverable data. This can contaminate evidence; can obfuscate and make validation of digital evidence reports difficult; can complicate the process of live and dead analysis recovery; and can complicate and frustrate the post recovery forensic analysis. "

Here is the link to this article:

http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf

AND a supportive article:

https://www.infosecisland.com/blogview/12375-Solid-State-Disk-Behavior-Underlying-Digital-Forensics.html

I also believe that the research community is either denying or ignoring how these devices work (which this report proves otherwise).

I have been told by a researcher that, since these types of devices use controller techniques similar to those of magnetic hard drives, existing tools would work fine with these devices. I have found this report helpful in confirming what my gut was saying: NOT True.

I also believe that good evidence tools are just that to the investigator a tool, and that it is the investigator that makes sense from what he/she finds. It seems that there is pressure to rely on automation more and more due to the volumes that need to be searched.

Well, that is my addition to this discussion.

Posted : 28/03/2011 9:56 pm
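The quoted paper's concern is that an SSD can change its own contents between reads. One practical check an examiner can run, added here as an illustration and not code from the post, the paper or this site, is to acquire the device twice in a row and hash both images chunk by chunk: any drift localises the self-modification, and chunks that were non-zero in the first pass and all-zero in the second are the pattern one would expect from the controller reclaiming released blocks. The 4 KiB chunk size and the sample "device" are constructed assumptions.

```python
import hashlib

CHUNK = 4096  # comparison granularity; an assumption, not a flash-page size from the paper

def chunk_hashes(image: bytes, chunk_size: int = CHUNK):
    """Return [(offset, sha256_hex, is_all_zero)] for each fixed-size chunk of an image."""
    result = []
    for off in range(0, len(image), chunk_size):
        chunk = image[off:off + chunk_size]
        result.append((off, hashlib.sha256(chunk).hexdigest(), chunk.count(0) == len(chunk)))
    return result

def compare_acquisitions(first: bytes, second: bytes, chunk_size: int = CHUNK) -> dict:
    """Compare two back-to-back acquisitions of the same device.

    The host wrote nothing between the two reads, so any mismatch means the
    device changed on its own. Chunks that were non-zero in the first image
    and all-zero in the second are reported separately: that is the signature
    one expects when previously recoverable data is reclaimed by the controller.
    """
    if len(first) != len(second):
        raise ValueError("acquisitions differ in length; cannot compare chunk by chunk")
    changed, zeroed = [], []
    for (off, h1, z1), (_, h2, z2) in zip(chunk_hashes(first, chunk_size),
                                          chunk_hashes(second, chunk_size)):
        if h1 != h2:
            changed.append(off)
            if z2 and not z1:
                zeroed.append(off)
    return {
        "whole_image_match": hashlib.sha256(first).digest() == hashlib.sha256(second).digest(),
        "changed_chunks": changed,
        "zeroed_chunks": zeroed,
    }

def constructed_sample(chunk_size: int = CHUNK):
    """Constructed four-chunk 'device': boot area, live file, deleted-but-present file, free space."""
    boot = b"BOOT".ljust(chunk_size, b"\x00")
    live = (b"live document " * chunk_size)[:chunk_size]
    deleted = (b"deleted but recoverable " * chunk_size)[:chunk_size]
    free = b"\x00" * chunk_size
    first = boot + live + deleted + free
    # Second pass: the controller has reclaimed the deleted file's blocks; they now read as zeros.
    second = boot + live + free + free
    return first, second

if __name__ == "__main__":
    for key, value in compare_acquisitions(*constructed_sample()).items():
        print(f"{key}: {value}")
```

On real images, read both files in chunks rather than loading them whole; the comparison logic is unchanged.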
pbobby
(@pbobby)
Active Member

Pricing models for forensic consultants/shops/experts need to change to something that relies less on storage capacity processed and more on a results-oriented or flat pricing model.

Posted : 29/03/2011 3:26 am
rjpear
(@rjpear)
Member

I guess we said the same when the Megabyte drives jumped to Gigabyte drives. The tools and techniques changed from such things as parallel port acquisitions to SATA write blockers or dedicated drive imagers. And the software has gone from Disk Edit and manual recovery to EnCase/FTK et al.

I assume the tool manufacturers will adjust to what the community needs and come up with something to make the job "doable".

I hope..

Posted : 29/03/2011 6:53 pm
gkelley
(@gkelley)
Active Member

Sure, data sizes have increased, but so have processing capabilities, with faster CPUs and faster hard drives. 64-bit is also becoming more and more popular.

I think that this article, though, is an extension of "the sky is falling" scenario that Craig mentioned at the beginning of the article. The industry continues to work smarter, not longer. Use the power of your examination computer to weed through all of the 0s and present the information that, from your previous experience, is relevant.

Posted : 29/03/2011 7:22 pm
armresl
(@armresl)
Senior Member

Two things to add:

1) eSATA
2) USB 3

Both are proving to greatly decrease the time in a location.

Posted : 29/03/2011 10:18 pm
Hwallbanger
(@hwallbanger)
Junior Member

It is apparent to me that "rjpear's" and "gkelley's" comments do not take into consideration the presented articles within the above message, and that these supportive articles present a technology shift with the use of Solid State Drives. I am trying to add to the scope of this discussion thread.

You are seeing these drives being used wherever performance within a system is of great concern. They are being used to help speed up Vista and Win 7 systems and also to help with gaming system performance. They have been used within enterprise SANs, too. We will probably see their usage grow with the advent of Cloud interests due to performance issues also.

Rjpear says,

"I guess we said the same when the Megabyte drives jumped to Gigabyte drives."

BUT if you had read the quote from the message and also reviewed the supplied articles, you would see that he is truly guessing and Not commenting on the presented information. Megabyte drives are still using the same Hard Drive Technology. How is this the same as my added information about SSDs with NO Moving Parts and differing internal process technology? These drives are still NOT into Terabyte sizes, YET. This seems to be what he is NOT talking about.

gkelley's statement,

"that this article, though, is an extension of "the sky is falling" scenario …"

This statement should actually be directed to how this Threaded Discussion started.

I am presenting information on how the underlying technology of the storage industry is changing, in which the same Forensic tools can NOT reliably be used (as presented in the included article's experimentation).

rjpear says,

"I assume the tool manufacturers will adjust to what the community needs and come up with something to make the job "doable".

I hope.."

If you read the included articles and then follow these changes you will see that standards will need to be applied to this technology's coming shift. I do not foresee this immediate need happening in the near term.

The issues presented regarding the growth of storage size and inspection time to gather evidence will still be in play, but the largest difference that I see is the changing underlying technology that CF relies upon in investigating for evidence.

I hope that this helps to bring the presented information into the open and not just skipped over and ignored. I thank the readers for their patience in presenting this new research and information.

Posted : 30/03/2011 12:20 am
gkelley
(@gkelley)
Active Member

It is apparent to me that "rjpear's" and "gkelley's" comments do not take into consideration the presented articles within the above message, and that these supportive articles present a technology shift with the use of Solid State Drives. I am trying to add to the scope of this discussion thread.

gkelley's statement,

"that this article, though, is an extension of "the sky is falling" scenario …"

This statement should actually be directed to how this Threaded Discussion started.

I didn't realize that the thread was hijacked into a discussion about solid state drives. I was commenting on Craig Ball's article which is the stated purpose of this thread according to the moderator.

Posted : 30/03/2011 12:29 am
Hwallbanger
(@hwallbanger)
Junior Member

Mr. Kelley, I am not trying to hijack anything.

Like on any other board or listserve on the Net, I am trying to add to the discussion about the END Of Digital Forensics. This is the topic title. If this information is not considered part of the same discussion and within the known rules, then it is MY BAD and I respectfully request the members' understanding and offer my apologies. I was unaware.

Posted : 30/03/2011 12:49 am
armresl
(@armresl)
Senior Member

Did Craig's original article feature different font colors and sizes?

BTW, the various colors and making your words bigger for emphasis is not really professional. Go through most all other posts and look for someone else posting things like that; you won't find it.

It is apparent to me that "rjpear's" and "gkelley's" comments do not take into consideration the presented articles within the above message, and that these supportive articles present a technology shift with the use of Solid State Drives. I am trying to add to the scope of this discussion thread.

You are seeing these drives being used wherever performance within a system is of great concern. They are being used to help speed up Vista and Win 7 systems and also to help with gaming system performance. They have been used within enterprise SANs, too. We will probably see their usage grow with the advent of Cloud interests due to performance issues also.

Rjpear says,

"I guess we said the same when the Megabyte drives jumped to Gigabyte drives."

BUT if you had read the quote from the message and also reviewed the supplied articles, you would see that he is truly guessing and Not commenting on the presented information. Megabyte drives are still using the same Hard Drive Technology. How is this the same as my added information about SSDs with NO Moving Parts and differing internal process technology? These drives are still NOT into Terabyte sizes, YET. This seems to be what he is NOT talking about.

gkelley's statement,

"that this article, though, is an extension of "the sky is falling" scenario …"

This statement should actually be directed to how this Threaded Discussion started.

I am presenting information on how the underlying technology of the storage industry is changing, in which the same Forensic tools can NOT reliably be used (as presented in the included article's experimentation).

rjpear says,

"I assume the tool manufacturers will adjust to what the community needs and come up with something to make the job "doable".

I hope.."

If you read the included articles and then follow these changes you will see that standards will need to be applied to this technology's coming shift. I do not foresee this immediate need happening in the near term.

The issues presented regarding the growth of storage size and inspection time to gather evidence will still be in play, but the largest difference that I see is the changing underlying technology that CF relies upon in investigating for evidence.

I hope that this helps to bring the presented information into the open and not just skipped over and ignored. I thank the readers for their patience in presenting this new research and information.

Posted : 30/03/2011 1:26 am
redcat
(@redcat)
Active Member

Dragging the discussion back to the article just for a moment if I may…

the now-struggling e-discovery service providers who were profitable only while gouging customers

Nail, meet head. This last paragraph particularly resonates with my experiences…

Posted : 30/03/2011 3:24 pm
jhup
(@jhup)
Community Legend

Hmm… as others have implied, forensics is not just imaging. Collection, culling, deduplication, reviews, correlation, and even a lack of information still require forensics.

It is disheartening to hear an attorney suggesting that e-discovery (the collection of visible, and readily available data) is the future of forensics, when there is ample evidence to the contrary.

Yes, many will give up at e-D. (It is the fattest cow and everyone wants a steak!) I venture to say the ones that hop on FF and ask "how do I…", when the answer is readily available will be the ones who become e-D wizards, sages and gurus - often touted by the industry vendors.

I also think that the speed issue is a canard. Just as size of drives increase, so does speed of systems, and 'quantity of systems' increase, in my opinion. Does anyone remember how long it took to image a Seagate ST-225?

The rest of us, who do not jump to eD permanently, will find a niche in reviewing surface-mount memory chips, correlating logs, recognizing artifacts (despite self-destruction), plotting relationship charts, tracking missing data and so on . . .

Posted : 30/03/2011 8:31 pm
BattleSpeed
(@battlespeed)
Junior Member

Not sure how much comfort we can take in the increasing use of hand-held and other small form-factor devices (with the implication of storage limitations).

The 64-GB iPhone is already a reality, and I think we can all guess where it's going from there. In a few years, you'll have a TB of storage in some format that will be the size of a grain of rice, requiring a nanowatt of power.

http://www.9to5mac.com/54940/that-64gb-iphone-is-real-and-could-be-a-sign-of-whats-to-come/

Posted : 31/03/2011 2:10 pm