Monday, June 8, 2009

Is Digital Forensics a Science?

I was reading a well thought out post by Michael Cloppert over at SANS, titled "Is Digital Forensics a Science?"

Interestingly enough, Gary C. Kessler raised the same question and doubts during his presentation at Techno Security in Myrtle Beach last week.

I must respectfully disagree with both of them on several points.

Michael and Gary both asked the right underlying question: "Is computer science a science?" If computer science is not a science, then the question of whether digital forensics is one is moot, and there is little point in further debate on the subject.

However, forensic science does not, per se, need to meet the requirements of the classical sciences.

First of all, let's deal with the domains of the classical sciences. There are the meta-sciences, such as mathematics and philosophy, and the natural sciences. Then there are the engineering disciplines.

The answer according to Juraj Hromkovič, in his book "Theoretical Computer Science", published by Springer, is that computer science is an independent science because it draws on all three domains: the meta-sciences, the natural sciences and engineering.

His definition of computer science is: "Computer science is the science of algorithmic processing, representation, storage and transmission of information."

The emphasis is on algorithmic processing and information.

While the meta-sciences such as mathematics and philosophy study determinism, randomness, truth, knowledge and simulation, the natural sciences investigate concrete processes and objects through observation and experimentation, using hypothesized models to determine what is possible and what is not.

It is the boundary between what is possible to solve and what is impossible to solve that qualifies computer science as a science. Juraj asks the important question: "Are there well-defined problems that cannot be solved automatically (by a computer, regardless of the processing power of contemporary or futuristic ones)?" According to Juraj, the answer to this question is yes; the halting problem is the classic example of such a problem.

Moving on to the definition of forensic science, here is how the American Academy of Forensic Sciences defines it:

"What is Forensic Science?

The word forensic comes from the Latin word forensis: public; to the forum or public discussion; argumentative, rhetorical, belonging to debate or discussion. From there it is a small step to the modern definition of forensic as belonging to, used in or suitable to courts of judicature, or to public discussion or debate. Forensic science is science used in public, in a court or in the justice system. Any science, used for the purposes of the law, is a forensic science." (American Academy of Forensic Sciences)

With those two definitions in hand, both questions would seem to be settled: computer science is a science, and digital forensics is computer science used in public, in a court or in the justice system. I could easily end here, satisfied that I had answered the original question to my satisfaction. But where would the fun be in that?

Instead, I would like to address some of the very interesting questions raised by Michael Cloppert in his SANS post.

Before I do that, I want to make a point about the difference between a pathologist and a forensic pathologist. Pathology is a specialty within the greater body of medical science and involves determining the natural causes of death and disease. Forensic pathology requires additional training in the determination of unnatural causes of death.

In my way of thinking, digital forensics works in much the same way: it requires additional training to recover and analyze digital data for the purpose of determining the presence or absence of evidence for use in a legal proceeding.

Michael raises the point that immutable natural laws are a defining feature when one considers whether a field is a science. I have to point out that biology suffers greatly from the lack of such laws and is still considered a science.

When you look at computers, I would argue that we do have some immutable laws: no matter how much we might want to change them, they cannot be changed.

Since I am making up the list, I get to name them after me. So here we go with Daniel's Laws of Digital Forensics:

1. Any amount of unmodified data will always produce the same hash value, independent of its source. (This assumes the hashing tool is accurate, that the source medium is not failing, etc.)
2. All data transfer is subject to Shannon's law.
3. No computing machine can act on its own without human intervention. (No piece of computational hardware works without input from a human programmer first, even if it is electromechanical.)
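The first law, and its caveat, is the one an examiner actually exercises every day: the hash of an acquired image is compared with the hash of the original medium, and the only reason to trust that comparison is that the hashing tool itself has been checked against a known answer. The following is an added example, not code from the original post; it hashes the same constructed byte string from three different "sources" (an in-memory buffer, a file read in chunks of two different sizes, and a memoryview over a bytearray), shows that a single flipped bit changes the digest, and checks the tool against the published SHA-256 test vector for "abc". The sample image and the names make_sample_image, verify_acquisition and hashing_tool_is_sane are this example's own inventions.

```python
"""Added example (not part of the original post): Law 1 in practice.

The 'disk image' below is constructed, deterministic filler, not real
evidence. Function and variable names are this example's own.
"""
import hashlib
import os
import tempfile

# Published FIPS 180-4 SHA-256 test vector for the ASCII string "abc".
KNOWN_ANSWER_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def make_sample_image(size: int = 64 * 1024) -> bytes:
    # Deterministic pseudo-random content so the example is reproducible offline.
    return bytes((i * 7919 + 13) % 256 for i in range(size))


def sha256_of_bytes(data: bytes) -> str:
    # Source 1: the whole buffer hashed in one call.
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 4096) -> str:
    # Source 2: streaming read, the way a tool hashes an image too large for memory.
    # The chunk size must not affect the result; the test below checks two sizes.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_of_view(buf: bytearray) -> str:
    # Source 3: a zero-copy view over a mutable buffer, as if hashing live memory.
    return hashlib.sha256(memoryview(buf)).hexdigest()


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    # Simulate the smallest possible modification: one bit, anywhere.
    mutated = bytearray(data)
    mutated[byte_index] ^= 1 << bit
    return bytes(mutated)


def hashing_tool_is_sane() -> bool:
    # The caveat in Law 1: verify the tool against a known answer before trusting it.
    return sha256_of_bytes(b"abc") == KNOWN_ANSWER_ABC


def verify_acquisition(original: bytes, image_path: str) -> bool:
    # The check run after imaging: digest of the source equals digest of the copy.
    return sha256_of_bytes(original) == sha256_of_file(image_path)


def demo() -> dict:
    image = make_sample_image()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.dd")
        with open(path, "wb") as f:
            f.write(image)
        from_buffer = sha256_of_bytes(image)
        from_file_small = sha256_of_file(path, chunk_size=512)
        from_file_large = sha256_of_file(path, chunk_size=1 << 20)
        from_view = sha256_of_view(bytearray(image))
        verified = verify_acquisition(image, path)
    tampered = flip_bit(image, byte_index=len(image) // 2, bit=0)
    return {
        "tool_sane": hashing_tool_is_sane(),
        "all_sources_agree": len({from_buffer, from_file_small, from_file_large, from_view}) == 1,
        "acquisition_verified": verified,
        "tampered_matches": sha256_of_bytes(tampered) == from_buffer,
        "digest": from_buffer,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it reports that the tool passes its known-answer test, that all three sources agree on one digest, that the acquisition verifies, and that the one-bit change does not match. The known-answer test is the part most often skipped in practice; a hashing tool that silently truncates or misreads a sector would still produce "a hash", just not the right one, and the source-versus-image comparison would then prove nothing.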

I thought Michael's post was both entertaining and informative. But as one of the "reasonable nerds", I do have to disagree.

I also need to point out that many of the accepted forensic sciences are not in fact real science, because they do not meet the definition of any of the scientific domains. At the end of the day, many attorneys will tell you that forensic science is whatever the judge allows into evidence.

Here are some of the forensic sciences that, in my mind, do not meet the requirements to be real science: tool marks, shoe prints, ear prints, lip prints, fingerprints, handwriting analysis, lie detection, bite mark analysis, and many more.

To fully understand how the legal system views forensics, it is important to know that it depends on a legal definition of scientific evidence, not an academic one.

The legal system in the USA uses the Daubert or Frye test for the admissibility of scientific evidence, and that ruling is made by a judge in each case where such evidence is challenged. (Frye asks whether the method is generally accepted in the relevant scientific community; Daubert, applied in the federal courts, additionally has the judge weigh whether the method has been tested, peer reviewed, and has a known error rate and controlling standards.)

Digital forensics, or computer forensics, has passed those tests on many occasions.

One of the quirks of our legal system is that bad science, once admitted as evidence, sets a legal precedent for more of the same bad science to be admitted in other cases, creating a false empirical basis of legitimacy for pseudo-sciences in the legal system. Coupled with the resistance of prosecutors to reopening cases where people were convicted on the basis of what is now recognized as pure foolishness, whether or not computer forensics is a "real science" seems like a small question after all.

