Saturday, July 25, 2009

Using Automated Computer Forensic Tools - Good, Bad or What?


In the world of computer forensics software, each developer is consistently working to add value and features to their product to make it more attractive to the forensic investigation market.

The market leaders, Guidance Software and Access Data, both provide comprehensive forensic software packages, albeit with decidedly different approaches.  And for the purist, you can purchase X-Ways forensic software, which is a GUI for their Winhex product.

There are others out there as well, such as Paraben, and Pro-Discover and more.

Beyond the comprehensive tool developers, there are many specialty tools available as well:

Belkasoft makes tools for reading chat and internet history and email.

Drive Prophet is a data gathering tool that can parse out USB device connections, recently opened files, and many other items of interest to an investigator.

Then there is RegRipper, a tool for parsing Windows registry data.

The question is, are these tools helping or hurting the quality of forensic examinations?

My immediate response to that question would be a resounding, "Yes".

Depending on the circumstances, fully automated, limited scope collection tools can be of great benefit to an investigator or examiner.  If you are in a situation where you just need to look at a specific type of information, an automated tool that is built just for that purpose would be the most efficient way to go.

The problem is that the tools that are very specific do not do things like checking for deleted files or looking inside compressed files as part of their automated routines.

While the big suites can do pretty much whatever you desire, you run into the simple, but real limitation of the time it takes to do searches in unallocated space or, heaven forbid, create an index for key word searches.

The single biggest issue I hear from the law enforcement examiners I interact with is that time is a real problem for them with the number of cases they have, or the fact that they are not dedicated to just computer forensics.

As a private consultant, waiting on machines to process data is a huge time waster since processing time is not billable.  Unless of course you are conducting a forensic examination on-site due to the Adam Walsh Act.  Then all the time is billable, and costs the client a considerable amount of money.  Since most of these cases are indigent, the taxpayers end up footing the bill.

While automated processes are critical to performing computer forensic examinations due to the fact that a purely manual process would be prohibitively expensive and time consuming, they must be used as they are intended and not become a substitute for an actual forensic exam.

If an examiner limits themselves to what the automated tools and routines can find, they will probably miss critical evidence.  From what I have seen over the last several years that I have been doing this kind of work, the majority of cases I have worked contain evidence that gets missed by examiners, both private consultants and law enforcement examiners.

The single biggest danger in depending solely on automated tools and processes is that an examiner may be in a situation that would cause them to accept the results as "good enough" due to time or budget constraints.

The other danger in tools becoming more automated is that an untrained examiner may simply not know where to go next with the tool or the examination to make sure that a thorough examination has been done.

While automated tools and routines may be able to replace an examiner's need to know how to look for some piece of data or evidence, they cannot replace the need for an examiner to know where to look and what to look for.

Those skills are probably more critical than knowing how to get a piece of data.  To conduct the most efficient examination, there has to be a combination of knowing where to look first, second and so on, along with how to use a tool to extract what you need to find.

When using automated tools, an examiner must be prepared to answer the questions: 

1. If the automated tool does not find it, how do I find it using a different approach?
2. Where is the most likely place to find what I need, if the evidence is not where it is supposed to be?  (Automated tools can only look at where something is supposed to be.)
3. If I can only find a fragment of a piece of evidence, how do I find related evidence to corroborate the fragment?
4. If the original file I know was there is missing, how do I show that it was there at some point in the past?
5. Can I create some sort of user attribution for the evidence?
6. How do I find evidence that will help with creating a time line for the fragment?

Plus many more questions that an examiner must answer that automated tools simply cannot yet be made sophisticated enough to answer.  Perhaps in the future, expert systems will be developed to take the place of examiners, but for now, it is the examiner's skills that make the case, not the tools, no matter how good they are.
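The first two questions above are exactly where a purely automated keyword search falls short: a literal string match cannot see text that sits inside a compressed stream left behind in unallocated space. The following added example (not from the original post) builds a constructed, in-memory "disk image" to show the gap: the plain search finds nothing, while a signature-carving pass that inflates every plausible zlib stream recovers the deleted memo. The image layout, file contents and keyword are all assumptions made up for the demonstration.

```python
import zlib

KEYWORD = b"wire transfer"  # constructed search term for the demo


def build_sample_image():
    """Constructed image: one allocated text file, then an unallocated region
    that still holds the zlib-compressed body of a deleted memo."""
    allocated = b"README: quarterly report\x00" + b"\x00" * 16
    deleted_memo = (b"Memo: approve the wire transfer to account X by Friday. "
                    b"Delete this memo after reading. Delete this memo after reading.")
    unallocated = b"\xff" * 32 + zlib.compress(deleted_memo) + b"\x00" * 32
    return allocated + unallocated


def naive_keyword_search(image, keyword):
    """What an automated literal keyword search does: byte-for-byte matches only."""
    hits, start = [], 0
    while True:
        idx = image.find(keyword, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def carve_zlib_streams(image):
    """Scan every offset for a valid zlib header (CM=8, FCHECK ok) and try to
    inflate from there; keep only streams that end cleanly with a good checksum."""
    found = []
    for off in range(len(image) - 1):
        cmf, flg = image[off], image[off + 1]
        if (cmf & 0x0F) != 8 or ((cmf << 8) | flg) % 31 != 0:
            continue  # not a zlib header, skip this offset
        d = zlib.decompressobj()
        try:
            data = d.decompress(image[off:])
            if d.eof:  # stream terminated properly, adler32 verified by zlib
                found.append((off, data))
        except zlib.error:
            pass  # false-positive header, or a partial/corrupt stream
    return found


def keyword_in_carved(image, keyword):
    """Offsets of carved streams whose inflated content contains the keyword."""
    return [off for off, data in carve_zlib_streams(image) if keyword in data]


if __name__ == "__main__":
    img = build_sample_image()
    print("literal search:", naive_keyword_search(img, KEYWORD))  # []
    print("carved streams:", keyword_in_carved(img, KEYWORD))     # [73]
```

On a real image the same idea generalizes to other container signatures (ZIP local headers, gzip), which is what a manual pass adds over a literal index.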

If there is anything that is needed in the field right now, it is more training, not more automation.


3 comments:

  1. Ugh, posts like these drive me nuts. Encase is not an automated forensic tool. Regripper is not an automated forensic tool. Neither are any of the other tools out there.

    The analyst may use it in an automated fashion, following rote procedures, but that should not paint the entire product as hurting the business of forensic analysis.

    You mean to tell me that conducting forensic analysis today would be better off by using technology from 1995?

    Let's do everything with command line utilities... but wait if I use them over and over again, aren't I just running automatic procedures?

    How about we get the analyst to read the 1s and 0s from the hard drive before we declare him competent enough to be on the witness stand.

    Forensic tools make it easier for the analyst to become complacent - so is our defense now going to be "the devil made me do it?" (substitute for Devil your favorite forensic tool)

  2. I am afraid you completely missed my point. I never said that Encase is an automated forensic tool, but that it has automated processes. RegRipper is an automatic tool; however, if you can't interpret the results, it does you no good.

    Forensic tools CAN make an analyst complacent. That is my point. You can never substitute skill and expertise for what a tool delivers on its own.

    Used properly all of these tools are excellent.

  3. everything possible be done so easily


I have moderated my comments due to spam.