Sunday, September 27, 2009

All Computer Forensics Professionals Are Not Created Equal

All Forensic Investigators Are Not Created Equal is the title of a blog post over at Dark Reading by John Sawyer.

I have to say that I take issue with several of Mr. Sawyer's statements in the article. First of all, he displays a complete lack of knowledge about complex forensic investigations that are conducted by law enforcement and other investigators. I suppose that trying to link together evidence from dozens of cell phones and computers in a fraud, drug trafficking or child pornography ring don't count as being as "difficult" as doing an incident response investigation.

While I am not a law enforcement examiner nor have I ever been a member of law enforcement, statements like the one below show a complete disrespect for the people who do that job:
"There are forensic "experts" who have a narrow specialization in investigating individuals. Some examples off the top of my head are law enforcement forensic examiners looking at a computer to see if it was used to send threatening e-mails, search for information on making bombs, or view child pornography. The primary, and often only, source of evidence is the suspect's computer that is sometimes accompanied with some corroborating information from the suspect's ISP or a Web/mail hosting provider.
On the extreme opposite end of the spectrum, you have those who work on a much larger scale, taking into consideration many sources of information. I'm not sure there's a good term for them -- security investigator or enterprise incident responder or similar title -- but they go far beyond looking at just one system. Logs from routers, firewalls, and a numerous other types of systems all come into play in order for the investigator to crack the case."

Mr. Sawyer got his inspiration for writing this after reading another blog post:

"So why do I mention the distinction? It's something I've believed for a while but was reminded of it again while reading "The Black Art of Digital Forensics" over at infosecurity.com. The article makes several interesting statements. The one that stuck out is that forensic investigators can't rely only on GUI tools to perform task for them (which is usually only against one system or one type of system and not ALL systems), they must understand what's going on behind the scenes for the GUI. While that's true, I'm just not sure that's going on in the real world."
While I agree that forensic investigators cannot completely rely on GUI (Graphical User Interface) forensic tools, I think the statement needs some clarification.

GUI based forensic tools like Encase, FTK, and others are fine tools and extremely powerful in the hands of a well trained and experienced examiner. The problem is that they can give a false sense of completeness if all the examiner does is run the standard scripts and review the collected data.

The statement above from the Infosecurity article smacks of the recurring theme of, "I can run command line tools. That makes me smarter than you." Something that seems to be cropping up more and more.

Should the examiner know what the graphical tool is doing to get at the data? Absolutely. Should the examiner have a good foundational knowledge of how these tools work at a low level? Yes. Does it matter if he can explain what FAT 12 is to a jury? Probably not. But if he does and he does not do his homework prior to testifying, shame on him.

The article over at Infosecurity reads more like an advertisement for a couple of new software releases than much else.

It starts off good with some discussion of the problem with relying on the MAC times (Modified, Accessed and Created) that are recorded by a computer operating system.

However it drifts away from that topic without giving any detail as to how to deal with MAC times and goes on to discuss software and civil data collection.

Hopefully it is pretty common knowledge among examiners these days that you have to verify things like MAC times before you rely on them as evidence.

In civil cases it is acceptable in many cases to only collect data that is relevant to a case without doing a full forensic copy. However, in criminal cases, it would be problematic to not have a full forensic copy of a hard drive that is going to be used in a criminal trial as that would be a major point of attack for the defense:

"Would be fair to say Mr. Examiner that the court cannot know what data you decided not to collect?"

"Mr. Examiner, given that you decided what evidence this court would be allowed to see, how can you assure the court that you did not intentionally exclude data that would prove my client's innocence?"

There is a wide difference between requirements in civil and criminal investigations. What is allowable in a civil case relies on a very different standard than that of a criminal proceeding.

Lumping incident response in with computer forensics is a mistake. They are not the same disciplines, do not have the same focus and do not have similar requirements for the investigator in either training or expertise.

While having expertise in both is an asset, to say that having expertise in one automatically qualifies an investigator in the other is simply wrong.

Getting back to law enforcement forensic experts; Working in the criminal system is much more difficult than many people in our profession give credit. Law enforcement forensic examiners must not only know how to properly conduct a computer forensic examination, they also need to understand how to do it in such as way that it will stand in up criminal court. To get to the point where a computer can be examined requires taking careful steps through a legal minefield of probable cause affidavits, search warrants, investigative reports and fourth amendment protections.

Then their work may very well be scrutinized by an opposing expert who is going to pick apart every aspect of what they did through that entire process.

While I have great respect for the professionals in the incident response area and value the contributions of folks like Harlan Carvey, I think we would all be better served if we keep the distinction between computer forensics and incident response clear.

1 comment:

  1. Larry, if you keep computer forensics distinct from IR, doesn't that in some ways throw the baby out with the bathwater? There is really not all that much that forensic practitioners could learn from IR practitioners, compared to other "pure" forensic sources?

    ReplyDelete

I have moderated my comments due to spam.