Sunday, June 27, 2010

Computer Forensics – The Next Ten Years


Normally I leave it to the pundits over at PC World and other consumer-type computer magazines to predict what will happen to the industry over the next ten years. But what the heck, I can guess as well as anyone. So, after consulting my Magic Eight Ball, here we go.

1. Encryption will become the norm rather than the exception, driving live memory forensics

As computer users we need encryption to protect our personal data. Although it is a fairly simple task to encrypt computer hard drives, USB drives and other media, very few people actually do it, mainly because it is an extra step they must perform themselves. And it is a drive performance killer. The average computer user, who by the way is the one who needs this the most, is the least likely to even know that their operating system includes this feature.

I think that in the next few years, we will start to see user data areas encrypted by default on new computers. Even if the operating system makers don’t really care about security of data for end users, it will be a marketing advantage to differentiate one brand from the others.  And as processors become more powerful and encryption algorithms get more efficient, it will be less of a performance hit.
What this means to us is that live memory forensics will become more important in order for us to be able to crack encryption to examine this data.

2. My phone will be my primary computer and mobile forensics will become king.

Personally, I am looking forward to the day when my phone becomes the brain of my computer. I would still carry it around like I do now, make phone calls on it and answer the occasional short email. But when I need to work on something larger, I just slip it into a slot on a pad computer for a larger screen to surf the web, answer email, write this blog post or do my office work. I use my laptop 98% of the time to read email, surf the web or write documents. Not exactly heavy lifting for a computer. It sure would be nice to just plug the phone into a slot on a nice pad computer and use that instead of dragging the laptop around. Why bother since I carry both anyway? Well, the phone could provide connectivity for the pad via 4G or Wi-Fi. Then there wouldn’t be a need for the pad to have those features. So I predict the day will come when you buy a pad/phone combo where the two work together for computing power (think distributed processing) and connectivity. If the iPad didn’t prove that pad computing hardware and software are truly ready for primetime, I think that the consumer market is clearly sending a message that computing in a lightweight package is what it wants to buy.

But how would you use the phone if it is docked, you ask? With a Bluetooth device, of course.

I am also predicting that this will drive the industry toward fewer mobile operating systems as phones and mobile devices become more application driven, finally making it possible to have mobile forensic tools that can address a wider variety of phones and giving access to physical data storage.

3. In the year 2020, we will still be examining Windows 7

This is a cheat, really, since it is 2010 and we are still examining computers running Windows XP (released in 2001), Windows 2000 (released in 1999) and even some Windows 98 computers.

4. The world will see more cloud computing forensics

There are quite a few definitions of cloud computing. But the bottom line is that cloud computing represents software and data storage as a service, using the Internet as the network so people can access their stuff from anywhere. Whether it is widely adopted by business is one thing, but the consumer market has already dived into the deep end. One of the things I think will continue to become ever more common is always-on, always-connected people. However you think of it, Facebook, Twitter, Google Apps, Windows Live Office, Hosted Exchange, Yahoo Mail and so forth are all basically software as a service where everything is stored in the “cloud”. As forensic examiners, we will find the collection of artifacts from local devices ever more important, especially from mobile devices such as phones and pad computers.

5. Forensics will get harder, not easier.

One of the primary things that makes computer (digital) forensics different from forensic sciences like DNA analysis and fingerprint analysis is the simple fact that in those disciplines, the type of evidence doesn’t change. DNA has had the same structure for millions of years. Only the methods to analyze it change over time as our technology gets better. In the case of digital forensics, not only do the methods change, but the basic structure of the evidence changes with the introduction of each new file system, encryption method, data storage format and device.
Yes, computer forensic tools will continue to get more powerful, but they will continue to chase the technology as it changes.  It will still be up to examiners to pursue constant learning to stay up with the changes in technology if they are not to be left behind.

6. The computer forensics industry will continue to grow.

It can only logically follow that as the technology becomes more prevalent and integrated into everyday life, evidence left behind by that technology will become more common. In developed countries, the use of technology will continue to become a necessary and normal part of everyday life, so much so that we will stop thinking about it. In other words, we don’t have to think about natural processes like talking. We just do it. I see a day in the very near future when we will be the same about the personal technology we use.

As devices record more, the possibility of evidence being present in all types of legal scenarios becomes ever more likely, to the point where one of the first questions asked in any legal procedure will be, “Did you get the data?”

Check back in ten years and see how close I got.



  1. Nice predictions!
    Besides those ones, I see that we are going to have an increase in the amount of valuable cyber forensic analysts, but the vast majority of the so-called "experts" will be nothing but people who don't have any idea what they are doing. This is going to be even worse with the growth of the industry (your item 6), the fact that it will become worse (your item 5), and the fact that there will be plenty of automated forensic software easily available.

  2. I like your article, thanks!

