Image via Wikipedia
I just read a great post over at Eric J. Huber’s blog, A Fistful of Dongles: The Future of Digital Forensic Tools
I would agree with everything Eric said. However I would like to take it a bit further. Eric stopped his post at the third generation. I have been thinking for quite some time about the Fourth Generation of digital forensics tools.
When you have completed a lot of cases, you begin to see just how repetitive and similar many cases are. At least at the front end of the examination. Every examination begins with the same steps, independent of the type of case it is. I use Encase, so this will reflect the methods for that software program.
- Set up the case folders.
- Add the evidence and let it verify.
- Run recover folders to find any folders that have been deleted.
- Run file signature analysis.
- Compute / Re-compute hash values to make sure you get a hash value for every file.
From there you may do a lot of other things in some order depending on the case type or what you are looking for in particular.
However, certain types of cases tend to have clusters of items of interest you want to review. For instance, email is an ever popular item of interest in domestic cases. As are internet history and chat logs.
While Encase has a search feature built-in that grabs Internet history, and even rebuilds web pages as part of the process, it does not go after HTML pages in unallocated space. And that is a good thing, since you may not need to take that next, laborious step.
Having dabbled in expert systems over the years, including some programming in Prolog, etc. I believe the next major evolution in digital forensic software is going to be the application of knowledge based expert systems. I know we in the field kid about the “Find Evidence” button, but that is not so far from reality if you think about what we do from a knowledge base perspective.
After all, there is a finite amount of evidence types to be recovered in a case. And depending on the case type, that sub-set is reduced even further.
Automating this data recovery has been and will continue to be a large part of the evolution of digital forensic tools. Let’s face it, once you have the format of the underlying data in hand, automating the process to extract that data is just a matter of programmer time.
However, the recovery of data is only the beginning of the process; The real work comes in sifting through the massive amount of data that can be recovered to see if it is relevant and applicable. We try to reduce that part by performing triage in a lot of cases. There is, after all, a limit to both available human resources and financial resources in every case. Not to mention the time factor. The less time you have, the less you can accomplish, simply because of the time it takes to perform both recovery and analysis tasks.
An examination can be made more efficient if the examiner has a good idea of exactly what must be found, develops a plan for the case to find that with the least amount of processing and human review, and has powerful enough forensic software to assist.
Getting back to expert systems; One of the premises of languages like Prolog is that unlike a traditional programming language where you tell the program how to do something, expert system development is based on you telling the program what you want to do, not how to do it.
The idea of a knowledge based expert system is to capture the best knowledge available from human experts and put that into a system that can use that “expertise” in an automated way. That has worked well in other industries where expert systems assist with diagnosis, troubleshooting and other tasks where expert knowledge is required, but not always quickly available. Or to just simply automate repetitive tasks in those realms to free up expert resources for problems too difficult for an expert systems to handle.
In our industry, the goal would be to create a system that allows us to put in the parameters of what we already know and what we need to know. In other words, what is the goal of the examination? But inputting known information, setting the goals for the information that is needed, and then applying the expert system rule set via software, an expert system should be able to perform 50 to 90 percent of the examination on its own. Then a human expert would take over and review the results, adjust the goals based on newly acquired information and refine the process for another run.
None of this would supplant the need for a real examiner to work the case, testify in court or translate the findings for non-expert consumption.
Perhaps some time in the future we really will see the “Forensicator Pro” with the “Find Evidence” button.
If you happen to have an interest in expert systems, artificial intelligence and such, below are some links.