Why I Hate Digital Forensics
Damir Delija, Varaždin, FSEC 2015

A few reasons for the title
• The proposal for the lecture arrived just after I finally got my long overdue vacation …
• Since 2008 I have experience with digital forensics; a lot of things annoy me and make me think about …
• I'd like to put up some thoughts and maybe it will start some process about fixing it …

Let's start - what to talk about
It will be about digital forensics and:
• Naming
  • A real name has power, remember Lord of the Rings
• Its tools and practices
• Its community
• Practitioners
• Standards and definitions
• Trainings, certificates, curriculum
• People using its results
• Subfields
• Relations with other computing science fields

Forensics definitions
Forensics is "The application of scientific knowledge to legal problems" (Merriam-Webster)
• Includes forensic medicine, physics, chemistry, dentistry, fingerprints, DNA, firearm analysis, accounting, ...
Forensic sciences are widely tied to Locard's Exchange Principle: "Every contact leaves a trace" (Prof. Edmond Locard, c. 1910)
This is from my favorite source:
• Is Mobile Device Forensics Really "Forensics"?, NIST Mobile Forensics Workshop, Gaithersburg, June 2014, Gary C. Kessler

Naming – techie side
The term itself, the name, what is correct? We have had evolution since the beginning; it comes from debugging …
• Forensic Computing:
  • W. Venema, D. Farmer, late 1990s: "Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system." This is also the SANS definition.
• Digital forensics and Computer forensics (Wikipedia / technical):
  • Computer forensics, sometimes known as computer forensic science, is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
• Cyber forensics
  • a new buzzword, or an extension into cybernetics in the sense in which N. Wiener defined cybernetics, or into something more like S. Lem's ideas?
  • just read "Tragedy of washing machines" or "Invincible" and think about the Internet of Things

Naming – legal side
Comes from usage in the legal process
• the combination of the concept of digital evidence and forensic computing gives the current legal definition
Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.
Judd Robbins: Computer Forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal (digital) evidence

Definitions - topics to think about
• Digital forensics is an engineering science, which is in turn part of computer science
• The profession of digital forensics requires continued education, training, and practice
• Two communities:
  • computing science
  • law enforcement / legal
• Some discrepancies and rough interfaces because of different definitions, meanings, terms
• Important concepts like case, evidence etc. come from law enforcement but are lacking in technical implementations

Standards and definitions
Do standards exist? In a theoretical sense yes, but:
• Are tools, data formats, procedures standardized? NO
• Different legal systems have wide implications
• Compatibility is nonexistent - more on that under tools; just try to combine and compare results from commercial tools
What about a digital forensic language which can describe tasks, procedures, results, data?
• automation?
• comparison of results as automated controls?

Are current standards and definitions correctly understood?
In a theoretical sense yes, but:
• what about the meaning of write-blocking procedures (the holy grail, almost) in modern systems
• is it forensically acceptable or perfect?
• remember what a computer is now and what it was then
• the same for mobile, live acquisition, data analyses, etc.
What about legal boundaries?
• Locard's "Exchange Principle" works for the Internet perfectly, but the data is not available
• In that sense the Internet is a big flat room, but each spot has its custodian and different rules

Relations with other computing science fields
Because of fast development there is always something new, undefined, unbaked
Prime example: mobile forensics
• Gary Kessler, Gary Kessler Associates, "Is Mobile Device Forensics Actually 'Forensics'?"
That is why I'm for the "Forensic Computing" approach in general, but with the size of data we have to deal with, it's more like data mining
• do we apply anything that was learned in data mining and data science to practical digital forensics?
• since I mentioned "practice", again more under tools

Tools and practices
Tools – plenty
The usual story about open / commercial and corporate policy
Commercial
• mostly based on the evolution of a tool someone from law enforcement developed ages ago
• by law enforcement – for law enforcement
Free
• development from good computing theory but lacking development pace
• mostly not for "law enforcement forensics" but for incident response and analyses
• for the engineer type of mind-set

Commercial tools
Preferred in the legal part / law enforcement (why?)
What about reliability – a lot of talk about it in legal circles in the EU
• Stephen Mason: challenges of international investigations (search and seizure) and other trial considerations (methods of presentation, admissibility tests)
Mostly based on the evolution of a tool someone from law enforcement developed ages ago for his own usage
In commercial tools there is constant development, but a lot of misfires
Lack of cross compatibility
• Just try to combine mobile forensics tools
• Just try to use logical evidence files
Very expensive and inflexible
All the bad choices of the MS philosophy of computing incorporated
No chance of automation or piping tools
Scripting practically non-existent
Practically no UNIX platform in mainstream forensics
The last story about EnCase v7 is a perfect horror example
Not well-founded theory (better to say not taken into account)
Best computing practices also not taken into account
Lack of standardization
• Physical evidence files are standardized, but nothing after that

Free / open source tools and practices
Again plenty of tools
The usual story for open source
Special case: commercial – free versions
• Some wonderful tools like FTK Imager
• Free / test versions
Venema, Farmer, Carrier developed good tools, but for mass usage community knowledge and skills are missing
• Developed in the sense that forensic science is an extension of ordinary science
• You have to be very good in medicine to become a forensic pathologist – this is the same attitude for these tools, and it is missing from ordinary curriculums
Most recent Python development is very promising
• But I'll say, in the current state of mind, we need a "forensic Python" which works in a forensically sound way on all supported OS platforms

Its community and practitioners
Trainings, certificates, curriculums
• There is a lot, but not well defined and profiled
• Computing and other basics (often) missing
• Some horrible side effects such as the "hexadecimal fetish" in training
• My opinion is that a knowledge and skillset is needed, the one which ages ago described a system programmer, with some modern add-ons
• Often no career path
• Continuous learning is a problem too, because of organisational issues
• Some interesting initiatives like OLAF, but again the quality of materials and tools is questionable

People using its results
Again a lack of understanding and different mindsets
A classical communication problem among experts
Some definitions are outdated
• What is forensically acceptable?
• What is forensically correct today?
When we are talking about a computer as a network of subsystems:
• Write-blocking on a disk which is a computer itself, or an SD disk
• Live forensics
• Mobile devices
How to cooperate, how to trust, how to precisely define tasks and results?
Things get complicated because of mindset issues
• The computer is a bit untrusted
• The computer can't do the work alone
• Labs and communication chains are not set up by common computing sense

Subfields
Subfields – what are subfields?
Can we even list the subfields of digital forensics / cyber forensics?
• For some subfields it is not even clear what they are
  • "mobile forensics" is a perfect example, starting with "what is a mobile device?"
• How can a subfield be defined?
  • Skills and practices, then …?
• Who defines new rules (theory sets one thing)?
  • From engineers or law enforcement?
• Remember - it's the application of science in a legally acceptable way

Future?
Grim or glorious?
• Here in the Balkans it's grim ....
World?
• All around the world a lot of glorious opportunities?
• But IT security, of which forensics is a part, is in very bad shape
• Just read the reports and do some analyses
• In IT security we don't have technical problems but organizational and management problems
Something sounds almost religious
• … Oh Lord, give us a security Messiah who'll expel evil from our corporate / governmental networks and IT systems ...
What about elementary hygiene and practices? It's the attitude that should be changed!

Conclusion and Questions?
• Since IT penetration is unstoppable, it should be safe and controlled
• Let's think about all this
• How can we help to fix these issues?
• How will these kindergarten-type problems influence the future?