Friday, June 1, 2007

The faces of Digital Forensic Science

Previously I discussed Digital Forensic Science and after talking to many people about the subject and giving a few talks on the subject I think I'm finally reaching a conclusion about the discipline. Digital Forensic Science exists in concept but not practice. Don't get me wrong, I think the science is there, but the majority of practitioners don't use it. As such I'm beginning to create an ontology to conceptualize my thoughts on the field. Here's some early work on the idea, providing a simple outline of DFS as a whole, some of the contributing disciplines and areas of specialty. You'll see there are no connecting lines between anything but the areas of specialty. That's simply due to the fact that I don't think I'm anywhere near done yet.



Digital Forensic Science has many faces. Or should I say it has many facets? Either way not all of them are directly related to the legal system and very few of them are forensic science at all. However, they each contribute to what is considered Digital Forensic Science.

I touched on Pollitt's keynote from the 2004 DFRWS conference where in one slide he proposes the addition of Roles to the Framework. These roles he says are not defined by "forensics" as a process but rather they are constrained by the role's purpose for using forensics. I find this to be very interesting and true.

Well, why don't we attempt to define some roles and the purposes for using forensics in each. Ask yourself "Why do I use forensics?"

If you've got suggestions for additions or think I'm wrong, let me know... after all, I'm only one man and I'm not involved in a couple of these fields.

Incident Response:
Maintain or restore business continuity
Provide accurate information to security team to defend against further attacks
Determine root cause
Report findings to management or client
Provide evidence that suggests or "proves" that regulated or sensitive data was or was not accessed (insert stolen if need be) by unauthorized individuals.


Law Enforcement and Criminal Investigations:
This one is simple...
Get the conviction, get the conviction, get the conviction.


Civil Discovery:
Determine the truth of the claim of the plaintiff
Corroborate the physical evidence provided by recovering the digital copy

Intelligence:
Real time analysis
Keeping systems available and accurately providing information


Incident Responders, like EMTs, provide triage and stabilization of a scene. While preserving data for possible use in a forensic examination is important, it's not always the primary concern. There's a difference between operational responses and forensic responses. There's typically a decision tree that's followed where the team lead decides either to go into full-blown response and investigation mode, or to conduct RCA, then flatten and restore the system from backup. DFS doesn't really apply to incident response because of the fluid nature of response and the fact that response scenarios aren't really repeatable. What does apply are the best practices utilized in each Digital Forensic specialty.

Law Enforcement and Criminal Investigations are probably the closest we get to real digital forensic science. However, as I've said in a previous entry, I don't believe that true "science" is carried out. I base this on the failures I laid out when facing a Daubert Challenge.

Civil Discovery situations aren't exactly science either. The same failures related to Daubert still apply here. In addition, we don't always conduct a full forensic examination. Sometimes all we do is a keyword search, or grab representative data from a logical drive. It depends on the case at hand.

I'm afraid I can't add commentary on the intelligence community since I'm not involved there and have no experience with that community. If a reader is part of the intel group using forensics... please indulge me.


I tend to believe that we can reach a full-blown "science", but we're not there yet. We need development in many areas. One such area is live response/live forensics (or the term I coined a while back, Forensic Incident Response). We're going to start seeing more widespread use of these techniques in the court system pretty soon, especially given the direction many tools and investigators are taking.

3 comments:

Keydet89 said...

Incident Response:
...
Provide accurate information to security team to defend against further attacks

I would suggest expanding "defend" to "prevent, detect, and defend"

Provide evidence that suggests or "proves" that regulated or sensitive data was or was not accessed (insert stolen if need be) by unauthorized individuals.

This is a BIG one because this is the question I'm getting asked more and more.

Law Enforcement and Criminal Investigations are probably the closest we get to real digital forensic science.

I would agree with this, only in the sense that law enforcement and operating under the color of law places the individual under a more stringent set of rules and circumstances.

So, it appears to me that your goal, at least in the near-term, is to create a Daubert methodology to validate the use of tools during incident response. Would this be correct?

hogfly said...

This is a BIG one because this is the question I'm getting asked more and more.

I'm curious... how are you answering this question? I've been coping with it for about 2-3 years now, and the thing I try to remind folks is that I can't prove that the data didn't walk (can't prove a negative) because I don't have all the requisite information, even though business managers want to hear that it "didn't get stolen".

...is to create a Daubert methodology to validate the use of tools during incident response

Not so much a Daubert methodology - since Daubert is used to qualify the expert - but a methodology to assist an "expert" in using incident response and live response related data in the legal system, and for use in corporate investigations when the veracity of our accounts is questioned.

Keydet89 said...

...how are you answering this question?

If the data's not there, I can't answer the question.

The question of what files were copied to an external storage device (without having that storage device to analyze) has also come up, even though it was explained to the customer that forensics cannot show that.