Thursday, June 19, 2008

Technique Development

A number of weeks ago I was working on biometric bypassing techniques and decided that I needed to invest in a latent fingerprint kit. So I called ForensicsSource (formerly Armor Forensics) and ordered a kit. A few days later my kit arrived and I began my projects. I'd done some homework on latent development techniques, but like most things, reading a book is nothing like the real thing. You can read all you want about the correct amount of pressure, which brush stroke, how much powder to use and what to do when you discover what may be a print, but nothing prepares you for actually finding that correct pressure, following the ridges properly and choosing the brush stroke to use. Nothing prepares you for the act of lifting a print like doing it. Sure, I messed up a number of prints because too much or too little pressure was used, there was too much or too little powder on the brush, or the surface I was testing on was ridged itself and the powder had gone into the ridges in the table, making the lifted print worthless. Knowing when to take a 1:1 picture and when to lift a print is important, as are the many other points involved in developing and lifting a latent print. If you've never done so yourself I recommend you give the fuming technique a try, if only to understand the process. I use the following (there's plenty of room for variance here):

Zap-a-gap superglue - nickel-sized drop
aluminum tea candle containers - remove the tea candle
A plastic storage container with lid
candle warmer
Hot cup of water
item to be fumed

So, you might be saying, who cares about latent prints? This is digital forensics, not fingerprinting 101. Remember this: studying other fields is the best way to master your own. In digital forensics, like other fields of study, we must understand that technique development is of the utmost importance. Anyone can shoot a gun, but can they hit the target? In order to master the Mozambique drill one needs to master the fundamentals.

Anyone can install a tool and execute it, but can you interpret the results properly? Do you know how the tool works? Do you know the underlying OS well enough to have the proper foundation? When you're dumping memory on a live system, do you dump to the suspect file system and then copy it off, as is implied in this post? It's all about technique development. I've maintained since the early days that forensics is not about tools. It's about process, procedure and technique. In the early days forensics was done with simple tools such as a hex editor. These days we have flash-bang, gee-whiz tools that do it all for us. Consider, if you will, a live scenario. Which tools are you going to use, what order are you executing them in, where do the results end up, how do they get there, and what gets altered in the process? For all the flashing, blinking and marketing, where are our techniques going? It's an inverse relationship.
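The live-acquisition questions above (where the results end up, how they get there, and what gets altered) can be made concrete with a small script. This is an added example and not code from the original post: it streams a volatile source to a collection destination in a single pass, hashes the bytes in flight, and snapshots the examined tree before and after so any write to the suspect filesystem shows up. The "suspect" and "collector" directories and the `mem.bin` sample are constructed stand-ins; in real use the source would be the memory device or acquisition tool's output, and the destination a network socket or an external volume rather than a file.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils
# (sha256sum, stat -c, mktemp -d). The suspect/collector directories below
# are constructed stand-ins for the examined filesystem and the off-system
# destination.
set -u

# acquire_stream SRC DEST
# Copies SRC to DEST in one pass and prints the SHA-256 of the bytes that
# actually left the system. One pass matters: volatile data read twice is
# two different images, and the hash must cover what was collected.
acquire_stream() {
    src=$1; dest=$2
    dd if="$src" bs=1048576 2>/dev/null | tee "$dest" | sha256sum | cut -d' ' -f1
}

# verify_collected DEST EXPECTED_HASH -> exit 0 if the collected copy matches
verify_collected() {
    actual=$(sha256sum < "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# snapshot_tree DIR: one line per file with size and mtime. Taking this
# before and after a step documents what the step altered on the examined
# tree (new output files, truncated logs, rewritten artefacts).
snapshot_tree() {
    find "$1" -type f -exec stat -c '%n %s %Y' {} \; | sort
}

# run_demo: acquire a constructed sample and prove the examined tree is
# unchanged, i.e. the dump went off-system rather than onto the suspect disk.
run_demo() {
    work=$(mktemp -d)
    suspect="$work/suspect"      # stand-in for the examined filesystem
    collect="$work/collector"    # stand-in for the off-system destination
    mkdir -p "$suspect" "$collect"
    printf 'constructed sample volatile data\n' > "$suspect/mem.bin"

    before=$(snapshot_tree "$suspect")
    h=$(acquire_stream "$suspect/mem.bin" "$collect/mem.raw")
    after=$(snapshot_tree "$suspect")

    verify_collected "$collect/mem.raw" "$h" || { echo "hash mismatch"; rm -rf "$work"; return 1; }
    [ "$before" = "$after" ] || { echo "examined tree altered"; rm -rf "$work"; return 1; }
    echo "collected $h; examined tree unchanged"
    rm -rf "$work"
}

run_demo
```

The snapshot compares size and modification time only; reading a regular file still updates its access time on most mounts, which is one more thing a live step alters and a reason to record the tool list, order and destinations before touching the box.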

I am baffled that we are entering a new era of tool execution happiness. The forensic market is becoming saturated with tools that have "find evidence" buttons, and everyone is telling us that the product they're selling is the best on the market, yet the underlying techniques and knowledge are still lacking. When it comes down to it, forensics is not about how flashy the tools you use are; it's about the techniques used. Go ahead, try developing and lifting a latent print. Buy the really expensive fingerprint kits (to get that digital forensics gouging feeling) to really understand what I'm trying to say here. For fun, try it on different surfaces. You may get lucky and do it right the first time, but odds are you'll need to develop your technique, and you may just realize that had you done your homework you could have gotten the same results with the smaller, cheaper toolkit.


Mark McKinnon said...

Well stated Hogfly.

Lack of understanding is/will be a huge problem. With the availability of people to buy CF packages and just "Push the Button" we will be seeing more and more people with a lack of understanding. As Operating Systems become more complex these CF people will become more and more dependent on their tools to tell them what is going on.

Here is a quick example of a lack of understanding:

Q. Can you tell us what the MRU list is?

A. What are you referring to?

Q. Capital M, capital R, capital U, list. Have you ever heard that term?

A. I have not heard that term.

Now would you expect this type of answer from a competent forensic examiner? I would hope not especially if you were paying this person.

Troy said...

Couldn't agree more. I would add, as Mark illustrates, it's not even process, procedure and technique that is most fundamental, it's the subject matter of digital forensics: data--file systems, data structures, file formats and how the OS and applications function. Lack of knowledge about the actual data that forensics tools parse is almost standard operating procedure.

When people ask me to point them to forensics resources for Windows, the primary resources I mention are the Windows Internals book (new one on the way), Brian Carrier's book on file systems and Harlan's latest book. The last thing I would recommend is a vendor/tool specific class.

hogfly said...

That's alarming. Would I want that person as my 'expert'? No, in fact I'd love to get that type of person on cross exam.

Troy - the field is definitely lacking the fundamentals. Any course, university, training etc. that is vendor independent should force the trainees to work with the lowest tech tool in order to get the job done. I have to wonder why there is no CBK for forensics...