Tuesday, July 10, 2007

A peer review - DOJ methodology

Back in April, after I posted on peer reviews and how no one shared their methodologies I was a little surprised that the responses were few. However, Ovie from Cyberspeak decided to send me something he picked up from the DOJ. Thanks Ovie!

First, here's Ovie's disclaimer.

Again, this is not a cyberspeak product it was produced by the Department of Justice, Computer Crime and Intellectual Property Section and they said it had no copyright so people were free to use it however they want.


So, here is the methodology:



Look at all the purdy colors! I must assume first off that there is a glossary for many of the terms listed in the flowchart because this is a very high level overview of the process.


From the get-go there is one thing missing. Validation of the hardware to be used by the examiner. Similar to calibration of the radar detectors before you go out and try to get someone for speeding. There's a block that says "setup forensic hardware" so maybe it's actually buried there but I don't see it.

There's also no mention of scanning for malware. While this isn't foolproof, it's a must for any analysis procedure in my opinion.

I personally don't care for the use of the word triage in this methodology. It just doesn't fit with the section it's listed under. I'd say "data identification/processing" rather than triage. There's really no triage happening here. If someone wanted to add something reminiscent of triage to this phase, they should add a method of prioritization of forensic data sources to be analyzed. In fact, adding that would fit with the arrow along the bottom where ROI diminishes once enough evidence is obtained for prosecution. Prioritizing would meld nicely here.

Data Analysis: Again, there is no mention of scanning for malware.

What I find really interesting is in the Data Search Lead List. There's mention of attempting to reconstruct an environment or database to mimic the original. Kudos to the DOJ for acknowledging the power of reconstruction!

This document provides a really great overview of the forensics process, but it raises a lot of questions about the guts of the process rather than the overview but I'm really happy that Ovie decided to send this along. This is the kind of stuff we need to start sharing if we're ever to narrow the gap that divides this industry and holds it back. If anyone else wants to send something to me, I'd be happy to take a look and send you my feedback. If you have a step-by-step, I'll even run it through a validation process.

For you Binary geeks....
Have a look at the at the bottom of the ROI arrow. There's something interesting in there..

2 comments:

Anonymous said...

Hey Hogfly,

I am glad I could contribute. Just wanted to add some comments to your blog. For your first observation about them missing the equipment validation; I spoke with DOJ and they stated you are correct, but in an attempt to minimize the text of this very busy flow chart, they edited the word “validation” out of the 3rd shape down in Block #2. They stated the forensic workstation validation is conducted and implied in the box that states “Setup forensic hardware and software…as needed”. I agree with you that I would like to see the work “validation” and suggested they put that word back into the chart.

When I told them about your objection to the word Triage and advised them they you suggested just removing that word, they asked about replacing the word with “Phase”. They advised that the word Triage came from their earlier drafts where they were discussing the possibility to speed up the process whereby investigators and prosecutors get information quicker, rather than being left in the dark until every eye is dotted and tee is crossed and the final forensic report is completed. They tried to explain how on many investigations, if forensic examiners could work more closely with the case agent and prosecutor, i.e. a quick phone call or something when something significant was found or perhaps an update every 2 weeks or so, they feel they may be able to help advise on what other kind of things might help in prosecuting the case or even speed up subpoena processes to obtain other types of data.

The guy I spoke to stated he would
be incorporating your suggested changes and would get me a new copy of the flow chart as soon as he could. I will send it to you as soon as he gets it to me.

All in all, the DOJ guys seemed to really like your input and asked that you pass any further input you have to them. You can just send me the ideas, I have a pretty good contact with DOJ, which from your post…I assume you knew that.

Cheers

Ovie

hogfly said...

Cool, a comment from Ovie!

I figured it was implied or not included for some good reason. I'm glad "validation" is making it back in to the chart. It's always a given, but it's always helpful to show it's being taken in to account, especially if it gets shared with outside sources.

I certainly understand the need to fast-track information exchange while in the middle of a case. Investigations never take place in a vacuum as the saying goes and case updates need to happen faster than they typically do.

I think "phase" might be a little redundant since the phases are already identified by using blocks and arrows in the overview and having a number assigned to it.

I'd suggested processing for a few reasons. First, this phase made me think of going to the DMV and all of the processing that happens there. Think about it. You fill out paperwork, get in line, walk up to the counter, a grumpy lady processes your document, gets grumpier when she realizes you missed something, hands it back to you, you fill it out, re-submit, and she enters it in the computer, prints something out, hands it to you, you sign it and go on your way..you've been processed.
In addition, processing is actually mentioned in the purple boxes.

My reason for suggesting something other than triage goes to an incident response background. When I think triage, I think assess, prioritize, "stop the bleeding", re-assess, re-prioritize, act. If you've seen saving private ryan, when they're on the beach and the field medics are going down the line saying "priority", "he's gone", "morphine" etc..that's what I think of when I think triage.

When it boils down to it, the DOJ knows what works for it, far better than I do, I'm just really stoked that you even bothered to send it, and I'm really happy I could make some suggestions.