Sunday, February 7, 2010
The Coming Storm - Cloud Computing and Digital Investigations
While there are numerous security concerns being discussed by various cyber security "Czars," there seems to be little if any discussion about how the cloud will affect digital forensic investigations. Just off the top of my head I can think of several concerns that are generic to the concept of cloud computing, to say nothing of specific concerns related to particular implementations or to specific hardware and software applications.
Some basic questions are related to:
a) Jurisdiction - which sovereign nation or nations has/have authority?
b) Ownership - who actually owns the data in question?
c) Expectations of privacy - what will be the standard for reasonable expectations of privacy in the cloud?
d) Location of evidence - where do we even begin to look for data that may be classified as evidence for the investigation?
e) International cooperation - will countries housing/storing the data be willing to cooperate during an investigation?
f) Localized evidence - what artifacts will be left on the client machine?
To me these seem like obvious questions/concerns that we need to think about, debate and start working toward some answers. As I stated in the opening paragraph, the cloud is being touted as the greatest thing since "sliced bread," whether this is actually the case or not.
We as investigators will soon find ourselves truly immersed in the world of "virtual" evidence, a very sobering thought. One can only imagine how a judiciary that has trouble wrapping its mind around the concept of e-mail will be able to keep up with the various technical solutions that make up the concept of cloud computing.
It behooves the digital forensics community to weigh in on discussions related to cloud computing and provide input as to what this latest technology savior will eventually become.
Wednesday, January 13, 2010
Reactions to the NAS report on the State of Forensic Sciences
During a recent discussion with several colleagues who are at the forefront of international and national standards and credentialing, we were struck by the lack of any mention, both in the report and in the follow-up conversations by the various government and quasi-government agencies, of the ongoing work by the numerous forensic sciences bodies that was initiated long before the report was tabled.
I think I will leave the discussion regarding the knowledge gaps that appeared in the report for another day. A corollary issue is the heated debate over the role government should play in regulating the forensic sciences. Some post-report camps wholeheartedly support the notion that state, local, tribal and federal governments should be more closely involved in the regulation, standardization and funding of the forensic sciences. A second camp is diametrically opposed to this recommendation. The gist of this camp's argument is that by including government in a regulatory and standardization role, we will end up with an even more fragmented forensic community. It would appear that these folks endorse more of a free-market approach and believe the scientific community will correct itself, albeit under the direction of the legal justice system.
To be honest I have mixed feelings about this issue. Being both a forensic scientist and member of international and national bodies attempting to draft a universal code of ethics, nationally recognized credentials and standards etc., I see little if any real positive development by the scientific community if left to its own devices. Part of this lack of development, or probably more appropriately dysfunctional development, is the result of the interference by the vendor community and other private-sector interests who in fact often have goals contrary to the altruistic goal of developing "good science." Yet I have also seen how completely dysfunctional and self-serving government interference can be in the leadership of the forensic sciences.
Still others would argue that government interference in this domain is no different from what has historically been done. While I agree with this assertion, just because it has been done historically doesn't mean that it has been successful or should be continued in the future. I believe a more pragmatic solution falls within the realm of what could be termed a "centrist approach". By this I mean a combination of government oversight as it relates to funding and to nationally/internationally standardizing the forensic sciences, together with the introduction of a non-governmental agency that has ultimate oversight of the scientific community, free from influence and interference from both the government and the private sector. I fully realize that such an idea is rather utopian.
The last thing the forensic sciences community needs at this juncture is to become fragmented and bogged down in petty disputes and knee-jerk reactions to an as-yet-unacted-upon NAS report. Given the current and near-term economic conditions, it is doubtful that any of the major recommendations of the report (e.g., the creation of the National Institute for Forensic Sciences) will come to fruition. I personally believe that if we look at the bigger picture we soon realize that the "moral of the story" here is that if the forensic sciences community does not get its collective house in order, we will have far less than perfect solutions thrust upon us from external bodies that more than likely will only have been given a limited or agenda-biased view of the domain in question.
If history is any indication, we will likely find ourselves in a situation where the NAS report, while garnering media attention currently, will soon be forgotten, archived, and never acted upon, as has been the fate of the other forensic sciences reports that preceded this one. Only time will tell, but regardless, this should make for a very interesting meeting in Seattle.
Wednesday, January 28, 2009
ISSUES IN DIGITAL EVIDENCE INVESTIGATION
Cyber crime is an illegal electronic operation that targets the security of computer systems and data processed by them. Hacking, cyber fraud, phishing, identity and data theft come under cyber crime. Bank accounts can be hacked and credit card details can be stolen. When such cyber crimes are committed, we need digital evidence investigators to catch the culprits. Though cyber forensics is doing a great deal to find out who is responsible for misusing computer systems, it faces many issues that have to be handled with care. Listed below are some issues in cyber forensics.
- A digital evidence investigator must keep in mind the privacy and secrecy of the clients’ data and information while performing the investigation. But in some cases when the information has to be produced as evidence in the court of law to prove a crime, it is not possible for the cyber forensics expert to maintain the secrecy and privacy of the clients’ information.
- Sensitive data and information that are very important to the client may be lost or damaged while finding evidence. But it is the duty of the expert to take additional care to ensure that the possible evidence is not destroyed or damaged. Typically this involves making a forensic image or forensic copy of the original media, and conducting the analysis on the copy versus the original.
- While the investigations are on, it is possible that some malicious computer programs or computer viruses are released into the computer system. These viruses may corrupt the existing software and they may have the potential to damage the hardware system too. It may be necessary to use high quality anti-virus software before the investigation is commenced.
- Once the evidence is found, it must be preserved very carefully. It must be protected against any kind of mechanical and electro-magnetic damage. Any evidence found relevant to the situation at hand will need to be extracted from the working copy media and then typically saved to another form of media as well as printed out. The information that is obtained as evidence is the responsibility of the computer forensic team.
- When the case is on, the evidence information may be stored in court and, in some cases, the concerned parties may not be able to use that information. This may affect the business operations. In order to avoid causing any inconvenience and loss to the parties involved, the digital evidence investigator must make sure that justice is delivered as soon as possible.
- Whatever is done during the analysis has to be documented along with the findings. The findings and reports need to be based on proven techniques and methodology, and any other competent investigator should be able to duplicate and reproduce the results. It is also important that the information acquired during the analysis is ethically and legally respected.
- The operations cost of digital evidence investigations may in some cases exceed that of regular investigations.
In spite of all these issues, cyber forensics or digital evidence investigation has gained a lot of importance in today’s computer world largely due to its vast application in varied situations.
By-line:
This post was contributed by Holly McCarthy, who writes on the subject of forensic science careers. She invites your feedback at hollymccarthy12 at gmail dot com
Wednesday, January 14, 2009
Digital Evidence Investigators Required to be Licensed PI's!
The American Bar Association has taken a stand on this issue and the Science & Technology Law Section has issued a resolution arguing against this requirement:
AMERICAN BAR ASSOCIATION ADOPTED BY THE HOUSE OF DELEGATES AUGUST 11-12, 2008
RECOMMENDATION
RESOLVED, That the American Bar Association urges State, local and territorial legislatures, State regulatory agencies, and other relevant government agencies or entities, to refrain from requiring private investigator licenses for persons engaged in:
computer or digital forensic services or in the acquisition, review, or analysis of digital or computer-based information, whether for purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court; or
network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.
FURTHER RESOLVED, That the American Bar Association supports efforts to establish professional certification or competency requirements for such activities based upon the current state of technology and science.
Unfortunately it appears that most states are ignoring the advice of the scientific and legal community. The cynical side of my nature wonders whether the motivation for moving toward the PI license requirement is driven primarily by an economic motive (it appears that the PI community has a strong lobbying presence in many of the states that have already passed these requirements) as opposed to any real concern over an unregulated "industry" and consumer protection.
This issue is shaping up to be a watershed event for the digital evidence community and the final outcome will have a long lasting impact on this maturing field.
In case you were wondering, there is a concerted effort underway to address the issue of a neutral, board-like certification for digital evidence professionals, supported by the forensic science accreditation board. The Digital Forensics Certification Board (www.DFCB.org), housed at the University of Central Florida's National Center for Forensic Science, will offer its certification exam early in the spring of this year. This non-partisan body represents the collective effort of law enforcement, the private sector, government, the military and academia. For the sake of full disclosure, yes, I am part of this effort.
More information about this effort will be presented at the Digital Sciences & Multimedia Section of American Academy of Forensic Sciences Annual Meeting in Colorado this February.
Saturday, December 13, 2008
SWGDE's position on standards and controls for computer forensics
http://www.forensicmag.com/articles.asp?pid=138
The Scientific Working Group on Digital Evidence (SWGDE) has taken a very interesting stance. In a published document, the SWGDE claims that computer forensics is different from other forensic sciences because in computer forensics "false positives are non-existent". Therefore, controls are not applicable to this field.
I am deeply troubled by what I consider to be a false belief system – computer forensics and its tools are infallible. This position is not supported by the larger scientific community and in fact numerous examples are available that contradict this position (e.g., orphan files and folders in NTFS, misrepresentation from data carving).
Equally disturbing is the notion that has been proffered that using a hashing algorithm to verify the integrity of a forensic copy of the original somehow serves as a control against false positives at the data abstraction and presentation layers during the analysis and examination phases.
Most of the examples of false positives occur due to an error in the data abstraction layer. Since we rely on tools (software) to abstract the data (we cannot see the ones and zeroes ourselves), an error in the tool becomes problematic, as we trust the tool's output. To date, none of the commercial computer forensic tool vendors are willing to share the error rates of their tools, so we are left to experimentation in order to try and determine this for ourselves.
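To make the distinction concrete, here is an added example (my own illustration, not code from SWGDE or from this post) in Python: a constructed toy disk image with known ground truth passes a SHA-256 copy verification, yet a signature-only file carver still reports a false positive; the hash check is identical for both carvers, and only a control sample with known ground truth exposes the tool's error rate. The image layout, the carvers and the marker constants are all assumptions made for the demonstration.

```python
import hashlib
# Constructed toy "disk image" with known ground truth; not a real file system or case image.
JPEG_SOI = b"\xff\xd8\xff\xe0"   # JFIF start-of-image marker
JPEG_EOI = b"\xff\xd9"           # end-of-image marker
FILLER = bytes(range(256)) * 2   # 512 bytes containing neither marker sequence

def make_jpeg(payload: bytes) -> bytes:
    """Minimal JFIF-shaped blob: SOI, APP0 length, 'JFIF\\0', payload, EOI."""
    return JPEG_SOI + b"\x00\x10JFIF\x00" + payload + JPEG_EOI

def build_test_image():
    """Return (image, truth): the image bytes and the set of genuine JPEG offsets."""
    # Decoy: unrelated binary data that happens to contain the SOI byte pattern.
    decoy = b"\x01\x02\x03" + JPEG_SOI + b"\x04\x05\x06" + bytes(64)
    parts = [FILLER, make_jpeg(b"A" * 100), FILLER, decoy, FILLER, make_jpeg(b"B" * 40), FILLER]
    image, truth, offset = b"", set(), 0
    for part in parts:
        if part.startswith(JPEG_SOI):
            truth.add(offset)
        image += part
        offset += len(part)
    return image, truth

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def copy_verified(original: bytes, working_copy: bytes) -> bool:
    """Integrity control only: proves the copy is bit-for-bit the original, nothing more."""
    return sha256_hex(original) == sha256_hex(working_copy)

def carve_naive(image: bytes) -> list:
    """Signature-only carver: every SOI byte pattern is reported as a recovered JPEG."""
    hits, pos = [], image.find(JPEG_SOI)
    while pos != -1:
        hits.append(pos)
        pos = image.find(JPEG_SOI, pos + 1)
    return hits

def carve_validated(image: bytes, max_len: int = 4096) -> list:
    """Structure-checking carver: requires the JFIF tag and an EOI within max_len bytes."""
    return [pos for pos in carve_naive(image)
            if image[pos + 6:pos + 10] == b"JFIF"
            and image.find(JPEG_EOI, pos, pos + max_len) != -1]

def evaluate(carver, image: bytes, truth: set) -> dict:
    """Measure the carver against ground truth: true/false positives and misses."""
    found = set(carver(image))
    return {"tp": len(found & truth), "fp": len(found - truth), "fn": len(truth - found)}

if __name__ == "__main__":
    image, truth = build_test_image()
    print("working copy verified:", copy_verified(image, bytes(image)))  # same for both carvers
    for carver in (carve_naive, carve_validated):
        print(carver.__name__, evaluate(carver, image, truth))
```

The verified hash says nothing about which carver is right; the false positive is only visible because the test image's ground truth is known in advance, which is exactly what a control provides.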
I have weighed in on this issue with the SWGDE (full disclosure - I am a non-voting academic associate member). Since the SWGDE has publicly released their position paper, I think that in the spirit of open discussion and debate, we in the digital forensics community need to weigh in on this. I believe this is a watershed issue and it needs to be addressed.
Here is the link to the SWGDE position paper:
http://www.swgde.org/documents/swgde2008/SWGDEStandardsandControlsPositionPaper.pdf
Journal of Digital Forensic Practice
http://www.tandf.co.uk/journals/journal.asp?issn=1556-7281&linktype=44
National Center for Forensic Sciences Announces Certification Body for Digital Forensics
Certification of Digital Forensics Professionals - Becomes a Reality
Introduction to Certification
The Digital Forensics Certification Board (DFCB) will offer digital forensics practitioners the opportunity to achieve a professional certification. DFCB is headquartered at the National Center for Forensic Science at the University of Central Florida’s Research Foundation, in Orlando. This certification will require more than paying a fee and passing a test; successful completion of the certification process will require a peer-group validation of knowledge, skills and abilities in the analysis and evaluation of digital evidence. Certification will be based on successfully meeting core competency requirements identified by a community of experts.
Attaining certification will require strict adherence to an ethics component. Continuing education and other related professional activities will be required for all digital forensics professionals recognized by the DFCB.
Certification and Application Overview
Professional core competencies in digital forensics will be evaluated in the application and examination process: foundation knowledge, acquisition knowledge, examination knowledge and analysis knowledge, and reporting (written and testimonial) knowledge. The "Founders" graded application process will begin in the fall of 2008 and continue to the end of the calendar year. One type of certification will be offered for both managers and practitioners: the Digital Evidence Practitioner (DEP) Certification will include those who are practitioners and managers in digital evidence programs in law enforcement or the private sector. For applicants to qualify for the DEP certification under the Founders provision, an applicant must provide evidence of digital evidence practical experience. Note that, in general, an applicant's experience should include a mixture of both digital forensic acquisitions and analyses. A total of at least five (5) years' experience is required, which will include full-time practical experience conducting digital forensics. One year of current experience in the last three years is required to apply for practitioner status.
Goals and Objectives
The goals and objectives of the DFCB are as follows:
1. To promote trust and confidence in the Digital Forensics profession
2. To provide an objective certification process in digital forensics which will help the maturation of digital forensics as a science
3. To encourage, promote, aid, and affect the voluntary interchange of data, information, experience, and knowledge about methods and processes among the membership of DFCB
4. To establish, encourage, and enforce observation of a Code of Ethics and Standards of Professional Conduct
5. To publish and distribute books, pamphlets, periodicals, papers and articles supportive of activities and purposes of DFCB
6. To establish and conduct such committees, bureaus, and offices as are necessary and incidental to the activities of DFCB
7. To conduct surveys, studies, hold conferences, symposiums, seminars, and forums
8. To arrange for the presentation of lectures and papers on matters and problems of interest
9. To foster, promote, encourage, study, research, facilitate discussion, collect and disseminate information of service or interest to the members of DFCB or the public at large
10. To conduct (such other) related activities as may be necessary, desirable, or incidental to gaining recognition of accomplishments in the field of investigations and analysis involving advanced technologies within government, business and academia.
Every person certified by DFCB will be required to demonstrate excellence, integrity, and objectivity in every forensic analysis where conclusions are formulated and reported for presentation in the judicial system.
For more information, please contact:
Sam Guttman – DFCB President sguttman@mail.ucf.edu
Mark Pollitt – DFCB Vice-President mpollitt@mail.ucf.edu
Carrie Whitcomb – Director, NCFS whitcomb@mail.ucf.edu
Telephone number for all officers: 407-823-6469
