The Scientific Working Group for Digital Evidence (SWGDE), in response to a series of articles by John Barbara that appeared in Forensic Magazine (http://www.forensicmag.com/articles.asp?pid=138), has taken a very interesting stance. In a published document, the SWGDE claims that computer forensics is different from other forensic sciences because in computer forensics "false positives are non-existent". Therefore, controls are not applicable to this field.
I am deeply troubled by what I consider to be a false belief system – computer forensics and its tools are infallible. This position is not supported by the larger scientific community and in fact numerous examples are available that contradict this position (e.g., orphan files and folders in NTFS, misrepresentation from data carving).
What is equally disturbing is the notion that has been proffered that somehow using a hashing algorithm to verify the integrity of a forensic copy of the original is a control against false positives at the data abstraction and presentation layer during the analysis and examination phases.
Most of the examples of false positives occur due to an error in the data abstraction layer. Since we rely on tools (software) to abstract the data (we cannot see the ones and zeroes, etc.), an error in the tool becomes problematic, as we trust the tool's output. To date, none of the commercial computer forensic tool vendors are willing to share the error rates of their tools, so we are left to experimentation in order to try to determine this for ourselves.
I have weighed in on this issue with the SWGDE (full disclosure - I am a non-voting academic associate member). Since the SWGDE has publicly released their position paper, I think that in the spirit of open discussion and debate, we in the digital forensics community need to weigh in on this. I believe this is a watershed issue and it needs to be addressed.
Here is the link to the SWGDE position paper:
http://www.swgde.org/documents/swgde2008/SWGDEStandardsandControlsPositionPaper.pdf
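The point about hashing above, as an added example that is not part of the original post or of any forensic tool: a copy whose SHA-256 matches the original is run through a signature-only JPEG carver, which reports two files, one of which fails a simple structural check. The sample image bytes, the carver and the check are all constructed for illustration.

```python
import hashlib

# Constructed sample data (not from any real case or tool).
# REAL: SOI, one well-formed APP0/JFIF segment (length 16), EOI.
REAL = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        b"\xff\xd9")
# NOISE: unrelated bytes that happen to contain the SOI and EOI signatures.
NOISE = b"\x13\x37\xff\xd8\xff\x00unallocated-slack\xff\xd9"
ORIGINAL = b"\x00" * 512 + REAL + b"\x00" * (512 - len(REAL)) + NOISE + b"\x00" * 64
COPY = bytes(ORIGINAL)  # stands in for the forensic copy


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def naive_carve(image):
    """Signature-only carver: every SOI..EOI span is reported as a JPEG."""
    hits, pos = [], image.find(b"\xff\xd8\xff")
    while pos != -1:
        end = image.find(b"\xff\xd9", pos + 3)
        if end == -1:
            break
        hits.append((pos, end + 2))
        pos = image.find(b"\xff\xd8\xff", end + 2)
    return hits


def plausible_jpeg(blob):
    """Simplified control: the first segment after SOI must be well formed."""
    if len(blob) < 8 or not 0xC0 <= blob[3] <= 0xFE:  # FF 00 is not a marker
        return False
    seg_len = int.from_bytes(blob[4:6], "big")
    nxt = 4 + seg_len  # offset of the marker that should follow the segment
    return seg_len >= 2 and nxt < len(blob) and blob[nxt] == 0xFF


def examine(image):
    """Return (start, end, passes_control) for each carved hit."""
    return [(s, e, plausible_jpeg(image[s:e])) for s, e in naive_carve(image)]


if __name__ == "__main__":
    print("hash match:", sha256(ORIGINAL) == sha256(COPY))
    for start, end, ok in examine(COPY):
        print(f"carved {start}-{end}: {'plausible' if ok else 'false positive'}")
```

The hash comparison succeeds for the copy, yet the carver's second hit is an artifact of the abstraction step, which the integrity check cannot see.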
WOW - No errors in computer forensics.. I am troubled that someone even tries to state that. I am very disturbed that someone would try to state that... I read the document released by SWGDE and I am deeply troubled especially by the statement that in other forensics disciplines someone may be wrongfully accused suggesting that someone may not be wrongfully accused in a digital forensic investigation. I can ramble on for hours about this - but this goes back to the computing community believing that computers never fail... This was a very interesting entry thanks for sharing it...
It is really a very interesting position. However, I think Computer Forensics cannot be limited to “find existing data / never find non-existent data”, therefore, I can't agree with this position. The Computer Forensics examination can produce erroneous results and can suggest the guilt of an innocent party. Below are some arguments that I would like to present to support this:
- IDS tools (HIDS or NIDS) can generate false positives;
- Tools used to detect steganography in files can generate false positives;
- Tools which use parsing for forensic analysis can generate false positives;
- Tools used to find malware in a system can generate false positives;
- Timestamp issues can generate false positives;
And so on... the list is non-exhaustive. A tool that does not show an error today can show it tomorrow. In fact, and more important than the list above, is that the analysis and correlation of digital evidence can generate false positives. How to guarantee that the correlation of digital evidence was done in a way that actually corresponds with the real facts? And what about the chain of custody? And what methodologies and standards were employed?
We can go even further and talk about another “layer” in the Computer Forensics investigation: what if an attacker staged the digital crime scene? Will you trust what you see, even if all tools are saying that the md5 hashes of the evidence are ok? Again: Computer Forensics cannot be so limited. Studies like “The Trojan made me do it” [1] show that we need to look for more than bits and bytes.
Although Computer Forensics strongly uses computer resources and tools, analyses are executed (and tools are developed) by human beings. And every human being makes mistakes.
[1] The Trojan Made Me Do It: A First Step in Statistical Based Computer Forensics Event Reconstruction - https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2004-15.pdf