Tuesday, September 2, 2014

The True Scientific Model of Digital Forensic Analysis

The formal model of digital forensic analysis can be summarized in a single application-centred methodology, since users interact with systems through applications ( an operating system is itself a special-purpose application that manages basic resources such as I/O and interrupts, processes, memory, rights, and file systems ).

Many people talk about and write books on what digital forensics is, but most of them cover forensic technician skills.  Forensic technicians are trained Personal Computer ( PC ) technicians with skills for the most recent technology, used mainly to acquire and retrieve digital data.  In many cases the technology is so new, and the techniques for retrieving data so unfamiliar to a sector of technicians, that it is considered "voodoo forensics" ( e.g. chip-off ).

In the end, digital forensic analysis is the true detective work, where acquisition becomes the sub-process that supports the actual investigation.  Forensic technicians can be trained to focus on risk management in order to maintain evidence integrity, but getting the data out of new devices violates many forensic science rules ( e.g. uploading client software to phones in order to acquire a physical image ).

The result of digital forensic analysis should show human involvement: a person using application(s) to commit an act that is unlawful or against policy, with the relevant evidence produced in a way that can be presented in court proceedings.

Scientists rely on facts, numbers, and logic.  Technicians rely on tools, methodologies, and skills.  Courts require relevant, scientific, and admissible evidence.  Digital forensics could grow into a science if scientists focus on analysis in a scientific manner, rather than technicians trying to present their cutting-edge skills as science.  The ultimate goal is to find the human connection to the digital data, not to treat data extraction as the "Holy Grail".  A phlebotomist is not a doctor; he or she is a trained technician with the tools, methodologies, and skills to draw blood, but in the end the doctor uses that specimen to draw conclusions and to gather numbers that reveal a larger problem than one individual being sick.  The phlebotomist only draws blood from discrete individuals.  Thus data acquisition has nothing to do with the analysis of data, and the technician does not need to be scientifically educated, only trained in how to extract data with various methodologies.

So, the scientific analysis result shows the states of data at the time in question ( stored, transactional, in transmission ).  The data itself can be generated by the user, an application, or the operating system; user-generated data is considered hearsay and is thus the weakest evidence.  User-generated data must be supported and validated by business records ( application- and/or operating-system-generated data ).  The content of the data must also be considered, since unregulated encoding or encryption of data located on storage device(s) can lead the investigator toward the question of intent.  Many user activities result in data being deleted or hidden from view by "normal means".  All these activities and modifications of data can be traced back to the ability and motivation of the human involved, which can run as deep as cultural influence.  Since activities are not necessarily illegal activities, the scope of the investigation needs to be considered in order to answer the who, what, when, and how questions, or to determine whether the scope must be extended ( scope creep ).  Science does not guarantee undisputed evidence; it merely offers scientifically proven facts based on the knowledge available at the time in question, so it is the investigator's duty to find relevant evidence that is unbiased in nature ( inculpatory as well as exculpatory ).

Digital forensics is not a business process driven by monetary gain, but the location of the truth.  Those who believe that digital forensics is about looking only for inculpatory evidence should not be considered forensic analysts, but merely businessmen.  Digital forensic analysis is also not merely the location of digital data; locating digital data is done by technicians.  Courts require evidence to be scientifically produced, and the scientific method does not exist for a partial methodology, but for the location of the truth.


Not many people can simplify the definition of science, but this chart does it.
http://undsci.berkeley.edu/article/scienceflowchart

What is Science?

I have also been in conversations, and read a lot of discussion, about having digital forensics accepted as a field of science, but no one has been specific about how they would fit it into science.  So I created a comprehensive chart of the field of science as a reference, so that anyone bringing up the subject again can also point to the section they think digital forensics should be inserted into.

Inman & Rudin defined the forensic processes:
Identification: - determination of physical-chemical composition (e.g., illicit drugs)
Classification: - determination of class, type (e.g., hair, fibers, blood type, DNA)
Individualization: - determination of the unique identity of a source (e.g., fingerprints) by means of class characteristics with known frequency in the relevant population and individual characteristics (also called typica)
Association: - determination of contact between two objects (e.g., fibers, glass)
Reconstruction: - determination of the facts of the case: nature and place of events in time and space (e.g., murder, explosion)

The digital forensic equivalents:
Identification: - determination of the physical location, number, and relevance of storage devices (e.g., CD/DVD, USB, SATA, PATA, SCSI, IEEE 1394)
Classification: - determination of class, type (e.g., operating system, file system, volatility)
Individualization: - determination of the unique identity of a source (e.g., userID-to-human mapping, serial number, IMSI/ICCID) by means of class characteristics with known frequency in the relevant population and individual characteristics (also called typica)
Association: - determination of contact between two objects (e.g., date/time, browsing history, tool usage, link files)
Reconstruction: - determination of the facts of the case: nature and place of events in time and space (e.g., keyword search, create user, create file, install/uninstall application)
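The evidence-provenance argument above ( user-generated data is hearsay-like and must be corroborated by application and operating system records ) and the association and reconstruction steps in the mapping can be made concrete in code. The following is an added example, not the author's method or any tool's implementation: it tags each artifact with its generating source, performs the association step by matching every user-generated artifact against business records attributed to the same userID inside a time window, and produces an ordered reconstruction for one account. The artifact records, the ten-minute corroboration window, and the account name are constructed assumptions for illustration; individualization ( mapping the userID to a human ) is deliberately left outside the dataset, because the records alone cannot establish it.

```python
"""Added example: evidence provenance, association and reconstruction over a
constructed artifact set. Illustrative code only; the records, the
corroboration window and the userID are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Provenance classes from the post: user-generated data is the weakest and must
# be supported by application- or operating-system-generated business records.
USER, APP, OS = "user", "application", "operating_system"


@dataclass(frozen=True)
class Artifact:
    ts: datetime   # event time, assumed already normalized to a single clock/zone
    source: str    # USER, APP or OS
    kind: str      # login, browser_history, file_create, lnk, doc_text, ...
    user: str      # the account (userID) the record is attributed to, not a human
    detail: str


# Constructed sample artifacts (not real case data).
ARTIFACTS = [
    Artifact(datetime(2014, 9, 2, 8, 0, 12), OS, "login", "jdoe", "interactive logon"),
    Artifact(datetime(2014, 9, 2, 8, 3, 40), APP, "browser_history", "jdoe",
             "http://example.test/plans"),
    Artifact(datetime(2014, 9, 2, 8, 5, 1), OS, "file_create", "jdoe",
             r"C:\Users\jdoe\Documents\plans.docx"),
    Artifact(datetime(2014, 9, 2, 8, 5, 3), OS, "lnk", "jdoe",
             r"plans.docx.lnk -> C:\Users\jdoe\Documents\plans.docx"),
    Artifact(datetime(2014, 9, 2, 8, 5, 30), USER, "doc_text", "jdoe",
             "plans.docx: 'meeting moved to Friday'"),
    Artifact(datetime(2014, 9, 2, 23, 50, 0), USER, "doc_text", "jdoe",
             "notes.txt: 'I never opened that file'"),
]


def corroborate(artifacts, window=timedelta(minutes=10)):
    """Association step: for each user-generated artifact, collect the
    application/OS records attributed to the same userID whose timestamp lies
    within +/- window. Returns {user_artifact: [supporting business records]}."""
    machine = [a for a in artifacts if a.source != USER]
    support = {}
    for a in artifacts:
        if a.source != USER:
            continue
        support[a] = sorted(
            (m for m in machine if m.user == a.user and abs(m.ts - a.ts) <= window),
            key=lambda m: m.ts,
        )
    return support


def classify_strength(support):
    """Label each user artifact by whether business records back it up."""
    return {a: ("corroborated" if recs else "uncorroborated")
            for a, recs in support.items()}


def reconstruct(artifacts, user):
    """Reconstruction step: the ordered sequence of events for one userID.
    Mapping that userID to a person (individualization) needs evidence outside
    this dataset, e.g. account provisioning or access-control records."""
    return sorted((a.ts, a.source, a.kind, a.detail)
                  for a in artifacts if a.user == user)


if __name__ == "__main__":
    strength = classify_strength(corroborate(ARTIFACTS))
    for artifact, label in strength.items():
        print(f"{artifact.ts:%H:%M:%S} {label:14} {artifact.detail}")
    for ts, source, kind, detail in reconstruct(ARTIFACTS, "jdoe"):
        print(f"{ts:%H:%M:%S} {source:17} {kind:16} {detail}")
```

Run as a script, the first report marks the document text written at 08:05:30 as corroborated ( login, browsing, file creation and link file all fall inside the window ) and the late-night note as uncorroborated; the second report is the timeline an analyst would hand to the reconstruction step. The window size is a judgement call that belongs in the case notes, not in the tool.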

This mapping points toward a cognitive or behavioral science such as psychology rather than a branch of formal science.  The question will remain open for a long time, since mostly non-scientists are focusing on this issue at this time.


( Note: Let me know about any additions or modifications that you might think would be appropriate in order to have a complete and accurate chart. )