The paper in 2010 by Simson L. Garfinkel, Naval Postgraduate School, Monterey, USA titled "Digital forensics research: The next 10 years" brought up may question and I have seen every single one of them become a reality in real casework.
"Digital Forensics is facing a crisis. Hard-won capabilities are in jeopardy of being diminished or even lost as the result of advances and fundamental changes in the computer industry:
- The growing size of storage devices means that there is frequently insufficient time to create a forensic image of a subject device, or to process all of the data once it is found.
- The increasing prevalence of embedded flash storage and the proliferation of hardware interfaces means that storage devices can no longer be readily removed or imaged.
- The proliferation of operating systems and file formats is dramatically increasing the requirements and complexity of data exploitation tools and the cost of tool development.
- Whereas cases were previously limited to the analysis of a single device, increasingly cases require the analysis of multiple devices followed by the correlation of the found evidence.
- Pervasive encryption (Casey and Stellatos, 2008) means that even when data can be recovered, it frequently cannot be processed.
- Use of the “cloud” for remote processing and storage, and to split a single data structure into elements, means that frequently data or code cannot even be found.
- Malware that is not written to persistent storage necessitates the need for expensive RAM forensics.
- Legal challenges increasingly limit the scope of forensic investigations."
So, here is an updated model of digital forensics, but the concept of recovered data that can not be processed is a concept that many CSI trained "professionals" are still battle with causing frustration, time delay, and unnecessary cost increase.
Fortunately, most of those accused of wrong doing are not deploying more sophisticated methods to circumvent data discovery, but device, operating system, and software vendors deploy technologies making discovery and production of evidence much harder without the increased technical skills by the users.
No comments:
Post a Comment