In the footsteps of Bob & Bing

Posted on April 7, 2011. Filed under: forensic, security

Just 2 more days till I’m off to the ISO/IEC SC27 meeting in Singapore and I couldn’t resist the opportunity to use a clip from a relevant film;)

Anyway – some interesting new agenda items have appeared. Of these the most significant is a new discussion slot on “Digital Forensic Processes”, suggesting there may be some new work items (aka drafting of new standards). It’s not clear where the request for this has appeared from or exactly what it relates to.

Given that I volunteered to be a rapporteur for study periods on “Digital Evidence Readiness & Analysis” and “Digital Evidence Validation & Verification” it seems a little redundant to me. We (the UK panel dealing with these) are proposing that readiness should be considered as part of Incident Management since it involves planning & auditing, Analysis should probably sit inside the existing draft 27037 document about evidence recovery, since it shares many common features and requirements, and that there should be a new standard for Validation & Verification.

With those in place, we think we cover all the critical phases of an investigation (and we are not going to say “forensic” because we now believe it is appropriate to broaden the standards so that every investigation is carried out to a high standard just in case it needs to go to court) – so I’m curious where the extra discussion has come from. Maybe the committee has realised just how much I like the sound of my own voice?


Twits in court

Posted on March 28, 2011. Filed under: forensic

Here’s an interesting one – a friend of mine was giving evidence in crown court today and has just sent a text message to say that a journalist mentioned their name on Twitter.

Not so surprising? Their name will probably appear in the press reports in tomorrow’s paper anyway. Well, yes – except for one thing. The tweeting was happening in real time. As the witnesses were being cross-examined a journalist was relaying highlights directly from the courtroom.

Now – I can’t help but wonder what effect this could have on the testimony of a witness who has yet to be called and who is being kept away from the court in a witness room. Usual practice calls for witnesses to give their evidence without hearing anyone else’s to ensure that they have not been influenced by anything that has happened in the court (with the exception of “experts” who have been granted the privilege of sitting in court to advise counsel).

Mobile data networks and blogging sites, of course, can completely destroy this isolation – witnesses can be sitting in the witness room receiving selected detail of the evidence as it is presented, possibly very carefully filtered by someone who really wants to influence them.

In this case, I don’t think that’s what happened – it’s just yet another instance of someone using a technology without thinking through the consequences.

Perhaps it’s time to revisit the issue of technology in court – cameras have been banned almost since they were invented – perhaps we need a blanket ban on everything which can communicate with the outside world, in the interests of impartiality and fairness for all? Perhaps news, just like travel and food, would be better for being a little slower?


Ready or not?

Posted on March 25, 2011. Filed under: forensic, security

In a couple of weeks time I’ll be off to Singapore, missing the Malaysian GP (but flying over it), to attend the next ISO/IEC SC27 meeting. Another week of sitting in meeting rooms in an exotic location.

While there, I’ll be proposing some new work that the UK delegation feels is necessary to complement the existing work on ISO 27037 (Identification, acquisition and preservation of digital evidence). Our view is that 27037 represents the middle of a 3-stage sub-process in Information Security Incident handling.

By the time you need to collect potential evidence, an incident has already occurred – and in order to be able to collect useful material you need a plan. Our view is that IS Incident Investigation should start with proper planning, then move on to collection and finally analysis & reporting. All of which should be properly underpinned by a robust validation & verification mechanism.

So – we are going to propose that some new work on IS Incident Investigation Readiness should be conducted, with a view to including it in ISO 27035 (Security Incident Management). Why there rather than in 27037 or a new standard?

Well – Investigation is just one possible response to an incident – a common and useful one, but not the only one, so it makes sense to have it included in the management standard, which already includes risk assessment & management. Planning needs to come from an understanding of possible incidents and the systems which can be affected. Also, we know that many companies, particularly SMEs, will need to outsource the collection & analysis stages – which is perfectly acceptable – but still need to do their own planning to ensure that the organisation they call in can understand the nature of the incident and the systems affected, and that the methods to be employed in stages 2 & 3 meet the requirements of the plan.

I think it’s necessary work – certainly based on reports I’ve heard over the years from companies who complain that intellectual property breaches and acquisition of commercially sensitive data have not been investigated or prosecuted properly. In every case I’ve considered there has been a failing from day 1 on the part of the company – they didn’t take proper actions to secure the information or data, and they had no mechanism in place to prevent or investigate. As someone once said “Fail to plan and you plan to fail”.

There’s nothing really new in this – Incident Response guides recommend investigation as well as post-incident clean-up as good practice. It helps the organisation to learn from mistakes. The only real difference is that we are planning to set an international minimum standard for it – to help people understand the basic requirements.

If you haven’t already done some planning for incident investigation – why not start now? Or give me a call or e-mail? It needn’t take long, or be hugely expensive – but it could save a fortune if something untoward does happen.

P.S. – note that I haven’t said “forensic” anywhere in this note – not every investigation results in court action – sometimes it just results in improvements internally.


Contracting

Posted on March 10, 2011. Filed under: forensic, life

Just recently I’ve been having discussions about possibly becoming a contractor for a little while and it’s thrown up a question that’s haunted me ever since I started examining other people’s computers.

I’m a fan of open-source software and I really do believe that one of the benefits I offer as a consultant is the fact that I don’t use the same examination kit as everyone else. It means that when I check their results or they check mine we are using significantly different tools, and mine are open for anyone to scrutinise at the source-code level. So, if we find a discrepancy we can dig deep into at least one of the tools, if necessary, to find the reason why. It’s proper dual-tooling, or as close as we can get for now.

Now, in the past I’ve had to explain this (because there are two or three tools that everyone expects to see and eyebrows are raised when I don’t mention them) but it has never stopped me getting an expert witness job. The critical word there is “expert” – in that role I am supposed to exercise my judgment to select the best tools and methods for the job.

However, a contractor is a different creature – if I do get offered this job, I have to fit into someone else’s working environment and do things their way with their tools. I can do it. In my academic life I had to learn new skills, tools etc. very quickly and be able to teach them to other people. It’s a knack that a good lecturer picks up soon, or they don’t survive in labs for long. The question is, will the client believe I can do it or will they wait until they find someone with the right piece of paper instead?

My argument, for what it’s worth, is that I can learn the tool quickly and, because I have a background in computer science and am used to creating little ad-hoc tools whenever I need them, I can check the tool’s results in a way that someone who just knows the program might not be able to.

We shall see.

Meanwhile, in the world of standards and regulation things have gone quiet in the Regulator’s office. His contract has been extended for another 3 years, but I rather think he’s suffering from budget cuts elsewhere. No matter, plans are well underway for the next ISO meeting in Singapore where we will be trying to get some new work approved to go beyond the current ISO/IEC 27037 and ensure we have guidance for a complete process from planning through acquisition to analysis, with proper validation all the way through.


Expertise vs. common sense

Posted on January 23, 2011. Filed under: forensic

My attention has been drawn to http://www.wired.com/threatlevel/2011/01/morphed-child-porn/ in which it is reported that a professional expert witness deliberately produced manipulated images as part of a defence case.

What he chose to do was to buy pictures of children from a stock photo library and then alter them to show the children engaging in sexual activity. In one case, it seems, it would have been fairly obvious that the image was fake as the child’s head had been placed onto an adult body.

However – I am left with one fundamental question – “what on earth was he thinking?”

There is absolutely no need to produce the sort of pseudo-image that is described in the article in order to show how easily digital images can be manipulated. Why could he not have carried out the same sort of manipulation using innocent imagery, or at least images of adults? Does this expert really think the jury are so unintelligent that they cannot see the connection between his examples and what might happen in reality?

More worryingly – why are so few of the comments associated with this article concerned with the fact that he produced offensive and obscene images (illegal in several countries) and more concerned with breach of licensing agreements?

Maybe we need to start carrying out more certification of expert witnesses – beyond concepts of competence and into the realms of professionalism and ethics?


Ideas beginning to sprout

Posted on September 15, 2010. Filed under: Education, forensic

Last week, I was in Brussels for the launch of the latest Framework Programme 7 security call. In amongst all the usual work proposals for activities on counter-terrorism, border controls, communications and collaboration, there are a couple of items with the “F” word in them. (calm down Mr. Ramsay – I mean Forensic, of course).

They are “Digital Forensic Capability” and “Advanced Forensic Framework”. Both topics call for exploration of methods to improve the perceived reliability of evidence, demonstrate competence of scientists and allow for greater portability of evidence from one jurisdiction to another.

As I read through the topic summaries, it struck me that forensic science may not be in quite the poor state that they seem to imply. Generally, there is an acceptance that the ISO17020 & ISO17025 standards can be applied to crime scene & forensic science (through the addition of interpretive guidance documents such as ILAC G19) and most good conventional labs are already accredited to those standards.

In England we have the Code of Conduct being produced by the Forensic Science Regulator, which serves as further clarification, and it looks like the ISO SC27 group’s work on Digital Forensic Standards (more on that when I get back from Berlin next month) may well produce something very concrete for digital forensics in the next year or two.

However, those deal with the short to medium term situation. These projects are an opportunity for the forensic science community to come together to share experiences across disciplines, involving the litigators and the investigators too, to look to the future and agree frameworks for validation of future methods. They’re also a great chance for us to take a step back and look more closely at how we train & educate our scientists, investigators and legal representatives to see if we can agree some common minimum standards which will allow evidence & professionals to move more freely around Europe, if not the world. If we can reach agreement, we can reduce time and cost wasted in dealing with material which should either never exist, or is completely non-contentious.

Best of all, it’s a requirement that any project proposals must involve several countries and the very nature of these projects means that they will be multi-disciplinary too. Even if we don’t get the money (I have two outlines circulating for comments already – email me if you would like to get involved), there are some great opportunities to establish new partnerships just through the bidding process.


Requirement acquirement

Posted on May 19, 2010. Filed under: All, forensic

In a few recent posts, I’ve talked about the “fitness for purpose” challenge and the fact that it seems to be causing confusion or consternation amongst those who haven’t dismissed it as irrelevant. Partly, I think, this is because of misunderstanding about what the regulatory environment really means. The Forensic Science Regulator’s primary role is to produce Quality Standards for Forensic Science, not to define procedures. In that context, “fitness for purpose” is a test of whether or not something passes tests to show that it is fit for whatever purpose the forensic science provider wishes to use it for. Nothing more. There is no complex or secret agenda here. It’s simply a question of demonstrating that anything being used (method, process or tool) meets the requirements defined by the person using it, or by their customers.

Having recently written a “complementary evidence” report, in which I gave an independent view of some deviation from accepted procedures, I am now convinced that the approach we came up with at the meeting in December (see http://www.n-gate.net/ under “Regulation”) is right – we need to consider whether or not we can produce a set of industry-wide requirements which can be used as a starting point or menu by each provider. If we can get them agreed by the industry, we have the potential to standardise testing of methods, processes and tools as well as identifying gaps in current practice, and laying the groundwork for the future.

“Where to begin?” has been the stumbling block for the last couple of months, but now I have an idea. Watch this space and http://www.n-gate.net/ for progress.

Unrelated: I’ve been playing with a product called ZumoDrive on my Mac, Palm Pre (thank you HP – WebOS has a future it seems!) and Linux server for a few weeks now. At the basic level it’s a free 2Gb cloud filespace which can link folders across multiple machines so they are always in sync as well as appearing as a targetable drive on all machines. It hasn’t fallen over yet and is providing me with an online backup for some important, but not confidential, files as well as taking over as a music storage service. Highly recommended. Upon installation, you get 1Gb free, but if you complete the online “dojo” training, you get another 1Gb (http://www.zumodrive.com/). Don’t rely on it as your only backup – but if you need to have access to different types of files in multiple locations, try it out – it even has version tracking and a web interface. (Apparently, it works on some lesser smartphones too ;P )


Fitness for Purpose revisited

Posted on April 29, 2010. Filed under: forensic

I posted a hint, a few weeks ago, that I was intrigued by differing attitudes to the validation task which is effectively required by ISO17025 and the Forensic Science Regulator’s standards.

The two attitudes seem to be:

  • “Well, it’s just testing isn’t it? How hard can it be?”
  • “We have to do it, but think of the complexity! How many hardware and software configurations do we need to consider?”

One comes from end-users of the tools, one from developers. I’ll let you decide which is which. The second response, though, is particularly interesting in light of some stories I’ve heard from teams who have tried to get accreditation for mobile phone work. There has been a suggestion that they have to test every handset which their systems claim they support – even the American spec. phones which don’t work in the UK.

Interestingly, in spite of the requirement to do this validation, there doesn’t seem to be much work going on to determine what we mean by “valid”. Personally, I fall back on software engineering definitions of validation and verification in this situation – it has to do the right thing in the right way. How do we find out how commercial software is doing something anyway?

Back in December, I hosted a meeting of some industry representatives – mainly people I know or who were recommended to me – to look at the problem more closely. To start the ball rolling, I asked a couple of questions:

  • What do we mean by fitness for purpose?
  • What do we mean by purpose?

Fairly obviously, the second question needs to be answered before the first can be dealt with, but the outcome of the discussions we had was quite fascinating to me. You can find a copy of the full report in the “Regulation” section at http://www.n-gate.net/, but the short version is – we struggled to define purpose.

As we considered the various phases of a digital forensic investigation, and the different types of devices, methods and data which might have to be considered it became clear that relatively few people have sat down and done a proper old-fashioned requirements analysis. The view of the group was that we should launch a pilot programme to see if a requirements-led approach can work. The group recommended starting with the data acquisition phase (carefully chosen phrase as it encompasses non-digital data too) as this is the foundation of everything else that can be done.

Thinking more about this process has led me to start challenging accepted wisdom in digital forensics – for example, do we always have to try to get a complete image of every storage device? Even the ACPO guide doesn’t say it, but anyone who doesn’t can rely on their methods being challenged in court. A proper requirements analysis, determined in part by the type of case, might help here.

As always, though, we have the golden question – who has the gold to pay for this?

(If you have any to spare, let me know – I’d love to get my teeth into this problem properly)


Reuse

Posted on April 8, 2010. Filed under: Education, forensic

or re-use ? Either way – this article (thanks for bringing it to my attention, Darren) expands on something that gets a mention in my next IRQ column in Digital Forensics Magazine – so that’s saved me a job (Oh! the irony!) for this week.

The regulator’s working group on digital forensics met for the first time in nearly a year yesterday – and the validation/verification debate kicked off again. Interestingly there was a clear split between the software engineers and the rest of the community – I’m going to ponder and reflect for a while longer and then post something here about it, I think. Meanwhile, if you haven’t seen the papers I’ve produced (with the support and help of some industry figures), you’ll find them here.


What’s in a name?

Posted on March 29, 2010. Filed under: All, forensic

I’M ON THE TRAIN!

on my way back from yet another meeting. Funny how I used to hate them when I was a salaried employee, but find them quite interesting since there’s no way they can turn into extra work, unless I want them to, now.

The topic and participants aren’t really relevant to this entry, other than to note that it was a meeting about standards (of a sort) in digital forensics and that the participants were drawn from quite a wide community.

What I found really interesting about it was the way that the meeting seemed to start with the premise that digital forensics is a sub-discipline of information security. That’s something I’ve heard time and time again over the years and have even struggled with when it comes to getting papers published. The info. sec. community quite rightly understand that there is a “forensic” element required in their work – especially when things go wrong or when some sort of attack is attempted, but I would argue that digital forensics goes beyond the realms of info. sec. (and that’s why I always got bad referees’ reports on papers).

It’s not just about law enforcement either, which is the other view I’ve heard expressed on occasion.

No, to me, digital forensics is about the investigation of activity using data found on digital devices. The activity itself may not be a crime, may not constitute misuse, but may have some value in another context. Yes we ought to understand that, strictly speaking, “forensic” means it relates to courts & the law, but common use of the word now seems to mean “investigative science” (isn’t that redundant – isn’t all good science investigative anyway?) and digital forensics is a tool which can be deployed in a multitude of contexts. So, my stance is that it overlaps law enforcement and information security as a discipline in its own right, with features from both of those areas and more.

In fact – on Wednesday this week, snow permitting, I’ll be talking about yet another use – digital forensics in fire investigation – in Aberdeen.

Leave your thoughts and comments and I might award a buttery for the best one 😉

Of course, maybe the real problem is that we haven’t stopped to define digital forensics properly yet…

About

This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics: digital evidence in criminal investigations and MD at n-gate ltd.