Ready or not ?

Posted on March 25, 2011. Filed under: forensic, security

In a couple of weeks time I’ll be off to Singapore, missing the Malaysian GP (but flying over it), to attend the next ISO/IEC SC27 meeting. Another week of sitting in meeting rooms in an exotic location.

While there, I’ll be proposing some new work that the UK delegation feels is necessary to complement the existing work on ISO 27037 (Identification, acquisition and preservation of digital evidence). Our view is that 27037 represents the middle of a 3-stage sub-process in Information Security Incident handling.

By the time you need to collect potential evidence, an incident has already occurred – and in order to be able to collect useful material you need a plan. Our view is that IS Incident Investigation should start with proper planning, then move on to collection and finally analysis & reporting. All of which should be properly underpinned by a robust validation & verification mechanism.

So – we are going to propose that some new work on IS Incident Investigation Readiness should be conducted, with a view to including it in ISO 27035 (Security Incident Management). Why there rather than in 27037 or a new standard ?

Well – Investigation is just one possible response to an incident – a common and useful one, but not the only one, so it makes sense to have it included in the management standard, which already includes risk assessment & management. Planning needs to come from an understanding of possible incidents and the systems which can be affected. Also, we know that many companies, particularly SMEs, will need to outsource the collection & analysis stages – which is perfectly acceptable – but still need to do their own planning to ensure that the organisation they call in can understand the nature of the incident and the systems affected, and that the methods to be employed in stages 2 & 3 meet the requirements of the plan.

I think it’s necessary work – certainly based on reports I’ve heard over the years from companies who complain that intellectual property breaches and acquisition of commercially sensitive data have not been investigated or prosecuted properly. In every case I’ve considered there has been a failing from day 1 on the part of the company – they didn’t take proper actions to secure the information or data, and they had no mechanism in place to prevent or investigate. As someone once said “Fail to plan and you plan to fail”.

There’s nothing really new in this – Incident Response guides recommend investigation as well as post-incident clean-up as good practice. It helps the organisation to learn from mistakes. The only real difference is that we are planning to set an international minimum standard for it – to help people understand the basic requirements.

If you haven’t already done some planning for incident investigation – why not start now ? Or give me a call or e-mail ? It needn’t take long, or be hugely expensive – but it could save a fortune if something untoward does happen.

P.S. – note that I haven’t said “forensic” anywhere in this note – not every investigation results in court action – sometimes it just results in improvements internally.


Contracting

Posted on March 10, 2011. Filed under: forensic, life

Just recently I’ve been having discussions about possibly becoming a contractor for a little while and it’s thrown up a question that’s haunted me ever since I started examining other people’s computers.

I’m a fan of open-source software and I really do believe that one of the benefits I offer as a consultant is the fact that I don’t use the same examination kit as everyone else. It means that when I check their results or they check mine we are using significantly different tools, and mine are open for anyone to scrutinise at the source-code level. So, if we find a discrepancy we can dig deep into at least one of the tools, if necessary, to find the reason why. It’s proper dual-tooling, or as close as we can get for now.

Now, in the past I’ve had to explain this (because there are two or three tools that everyone expects to see and eyebrows are raised when I don’t mention them ) but it has never stopped me getting an expert witness job. The critical word there is “expert” – in that role I am supposed to exercise my judgment to select the best tools and methods for the job.

However, a contractor is a different creature – if I do get offered this job, I have to fit into someone else’s working environment and do things their way with their tools. I can do it. In my academic life I had to learn new skills, tools etc. very quickly and be able to teach them to other people. It’s a knack that a good lecturer picks up soon, or they don’t survive in labs for long. The question is, will the client believe I can do it or will they wait until they find someone with the right piece of paper instead ?

My argument, for what it’s worth, is that I can learn the tool quickly and, because I have a background in computer science and am used to creating little ad-hoc tools whenever I need them, I can check the tool’s results in a way that someone who just knows the program might not be able to.

We shall see.

Meanwhile, in the world of standards and regulation things have gone quiet in the Regulator’s office. His contract has been extended for another 3 years, but I rather think he’s suffering from budget cuts elsewhere. No matter, plans are well underway for the next ISO meeting in Singapore where we will be trying to get some new work approved to go beyond the current ISO/IEC 27037 and ensure we have guidance for a complete process from planning through acquisition to analysis, with proper validation all the way through.


Expertise vs. common sense

Posted on January 23, 2011. Filed under: forensic

My attention has been drawn to http://www.wired.com/threatlevel/2011/01/morphed-child-porn/ in which it is reported that a professional expert witness deliberately produced manipulated images as part of a defence case.

What he chose to do was to buy pictures of children from a stock photo library and then alter them to show the children engaging in sexual activity. In one case, it seems, it would have been fairly obvious that the image was fake as the child’s head had been placed onto an adult body.

However – I am left with one fundamental question – “what on earth was he thinking ? ”

There is absolutely no need to produce the sort of pseudo-image that is described in the article in order to show how easily digital images can be manipulated. Why could he not have carried out the same sort of manipulation using innocent imagery, or at least images of adults ? Does this expert really think the jury are so unintelligent that they cannot see the connection between his examples and what might happen in reality ?

More worryingly – why are so few of the comments associated with this article concerned with the fact that he produced offensive and obscene images (illegal in several countries) and more concerned with breach of licensing agreements ?

Maybe we need to start carrying out more certification of expert witnesses – beyond concepts of competence and into the realms of professionalism and ethics ?


ISO ISO baby – part 1

Posted on October 8, 2010. Filed under: All, Education, forensic

As I write this, it’s 8:50 a.m. on Friday in Berlin. I’ve been here since Sunday night attending a meeting of ISO/IEC JTC1 SC27 (that’s the Information Technology – Security Techniques sub-committee to anyone who isn’t fluent in standards committee numbers).

It’s my first time at an event of this type, though I’ve been to a few BSI meetings to discuss the work that’s going on within ISO that relates to “forensic” work. More on that in the next post.

What I’ve found fascinating this week, though, is the way language is being used. Within ISO the convention is to use English for all meetings and documents – but it isn’t quite the English that you or I know. It isn’t the Queen’s English, it isn’t American English, it isn’t even Euro-English – it’s something quite strange. It’s ISO English.

Words that we think we know the meaning of have to be defined and, much like Humpty Dumpty, when a drafting committee (the body responsible for defining a standard) uses a word, it means exactly what that committee wants it to mean, no more and no less.

As a result, ISO has had to produce a Concepts Database to manage the definitions. Try it – see if the words you thought you understood have the same meaning(s). You’ll find it at http://cdb.iso.org/. Don’t bother looking for “forensic”, by the way – it isn’t there.


Requirement acquirement

Posted on May 19, 2010. Filed under: All, forensic

In a few recent posts, I’ve talked about the “fitness for purpose” challenge and the fact that it seems to be causing confusion or consternation amongst those who haven’t dismissed it as irrelevant. Partly, I think, this is because of misunderstanding about what the regulatory environment really means. The Forensic Science Regulator’s primary role is to produce Quality Standards for Forensic Science, not to define procedures. In that context, “fitness for purpose” is a test of whether or not something passes tests to show that it is fit for whatever purpose the forensic science provider wishes to use it for. Nothing more. There is no complex or secret agenda here. It’s simply a question of demonstrating that anything being used (method, process or tool) meets the requirements defined by the person using it, or by their customers.

Having recently written a “complementary evidence” report, in which I gave an independent view of some deviation from accepted procedures, I am now convinced that the approach we came up with at the meeting in December (see http://www.n-gate.net/ under “Regulation”) is right – we need to consider whether or not we can produce a set of industry-wide requirements which can be used as a starting point or menu by each provider. If we can get them agreed by the industry, we have the potential to standardise testing of methods, processes and tools as well as identifying gaps in current practice, and laying the groundwork for the future.

“Where to begin?” has been the stumbling block for the last couple of months, but now I have an idea. Watch this space and http://www.n-gate.net/ for progress.

Unrelated : I’ve been playing with a product called ZumoDrive on my Mac, Palm Pre (thank you HP – WebOS has a future it seems!) and Linux server for a few weeks now. At the basic level it’s a free 2Gb cloud filespace which can link folders across multiple machines so they are always in sync as well as appearing as a targetable drive on all machines. It hasn’t fallen over yet and is providing me with an online backup for some important, but not confidential, files as well as taking over as a music storage service. Highly recommended. Upon installation, you get 1Gb free, but if you complete the online “dojo” training, you get another 1Gb. ( http://www.zumodrive.com/ ). Don’t rely on it as your only backup – but if you need to have access to different types of files in multiple locations, try it out – it even has version tracking and a web interface. (Apparently, it works on some lesser smartphones too ;P )


Fitness for Purpose revisited

Posted on April 29, 2010. Filed under: forensic

I posted a hint, a few weeks ago, that I was intrigued by differing attitudes to the validation task which is effectively required by ISO17025 and the Forensic Science Regulator’s standards.

The two attitudes seem to be :

  • “Well, it’s just testing isn’t it ? How hard can it be ? “
  • “We have to do it, but think of the complexity! How many hardware and software configurations do we need to consider ? “

One comes from end-users of the tools, one from developers. I’ll let you decide which is which. The second response, though, is particularly interesting in light of some stories I’ve heard from teams who have tried to get accreditation for mobile phone work. There has been a suggestion that they have to test every handset which their systems claim they support – even the American spec. phones which don’t work in the UK.

Interestingly, in spite of the requirement to do this validation, there doesn’t seem to be much work going on to determine what we mean by “valid”. Personally, I fall back on software engineering definitions of validation and verification in this situation – it has to do the right thing in the right way. How do we find out how commercial software is doing something anyway ?

Back in December, I hosted a meeting of some industry representatives – mainly people I know or who were recommended to me, to look at the problem more closely. To start the ball rolling, I asked a couple of questions

  • What do we mean by fitness for purpose ?
  • What do we mean by purpose ?

Fairly obviously, the second question needs to be answered before the first can be dealt with, but the outcome of the discussions we had was quite fascinating to me. You can find a copy of the full report in the “Regulation” section at http://www.n-gate.net/, but the short version is – we struggled to define purpose.

As we considered the various phases of a digital forensic investigation, and the different types of devices, methods and data which might have to be considered it became clear that relatively few people have sat down and done a proper old-fashioned requirements analysis. The view of the group was that we should launch a pilot programme to see if a requirements-led approach can work. The group recommended starting with the data acquisition phase (carefully chosen phrase as it encompasses non-digital data too) as this is the foundation of everything else that can be done.

Thinking more about this process has led me to start challenging accepted wisdom in digital forensics – for example, do we always have to try to get a complete image of every storage device ? Even the ACPO guide doesn’t say it, but anyone who doesn’t can rely on their methods being challenged in court. A proper requirements analysis, determined in part by the type of case might help here.

As always, though, we have the golden question – who has the gold to pay for this ?

(If you have any to spare, let me know – I’d love to get my teeth into this problem properly)


Reuse

Posted on April 8, 2010. Filed under: Education, forensic

or re-use ? Either way – this article (thanks for bringing it to my attention, Darren) expands on something that gets a mention in my next IRQ column in Digital Forensics Magazine – so that’s saved me a job (Oh! the irony!) for this week.

The regulator’s working group on digital forensics met for the first time in nearly a year yesterday – and the validation/verification debate kicked off again. Interestingly there was a clear split between the software engineers and the rest of the community – I’m going to ponder and reflect for a while longer and then post something here about it, I think. Meanwhile, if you haven’t seen the papers I’ve produced (with the support and help of some industry figures), you’ll find them here.


What’s in a name ?

Posted on March 29, 2010. Filed under: All, forensic

I’M ON THE TRAIN!

on my way back from yet another meeting. Funny how I used to hate them when I was a salaried employee, but find them quite interesting since there’s no way they can turn into extra work, unless I want them to, now.

The topic and participants aren’t really relevant to this entry, other than to note that it was a meeting about standards (of a sort) in digital forensics and that the participants were drawn from quite a wide community.

What I found really interesting about it was the way that the meeting seemed to start with the premise that digital forensics is a sub-discipline of information security. That’s something I’ve heard time and time again over the years and have even struggled with when it comes to getting papers published. The info. sec. community quite rightly understands that there is a “forensic” element required in their work – especially when things go wrong or when some sort of attack is attempted, but I would argue that digital forensics goes beyond the realms of info. sec. (and that’s why I always got bad referees’ reports on papers).

It’s not just about law enforcement either, which is the other view I’ve heard expressed on occasion.

No, to me, digital forensics is about the investigation of activity using data found on digital devices. The activity itself may not be a crime, may not constitute misuse, but may have some value in another context. Yes we ought to understand that, strictly speaking, “forensic” means it relates to courts & the law, but common use of the word now seems to mean “investigative science” (isn’t that redundant – isn’t all good science investigative anyway ? ) and digital forensics is a tool which can be deployed in a multitude of contexts. So, my stance is that it overlaps law enforcement and information security as a discipline in its own right, with features from both of those areas and more.

In fact – on Wednesday this week, snow permitting, I’ll be talking about yet another use – digital forensics in fire investigation – in Aberdeen.

Leave your thoughts and comments and I might award a buttery for the best one 😉

Of course, maybe the real problem is that we haven’t stopped to define digital forensics properly yet…


Websites and fitness for purposes tests

Posted on November 2, 2009. Filed under: 1, All, forensic

Websites : new material on the book website – now up to chapter 6 with the exercises! (bet it’ll take me longer to do the model answers though) – see http://www.digital-forensics.org.uk/

Fitness for purpose tests

In the last week or so I’ve been talking to a lot of people about the “fitness for purpose (ffp)” requirement that the regulator’s working group have recommended for the digital evidence standard. We’ve been kicking around ideas about how this can be demonstrated. At one level, the vendors could go for ISO17025 or CESG CTM (CTM) certification themselves – but this only really tests the product “out of the box” as they ship it, with no real accounting for how it is used in the field. This is a particular problem, I think, for anything which includes scripting capabilities as each script will still need to pass the ffp test. It gets worse when we start to think about all the really good open source, non-forensic software and tools produced by small companies without the budget or resources for performing their own ffp testing.

I am more convinced than ever that we need to introduce a national ffp testing service which can deal with the complexities of non-standard hardware and software combinations, in-house developed tools and rapid deployment of vital patches.

It’ll be a heck of a challenge to get it right, but you know something ? – I really want to try to make it work!


About

This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics : digital evidence in criminal investigations and MD at n-gate ltd.