Computer Forensics: Still in the Stone Age

Despite the popularity of forensic science, automated, digital evidence-gathering and analysis tools lag.

Half of the FBI’s cases involve computers, and digital evidence is a factor in many a court case. Yet the computer forensic discipline is still in its infancy, and shows no signs of rapidly maturing anytime soon.

So says Dan Farmer, perhaps best known as the author of SATAN (Security Administrator’s Tool for Analyzing Networks). He also co-authored Forensic Discovery, a book covering the theory and hands-on practice of forensic computing. Enterprise Strategies spoke to him recently to learn more about forensic computing.

How has computer forensics changed since you started taking an interest?

I got into forensics seriously back in about ’98, and the state then was really dire. … In the seven years since, I’d like to say there have been huge improvements and rapid technological investments, but we’ve only gone a small bit forward. There are now some readily available analysis tools, and a few more products are out now.

Why doesn’t the computer forensic discipline advance more quickly?

One of the fundamental problems we have now in forensic computing is [that] we have a very sparse understanding of how computers work. We don’t know a lot about what sits in memory and … how long it lasts, or what goes onto a disk, or the internals.

There’s just so much that’s been added to computers that we really don’t understand. You can write something to read the memory and such, but there’s the difficulty of knowing what’s going on. … And if you don’t know what’s going on on the machine, oftentimes in very serious situations—murders, name your horrible crime—if you have [these] mysterious underpinnings, getting the information you need is tough.

How widespread is the need for computer forensic investigators?

According to the FBI, half their cases now involve computers.

In general, how reliable is evidence gained from computers?

Digital data is so easy to modify and manipulate, and our understanding of computers and the interconnection of all these subsystems is so weak, that I think people are over-confident about the integrity of the data and the results they achieve.

Are you singling anyone out when you say that?

No, it’s just that we’re a step or two away from the Stone Age. …

For example, the U.S. Department of Justice has in the recommendations that you should turn off the power of a computer before you [begin] analysis. I, on the other hand, think there’s all this stuff in memory, in the subsystems and peripherals, that if you turn off the system you could lose all this data. Now there are reasons for turning it off—I’m not saying one approach is right or wrong—but we haven’t gotten to a point where we can all agree.

All of these boil down to the fear of compromising or destroying the data, or the fear of what’s going on on the system. Right now we’re either at a place where people don’t get enough data and can’t draw conclusions, or are over-confident in getting their data, or they don’t know how to use the tools they’re using. …

What are common forensics tools?

EnCase is by far the most common one. That’s on a PC. Basically it allows you to capture a disk or part of a computer and conduct some simple searches, and for what it does it seems like a fine tool. And it does some on the Unix and Linux side. … I [also] authored some tools which were then improved by Brian Carrier and called Sleuth Kit.

Those are the two most popular ones that I’ve come across, but even so, the amount of analysis and automation you can do [is limited]. … What you [ultimately] want to be able to do is allow a person who’s well-intentioned but not necessarily an expert in computers to hit a button or two and spit out results.

Where can people go to learn more about computer forensics?

Great question. One of the questions would be: What are you really trying to figure out? Do you want to be a forensics professional, or do you want to learn about this as a hobby or amateur sleuth, or are you a systems administrator looking to bone up so if something happens you can take a first pass at it?

I always go back to the books. … In general, there are a lot of analogs between the physical world and the digital realm, and there are some excellent books on criminalistics … [including] Richard Saferstein’s Forensic Science Handbook. It’s a wonderful book, in its eighth edition.

Why is the subject of forensics—obviously including the various CSI television series—so popular today?

A lot of it is just about the whole puzzle-solving; people love mysteries and crime novels. What people who are in the field understand a lot more than people who are not in the field is that forensics is not just a game; forensic computing is often dealing with very serious things and there’s a gravity here that exceeds other realms of computer security. There’s much more at stake than when you do computer auditing and such, just because of what the conclusions might bring up.

Forensic computing in itself is inherently the same as any other realm of computer science: there are certain parameters [and] you approach it with a certain mindset. But when you work on cases that involve murder, or rape, or death, or espionage, or child pornography—all kinds of stuff—it can affect someone. I don’t know if you’ve ever interviewed people like homicide detectives, but … it takes its toll. And God bless them, that there are people out there.

Do you know of any efforts underway, perhaps with Microsoft, to better facilitate computer forensic experts’ work?

I believe that if you’re even modestly careful, and you break into a computer—name your computer: White House, big bank, whatever high-security company you want—and if you break in once and then get out of there, it’s not possible for an investigator to track you down and catch you. It’s so unlike other crimes and other situations, where you can do something and leave evidence behind. You leave tire tracks behind and they get matched up to a vehicle, you go back and interview people. [But with computers] it takes repeated events to track someone down, unless they’re being very careless.

With regard to [better facilitating computer forensics], Microsoft is just one company. … Every peripheral, disk, all these subsystems in your computer have their own memory, their own operating system, their own CPU. So even if Microsoft declared forensics their top priority, you have to work with all these other manufacturers to go forward. Then think about all the other applications running on top. … The problem with forensics and dealing with this stuff is it runs the gamut from machine to applications. …

That said, you could go a fair bit if you wanted to create an operating system that was forensics-friendly, and I think we’ll get to a point down the road where despite the manufacturers, you can capture most of the salient information. I just don’t think it will come from the manufacturers.

What could facilitate major advances in computer forensics?

I would never try to predict ingenuity or inventiveness … [but] forensic computing is a very hard problem, especially on the analysis side—the automated analysis. If it becomes a priority in spending, whether the government is driving spending or companies get interested in this, I think we’ll see some pretty remarkable things happening. Otherwise, it’s going to be a while.

How can information security administrators create a more forensics-friendly environment now?

[By] creating audit logs and trails of activity, and focusing on auditing and data integrity. If you can do those things, it will enhance [your] forensic abilities.

Related Articles:

Forensic Contingency Planning: Where to Start
http://esj.com/Security/article.aspx?EditorialsID=1541

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.