Rod,

Other things I think you should consider addressing in the interview, besides encryption, include:

Standards and certification of people, processes and technologies: We currently have a hodgepodge of certifications out there. Some are focused only on a specific tool set. Some are focused on a particular methodology. Some are open only to a certain subset of practitioners. Some are nothing more than a marketing gimmick to sell more of a particular tool, methodology or training. As we move into the future, a recognized certification and accreditation body like the American Society of Crime Lab Directors or NIST or some other body should promulgate a formal certification and accreditation methodology for people, processes and technologies in this discipline.

I see you are in Germany. How about international standards? Since the courts and laws in different countries are so varied, can there really be an international standard for computer forensics? If you take the abstract standards that apply in every jurisdiction (least common denominator), are they really rigorous enough for any particular jurisdiction?

The specification of a certification process for people, processes and technologies, while being controlled by an entity recognized by everyone in the discipline, should not be closed to any subset of practitioners. Here in the States, NIST is making some small headway in a tool set specification, but has only addressed an imaging specification and has not allowed open participation by our community. And the process is terribly slow. They just recently (Aug 02) published tests of a specific imaging tool (dd from fileutils version 4.0.16) using their imaging specification to craft test cases. But those tests were accomplished almost a year ago. Not only that, the version of fileutils tested (4.0.16) was superseded in April 01 with version 4.1. This is something our community must deal with. Getting test results in Aug 02 for a tool that was superseded by a newer version in April 01 is not going to keep our practitioners on the cutting edge.

We need a standard set of definitions. Anyone with a new marketing idea can put his or her spin on our terms. That is unacceptable. Some practitioners think of Computer Forensics as a very focused set of tasks involved primarily in what I call Media Analysis. I believe Computer Forensics, as an overarching discipline, has many specialized sub-disciplines, including media analysis, imagery enhancement, audio and video enhancement, database visualization, and more. But others may not agree. We have no standardized dictionary. My version of Computer Forensics is just as valid as anyone else's. And mine may not actually be the most appropriate.

I also think there is a big difference between an "investigative" tool and a "forensic" tool. To me, the term "forensic" has a very clear meaning in the context of computer investigations (back to the dictionary again). For me, part of what makes something "forensically" sound is repeatability. If I image a hard drive today, and image it tomorrow, and image it again using a forensically sound methodology and a "forensic" toolset, the results will not vary. But imaging a live system is not repeatable in relation to the output. I cannot image it today, and image it tomorrow, and image it again the next day and get the exact same results. From an investigative standpoint, I may very well learn something valuable and useful, but it is not a "forensic" process. So there again we get to the need for definitions. What is a "forensic" tool? What characteristics should a forensic tool have that make it separate and distinct from an investigative tool?

OK. Now to more mundane things. How about portable devices? They are ubiquitous. We need tools that can talk to a wide range of devices. My cell phone is also a Palm Pilot. Soon, the cell phone will also be a pager, a phone and a computer (vice a mere PDA).

File system and operating system security and privacy utilities are now an issue for investigators. As are enterprise environments. The standalone PC is nearly history. Almost every PC gets connected to a network via NIC or modem these days. So investigators must have more training in networking, including network traffic routing hardware and software. And how about collecting data from Intrusion Detection Systems using a methodology that will get the data in court? That is a good topic for discussion. How the system is implemented/deployed can have a tremendous impact on the viability of any data or evidence an investigator can collect.

Well, I'm rambling on now. So I'll quit. I could write about this topic all day.

James

===============================
James O. Holley
Ernst & Young
Litigation Advisory Services & Computer Forensic Services
http://litigation.ey.com
Office: 703.747.1059
Fax: 703.747.0104
Lab: 703.747.0253
Pager: 888.620.5275
Pager email: 6205275 "AT" skytel.com
===============================

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
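The repeatability criterion James describes (two acquisitions of a static drive hash identically, two acquisitions of a live system do not) can be checked mechanically. The following is an added example, not code from the original mail or from any tool it names; the 512-byte block size and the sample "drive" contents are constructed for illustration.

```python
"""Repeatability check for two acquisitions of the same source.

Whole-image hashes show whether the result is repeatable; per-block hashes
show *where* a live source changed between passes, which is the evidence an
examiner would want when explaining why a live capture is investigative
rather than forensic in the sense used in the mail above."""
import hashlib

BLOCK_SIZE = 512  # constructed: treat each 512-byte block as one 'sector'


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """SHA-256 digest of each fixed-size block of an acquired image."""
    return [
        hashlib.sha256(image[off:off + block_size]).hexdigest()
        for off in range(0, len(image), block_size)
    ]


def compare_acquisitions(first: bytes, second: bytes,
                         block_size: int = BLOCK_SIZE) -> dict:
    """Compare two acquisitions; report whole-image hashes, whether they
    match, and the byte offsets of blocks whose contents differ."""
    hash_first = hashlib.sha256(first).hexdigest()
    hash_second = hashlib.sha256(second).hexdigest()
    blocks_first = block_hashes(first, block_size)
    blocks_second = block_hashes(second, block_size)
    common = min(len(blocks_first), len(blocks_second))
    changed = [i * block_size for i in range(common)
               if blocks_first[i] != blocks_second[i]]
    # Blocks present in only one acquisition (size changed) also count.
    changed.extend(i * block_size for i in
                   range(common, max(len(blocks_first), len(blocks_second))))
    return {
        "hash_first": hash_first,
        "hash_second": hash_second,
        "repeatable": hash_first == hash_second,
        "changed_offsets": changed,
    }


# Constructed sample 'drive': four 512-byte sectors of filler bytes.
STATIC_SOURCE = b"".join(bytes([n]) * BLOCK_SIZE for n in range(4))
# Constructed 'live' system: same drive, but sector 2 was rewritten between
# the first and second pass (e.g. a log file appended while imaging).
LIVE_SECOND_PASS = (STATIC_SOURCE[:2 * BLOCK_SIZE] + b"\xff" * BLOCK_SIZE
                    + STATIC_SOURCE[3 * BLOCK_SIZE:])

if __name__ == "__main__":
    print(compare_acquisitions(STATIC_SOURCE, STATIC_SOURCE))   # repeatable
    print(compare_acquisitions(STATIC_SOURCE, LIVE_SECOND_PASS))  # offset 1024 differs
```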
This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 08:14:10 PDT