Sorry it is long, but there are a number of points and assumptions to be made to address the original questions.

Forensics - I'll define it as a process of objectively evaluating a crime scene (or violation of civil/copr codes/scenes) with the intent to present the facts as they relate to a specific incident or group of incidents. The objective is to present all of the facts (or as many as possible) so that factual (hopefully irrefutable) conclusions can be drawn. A crime scene can be physical, such as a murder scene, or it can be digital, such as stalking over the Internet or espionage. Some issues can obviously transcend both the physical and the digital.

As I see it, I believe that forensics will become more commonplace throughout both the private and public sectors. There are a number of groups working together to share this knowledge, i.e. HTCIA, CFID, RCFG, etc. Until recently, IT security was not given the support that it needed (and IMHO still needs more). As IT security becomes more established, private and public sectors are coming to realize that they need to log and monitor digital events. They need to be able to investigate things both for internal issues as well as external. Corporations are realizing that they can't afford to have people surfing the net. It costs money in lost productivity and potentially opens them up to lawsuits. They need to determine who has been looking at what, when and why to ensure CIA (confidentiality, integrity and availability). In fact I have seen a significant increase in such requests from various companies to their IT depts.

Public/LEO-wise, they did not have enough knowledge and budget to do much. That too is changing. Street detectives are getting more savvy as their theft cases involve the Net. Identity theft and credit card fraud are increasing, and therefore forensics and savvy are more necessary for them to complete their jobs. I have done a lot of pro bono work for some detectives to help them out.
Crypto-wise. Not going to make too much of a difference. The average user still can't figure it out. XP is not going to be widespread for a number of years (how many people are still using 95/98/ME??). People won't implement it because they don't know how, don't want to, have "nothing to hide", or are just lazy. Or they may forget their password, which would probably be pretty simple to crack anyway. And I can just put keystroke logging on their machine anyway or sniff it in most cases.

Corporate - they are still on NT. Just migrating to 2000. XP won't be rolled out to most for a number of years either. And PGP and other encryption has been available for years and 99.9% of the population does not employ it anyway. While I see it becoming slightly more prevalent, I don't think it will be significant enough to cause a major problem for investigations. Heck, I'm still trying to get people/corps to get rid of old accounts and pick a good password.

So to sum it up - forensics will become more prevalent and there will eventually be a certifying body to govern it, to ensure that people are truly "forensic experts", since it is imperative to investigate in a manner that can be presented in court. Who knows what you might find when you start to dig.

-----Original Message-----
From: Ralph S. Hoefelmeyer [mailto:ralph.hoefelmeyerat_private]
Sent: Friday, October 18, 2002 12:52 PM
To: Gary L. Palmer; Morris, Rod
Cc: forensicsat_private
Subject: RE: Future trends in computer forensics

I'll chime in here - forensics has historically been applied in a legal sense, which is slow, geared toward "beyond a reasonable doubt". In the real world of business and intelligence there are different standards, i.e., will it help us in a business sense, or do we think the target needs to be serviced - room to be wrong, and while not indifferent to being wrong, that is why we have the term "collateral damage". Different paradigms.
The time criticality mentioned below is very important, especially when reacting to Internet threats - your response time is measured in minutes now - search on "Warhol worm".

Ralph

Ralph S. Hoefelmeyer, CISSP
Senior Engineer
WorldCom GPE
719.535.4576 Office
"Security is a process, not a product" - Bruce Schneier

-----Original Message-----
From: Gary L. Palmer [mailto:palmergat_private]
Sent: Friday, October 18, 2002 8:02 AM
To: Morris, Rod
Cc: forensicsat_private
Subject: Re: Future trends in computer forensics

Rod,

I work at the Air Force Research Lab in Rome, NY. From a conceptual, basic research perspective, some items that are being worked on that will have significant impact in our field (Digital Evidence or Digital Forensic Science/Engineering - some would cringe at the phrase) present real challenges. Some are:

- Understanding digital transformations - the detailed trail of processing that is employed from molecular storage of magnetic forces as voltages to the representation of that information on a monitor as human-readable text. Not many understand the full spectrum of events. It may tell us volumes. This is true especially in light of Daubert/Kumho and FRE 702.

- The application of Locard's Exchange Principle in the digital realm. Does it apply? This famous basic rule of all traditional forensic analysis has yet to be verified or falsified when considering forensic computer/network investigations.

- Authorship attribution: many forensic disciplines are employed mostly to ascertain two important probative items (there are other items of course): 1. the irrefutable identity of the victim, and 2. the incontestable identity of the perpetrator. To date that has been very difficult to do in the digital world. Applications of Forensic Linguistics and Stylometry are rising to meet the digital challenge.
- The application of rigorous, relatively slow-moving law enforcement techniques (mostly ex post facto) in forensic analysis of near-real-time operational environments (business and military). This is a matter of time criticality and overall perspective. Prosecution versus availability of service. Which one drives?

- Digital forensic analysis in a wireless/cellular environment. RIM Blackberry, Bluetooth, 802.11x, CDMA, GSM, 3G, 4GSM, etc. Very complex and challenging.

$.02
Gary

"Morris, Rod" wrote:
> Hello everyone,
>
> I've been asked to say a few words for an interview concerning "the future
> of computer forensics". Amongst other things I thought I'd mention the
> challenges posed by (IMHO) an increasing use of encryption amongst users,
> developments in forensic tools (such as EnCase Enterprise edition) and an
> increasing awareness of the legal issues surrounding computer forensic
> investigation.
>
> This specific interview aside, I'd be very interested to hear other opinions
> on where we're going and what others working in this field think the major
> technological challenges and developments are likely to be over the next few
> years...
>
> Kind regards,
>
> Rod
>
> --
> Rod Morris
> KPMG
> Forensic Technology
> tel +31 (0) 20 656 8884
> fax +31 (0) 20 656 7790
> e-mail Morris.Rodat_private
> X.400 c=NL;a=CONCERT;p=KPMG;s=morris;g=rod
>
> **********************************************************************
> Any information transmitted by means of this e-mail (and any
> of its attachments) is intended exclusively for the addressee
> or addressees and for those authorized by the addressee
> or addressees to read this message. Any use by a party
> other than the addressee or addressees is prohibited.
> The information contained in this e-mail (or any of its
> attachments) may be confidential in nature and fall under a
> duty of non-disclosure and the attorney-client privilege.
> **********************************************************************
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

**********************************************************************
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender of the error immediately, do not read or use the communication in any manner, destroy all copies, and delete it from your system if the communication was sent via email.
**********************************************************************
This archive was generated by hypermail 2b30 : Sat Oct 19 2002 - 14:07:52 PDT