Digital Forensics, a view from the inside out

After over a decade practising, among other skills, Digital Forensics, I have seen it progress from an area often reserved for the investigative fields, frequently involving court-based proceedings, to a more business-as-usual capability, in part because of the expansion of the Information Security field into areas such as incident response.

I have also seen it gradually shift to the private sector, with organisations realising that digital forensics skills had a business value not focused solely on law enforcement or criminal investigations. With the adoption and rapid growth of 'Cyber' Security, where incident response teams need digital forensics when dealing with incidents, it is becoming a more everyday skill from an information security perspective and more of a requirement on job postings related to information security.

Following on from this, I hear the term 'forensic' being used by business to describe an action, such as 'we will do forensics on the logs'. In my experience the term is used by organisations to mean detailed, or technical, or perhaps a combination of both. I started practising digital forensics, alongside criminal investigations, in 2007 and have seen significant change over the years, not just in technology but also in how it is applied, or in some cases attempted, and interpreted.

Where the view at the start of my career was that a Digital Forensic investigator worked with law enforcement or in roles supporting the criminal justice system, today digital forensic skills seem to be becoming a standard function of an information security department. I feel the role of a Digital Forensic investigator has merely expanded to be part of something bigger.

Today I hear the term 'Forensic' used quite often, particularly in business. As a keyword it is becoming business jargon, which I fear causes it to lose its meaning, or has caused the meaning to change.

An Oxford dictionary defines forensics as:

Relating to or denoting the application of scientific methods and techniques to the investigation of crime.

or

Scientific tests or techniques used in connection with the detection of crime.

The term 'digital' relates to the electronic nature of the field.

The above definitions highlight that the term 'Forensic' merely covers how you got to an answer: that the methods applied were repeatable and scientifically sound, providing answers that support or refute a hypothesis regarding an event. It does not tell you what you need to know about computer science, or that you need to be trained in a specific market-leading tool.

When reviewing CVs I often see Digital Forensics listed as a skill, only to discover this means the candidate has used, or has been trained to use, software used for Digital Forensics processing or abstraction. This does not mean they understand the principles or methodologies that surround it, nor does vendor tool training provide the computer science knowledge required to understand what the tool does or how the operating system works.

One question that would appear, almost without fail, during interviews was 'What is your favourite tool?'. The expected response was often FTK or EnCase; my response was always 'it depends on what you need me to do'. The tool should not define the investigator; instead the investigator should select the best tool for what they need to do.

Looking at the traditional forensic sciences, roles are often described as forensic expert in 'a specialism', for example 'forensic expert in blood spatter analysis'; practitioners are not generally described simply as forensic experts, as the field is too large for anyone to be an expert in everything. The digital forensic field is also quite large from a body-of-knowledge perspective, yet digital forensic practitioners are often described as a forensics expert or a subject matter expert.

My personal view is that digital forensics is a skill to be applied and need not be a specific job title or role, as it was when I began my career. I see everything as an investigation, ranging from Incident Response or compliance issues to HR and formal investigations. From an investigation perspective the journey is always the same, with the same methodologies and the same skills applied. What changes is the destination: this could be a tribunal, court or risk management.

Even though the destination can influence the journey, I have come to find over the years that the destination should not define the journey an investigation takes. The mindset that an investigative journey can be shorter and less defined to save time can be a dangerous one. At the outset an investigator cannot say where the journey will end; as it progresses the destination becomes clearer. I have found that aiming for a criminal standard and stepping back as evidence becomes available is far easier than blindly starting an investigation and finding there are elements of the case requiring a response that may have formal constraints around it.

It may not always be feasible to approach everything to criminal standards, as this may introduce additional resource cost in terms of time. However, I find the best option is to preserve to a criminal standard, particularly when involved in an Incident Response capacity, as there is often an indicator that something untoward has already occurred or could get worse.
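What "preserve to a criminal standard" looks like mechanically, as an added example that is not part of the original article: fix the artefact's cryptographic hashes at the moment of acquisition, record the who, what and when alongside them, and make every later check a repeatable comparison against that record rather than a matter of memory. The log line, examiner name, file names and the one-byte "tampering" below are all constructed for the demonstration; the `acquire`/`verify` functions are illustrative names, not any tool's API.

```python
"""Minimal evidence-preservation record: hash on acquisition, re-verify later.

Added example, not from the original article. Everything written to disk here
(the artefact, the examiner name, the note) is constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("sha256", "sha1")):
    """Return {algorithm: hexdigest} for a file, read in 1 MiB chunks.

    SHA-256 is the value to rely on; SHA-1 is kept alongside only so the
    record can be compared with reports from older tools that still print it.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(path, examiner, note=""):
    """Build an acquisition record: hashes plus the context a reviewer needs."""
    st = os.stat(path)
    return {
        "artefact": os.path.abspath(path),
        "size_bytes": st.st_size,
        # Filesystem timestamp is preserved as seen, in UTC, not "now".
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "note": note,
        "hashes": hash_file(path),
    }


def verify(path, record):
    """Re-hash the artefact and compare with the record.

    Returns (ok, findings); findings is an empty list when everything matches.
    Every algorithm in the record is recomputed, so a record made with a
    different algorithm set still verifies.
    """
    findings = []
    st = os.stat(path)
    if st.st_size != record["size_bytes"]:
        findings.append(f"size changed: {record['size_bytes']} -> {st.st_size}")
    current = hash_file(path, tuple(record["hashes"]))
    for name, expected in record["hashes"].items():
        if current[name] != expected:
            findings.append(f"{name} mismatch: expected {expected}, got {current[name]}")
    return (not findings, findings)


def demo():
    """Acquire a constructed artefact, then show verify() catching a one-byte edit.

    Returns (intact_before, intact_after, findings_after).
    """
    with tempfile.TemporaryDirectory() as workdir:
        artefact = os.path.join(workdir, "auth.log")
        with open(artefact, "wb") as fh:  # constructed sample log line
            fh.write(b"Jan 10 03:14:07 host sshd[412]: Accepted publickey for svc from 10.0.0.9\n")

        record = acquire(artefact, examiner="examiner-01 (constructed)", note="demo")
        record_path = os.path.join(workdir, "auth.log.acq.json")
        with open(record_path, "w") as fh:
            json.dump(record, fh, indent=2)

        intact_before, _ = verify(artefact, record)

        # Simulate post-acquisition tampering that keeps the size unchanged.
        with open(artefact, "r+b") as fh:
            fh.seek(0)
            fh.write(b"j")

        with open(record_path) as fh:  # verify from the persisted record, not memory
            reloaded = json.load(fh)
        intact_after, findings = verify(artefact, reloaded)
        return intact_before, intact_after, findings


if __name__ == "__main__":
    print(demo())
```

The size check alone would have missed the edit; the hash comparison is what makes the verification meaningful, and writing the record to a file next to the artefact (here `auth.log.acq.json`, a name chosen for the demo) is what makes it repeatable by someone other than the original examiner.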

When I started my career I was given some advice by members of the Law Enforcement community I worked with, which to this day I still find useful and which may help new members of the field.

  1. You are only as good as your last case. - Your reputation is key, so ensure the best is presented at every instance, as this is the part that will stick in people's minds. If something goes wrong, only that it went wrong will be remembered, not necessarily why.
  2. Protect your rear end. - This is quite important, as it ties in with the first point: only comment on what you are comfortable with and the actions you took.
  3. Stick to the facts. - Keeping to the facts of the investigation will prevent it moving off topic and causing the investigator to talk about areas in which they may be less knowledgeable.
  4. Opinions. - Offer an opinion if needed or asked, but do not let opinions lead the investigation, and be prepared to justify them based on evidence.

I recently encountered a training course that had an element of Advanced Digital Forensics, and I was concerned to see that the training began with basic disk/partition explanations. I found this troubling, as it meant the course was designed for students to pass rather than to test them on what they should already know in order to pass. There were elements of explanation regarding the techniques, but as with many courses a level of self-study was needed.

This may have something to do with the business paying for the training expecting something in return: that the candidate learnt something to deploy within the business to add value. This is a potential separate topic I will not go into here, but it presents the question of whether training courses are providing value, or whether failing them should be an option.

Universities focus more on the principles and methodologies, and then a little on how to apply them; what they lack is the exposure to real-world events that only comes with experience of the different circumstances that working in industry provides. I have found that knowledge of the principles allows the investigator to apply them to different circumstances, whereas experience of a tool merely allows the investigator to apply it to the same situation or criteria. Knowing how to parse a registry hive is one thing; knowing what it contains and when it may be of value is another.

Some of this can be explained by the culture surrounding this, particularly in the information security field, which is very much focused on obtaining a few certificates, as this leads to being viewed as an expert. There is very much a 'here and now' mentality behind this, whereas becoming an expert is a combination of knowledge and the application of that knowledge to a range of circumstances provided by experience.

Unfortunately this takes time, often many years, and the job market in this area does not always support the long term or provide an environment in which to develop and achieve the knowledge and experience needed.

There has always been the saying that 'knowledge is power', something I have never quite agreed with, as possession of knowledge for the sake of it is meaningless; it is the application of knowledge, and that application, that defines us.

Of course this is just my opinion.