Evidence Talks Newsletter
August 2006

Case Study

The Future of Forensic Computing
Originally published in "Digital Investigations Magazine"

Written by Andrew Sheldon

At any one time, there are probably only four types of people working in the field of digital forensics: Those adducing evidence, those examining forensic evidence produced by others, those involved in forensic research and those involved in identifying ways of defeating the work of the other three.

Unlike almost any other forensic professional, a digital forensic analyst must combine a deep understanding of a number of wildly disparate elements in order to provide a thorough, impartial and compelling analysis of the data being examined.

Among these elements are:

(i) the technologies involved,
(ii) the sociological behaviour of the owner(s) of the media being examined,
(iii) the volume and storage mode of data and
(iv) the legal framework under which the analysis is being conducted.

Unfortunately, or not, depending upon your viewpoint, the digital forensics professional is forever destined to be playing "catch-up" with the changes in these three elements.

For me, and I'm sure for many others, these factors happily conspire to ensure that every case and every examination is approached with a mixture of excitement tinged with caution. Excitement because I learn something new from every job, and draw satisfaction from knowing that my conclusions are based on provable hypotheses using empirical data. Caution because the pace of change in the four elements identified above is so rapid that it's impossible for one individual to keep fully up to date with the impact of these changes.

It's not that the world of computer forensics has ever stood still; it has always been subject to change. It's just that the pace of change in the digital world accelerates more rapidly than in perhaps any other field of forensic science.

I remember the day, back in 1998, when after four years of performing digital forensics, I realised I could no longer spare the time needed to read all the computer forensic resources and keep up with everything being discussed in the forensics community. If I actually wanted to get any work done, I had to make choices about what to read regularly and what to archive and use as future reference. It simply became impossible to cover everything. It is precisely this speed of change that I believe will have the biggest and most profound impact on the future of digital forensics.

A more focussed "expert"
As any analyst working in the "blood and guts", or traditional, world of forensics will attest, there exists a very diverse range of disciplines, each with their own 'experts'. Such domain expertise is usually borne out of research work in highly specific topics. For example, the use of fingerprints as an aid to identification was first postulated by Henry Faulds and William Herschel in an article published in the British science publication Nature in 1880. It was not until 1901, however, that Scotland Yard formally adopted the science.

The experts in some highly specialised fields of forensics, such as paper, fingerprints, DNA or fabrics, have, to their advantage, the fact that they are looking at a reasonably compartmentalised view of the evidence. A strand of cloth, a body fluid sample or a ransom note may be their entire view of the evidence in a case. Their analysis may indeed be pivotal to the outcome of an investigation, but their view of the evidence in the case may be restricted to the item(s) under specialist examination and is usually based on a series of clearly defined tests with predictable outcomes. Therefore, their ability to draw evidential conclusions may be similarly compartmentalised. A specialist in blood analysis will be able to determine many important facets relating to the "owner" of the blood sample, but it would probably take another specialist to determine the significance of the blood spatter pattern at a crime scene.

When dealing with traditional forensics, it is not unusual, in criminal cases at least, to draw on a number of forensic experts to deal with each specific aspect of the forensic evidence. A fingerprint expert would not be expected to give opinion on DNA evidence. Likewise, an expert in ballistics is unlikely to be expected to comment on handwriting. Each expert may provide a conclusion regarding the specific evidential item under their field of expertise and the Court then considers these conclusions together to aid a decision.

However, the story is not quite the same in the rapidly advancing world of digital forensics. Such myopic dedication to single-topic technical analysis is the exception to the rule. It certainly exists but, at present, is more likely to be spawned from more traditional IT disciplines such as network security and incident response, and then usually only practised at educational establishments.

More often, a single "computer forensics expert" is called upon to examine varied items of digital media, to provide expert testimony regarding the data under review and to draw conclusions regarding the interpretation of that data. Sometimes there will be an expert representing each side in a case but, often, it is on the evidence of a single expert that the Court will base its decisions. It is in this practice of grouping all aspects of digital forensics into one technical "bag" that, I believe, we will see the most significant and fundamental changes in the future.

I know many of the readers of this article will be specialists in specific aspects of digital forensics such as encryption, P2P technologies, networking etc., but it is my contention that, as the technologies we investigate increase in complexity along with the tools we use, the "opposing" teams will become more adept at identifying specific elements of an "expert's" report and calling into question the ability of that expert to speak authoritatively about that particular subject.

We are already beginning to witness such coarse "granularity" of expertise in a number of cases, specifically those relating to hacking, malicious code and electronic organisers, but I anticipate the level of granularity will get finer until we are faced with the prospect of (say) an "expert" in PST data structures having to be called in a case which does not, in itself, relate to the email system.

Diversity will drive changes in forensic investigation methods
In the 21 years between the postulation of the fingerprint theory by Faulds and Herschel in 1880 and the development of a classification system by Sir Francis Galton and Sir Edward Henry, and its subsequent acceptance by Scotland Yard as a legitimate field of forensic science in 1901, the source data, the fingerprint, remained a static data source. Naturally, techniques for acquiring and examining fingerprint data have constantly improved but, while each fingerprint is different, the source of the data is always to be found on a finger!

By contrast, during the last 21 years, the data sources that form the basis of digital forensic analysis have been found stored on an ever-increasing number of disparate storage devices, in a multitude of data formats and under the control of complex and seemingly ever-changing operating systems. Likewise, the basic computing environment has changed dramatically over the same period.

Take, for example, the introduction in 1983 of the 16-bit IBM PC-XT. It used an Intel 8088 processor running at 4.7MHz and cost a staggering $4,995 (source: http://www.jcmit.com/cpu-performance.htm). It came with a 10MB hard disk and was likely to be running MS-DOS with the disk formatted to FAT. In the commercial world, 1983 saw the introduction of the Amdahl 5840. Based on the 370 family and 32-bit capable, it had 16MB of RAM and cost $2,350,000 (source: http://www.jcmit.com/cpu-performance.htm).

But while it's easy to simply draw dramatic comparisons between historical hardware and what we use today, from the forensic perspective we are probably less interested in the performance characteristics than we are in the way in which the systems create, store, manage, display and retrieve data. However, unlike the traditional forensic analyst, the individual digital forensic analyst encounters a vast array of evidential data from multiple sources and in multiple formats with almost every job undertaken. One can draw an analogy between the technical complexity faced by the digital forensics analyst and a tree (see following graphic):

Branches and leaves represent application families and typical applications
The trunk represents current core forensic competencies underwritten by standardised and accepted procedures
The roots represent the wide diversity of data storage formats and data management systems

At the roots are the multitudinous storage devices, media formats, data types and interfaces that a digital analyst can be expected to encounter. The branches represent the many varied application families such as email, networking, accounting, technical and entertainment. Finally, the leaves represent the enormous variation in file data structures and data presentation schemes. Between the two extremes there is a trunk representing the core forensic competencies of forensic data acquisition, preservation and control.

During a digital forensic investigation, it is not uncommon that a single analyst may be responsible for most aspects, from data acquisition through to evidential assessment and final conclusion. The ability of a single analyst to provide expert testimony on all possible permutations of this "tree of experience" is obviously unrealistic so, in general, we have to resort to experimentation and experiential study to support our findings.

The only part of the above model that is truly beginning to globally formalise are the "trunk" components. Reasonably well developed principles exist on an international scale for the seizing of digital evidence in common scenarios. Likewise, standard procedures have been developed for imaging and subsequent validation of forensic images, although it is recognised that, even now, there is healthy debate relating to the latter issue.

Formal standards and procedures relating to the examination of even the most common data structures, such as email or databases, are not yet globally adopted. Instead, we rely on a collection of third-party tools and our own experience or experimentation to deliver expert testimony, and yet it is these basic components of nearly every investigation that the forensic analyst encounters on a daily basis.

The Diversity-Convergence Paradox
Over the last few years we have seen a massive growth in the diversity of interfaces, disk formats and proprietary data structures. This alone is enough to keep the forensic analyst more than busy. Now add the tremendous growth in "converged" technologies such as the latest generation of PDA-phones and the problems facing forensic examiners increase. While such devices may have current industry standard storage devices which can be examined using existing techniques, what of their other components?

The analysis of the memory on mobile phone bodies is not yet standardised despite their all pervading presence. Even the forensic imaging of a phone SIM card has only been available for a few months.

Likewise, few police officers searching the home of a suspected paedophile would think twice about seizing the X-Box under the television as a potential source of evidence, despite the fact that, with the use of a retrofitted chip, the X-Box can quite easily be used to run a Linux FTP client or a number of other systems equally suited to the task of file distribution using the built-in modem.

Over the next few years, this convergence-divergence paradox will, I believe, lead to an inevitable stratification effect within the digital forensic community until it more closely resembles the traditional forensic science community. Analysts will become specialists in an increasingly small subset of the digital environment, providing the granularity of expertise demanded by the Legal system. It will become common for forensic examinations to be carried out by multi-disciplined forensic teams under clearly defined standards and using globally accepted methodologies.

I anticipate that we must see the adoption of formal standards for the interpretation of the more common file structures such as MS Word documents, disk formats and suchlike. However, the problem that faces us in achieving this task is twofold: the rapid development and release cycle of new and modified data structures, combined with the commercial imperative of the major vendors to retain an element of secrecy regarding the data structures they use.

At present, the majority of forensic analysts rely on third-party tools to provide an interpretation of many of these structures. This raises a question over the ability of the analyst to provide an expert opinion based on the output from these tools. To be able to draw accurate conclusions in all such cases, evidential corroboration techniques must be used to verify the results obtained from one source by using another, independent source. Again, the problem here is the explosive growth in new common data sources, and the regular modifications to existing ones. Time is not on the side of the average forensic examiner!
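As an added illustration of the two "trunk" practices discussed above, validation of a forensic image and independent corroboration of a third-party tool's output, the following Python is example code written for this page; it is not from the article, from Evidence Talks, or from any vendor tool. The disk image, the acquisition hash and the "tool report" are all constructed for the example; the only real-world reference is the published FAT boot-sector (BIOS Parameter Block) layout, which is parsed directly from the raw bytes so that a tool's reported values can be checked against the data itself rather than taken on trust.

```python
"""Added example: image validation and tool corroboration on a constructed FAT image."""
import hashlib
import struct

# FAT BIOS Parameter Block, little-endian, starting at byte 11 of the boot sector.
BPB_FORMAT = "<HBHBHHBHHHII"
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "num_fats", "root_entries", "total_sectors_16", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads", "hidden_sectors",
              "total_sectors_32")


def build_sample_image() -> bytes:
    """Constructed 1440 KB-style FAT12 boot sector plus three empty sectors (not a real device)."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"          # jump instruction
    sector[3:11] = b"MSWIN4.1"             # OEM name
    struct.pack_into(BPB_FORMAT, sector, 11,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors
                     2,      # number of FATs
                     224,    # root directory entries
                     2880,   # total sectors (16-bit field)
                     0xF0,   # media descriptor
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2,      # heads
                     0,      # hidden sectors
                     0)      # total sectors (32-bit field, unused here)
    sector[510:512] = b"\x55\xAA"          # boot sector signature
    return bytes(sector) + bytes(512 * 3)


def sha256_image(image: bytes, chunk_size: int = 512) -> str:
    """Hash the image in sector-sized chunks, as one would stream a real device."""
    digest = hashlib.sha256()
    for offset in range(0, len(image), chunk_size):
        digest.update(image[offset:offset + chunk_size])
    return digest.hexdigest()


def validate_image(image: bytes, acquisition_hash: str) -> bool:
    """Image validation: the verification hash must equal the hash recorded at acquisition."""
    return sha256_image(image) == acquisition_hash


def parse_bpb(image: bytes) -> dict:
    """Independent parse of the BPB from the raw bytes, with the signature checked first."""
    if len(image) < 512 or image[510:512] != b"\x55\xAA":
        raise ValueError("boot sector signature missing; not a FAT boot sector")
    values = struct.unpack_from(BPB_FORMAT, image, 11)
    return dict(zip(BPB_FIELDS, values))


def corroborate(tool_report: dict, image: bytes) -> dict:
    """Compare a tool's reported BPB values with our own parse.

    Returns {field: (tool_value, raw_value)} for every disagreement;
    an empty dict means the tool's output is corroborated by the raw data.
    """
    ours = parse_bpb(image)
    return {name: (tool_report.get(name), ours[name])
            for name in BPB_FIELDS if tool_report.get(name) != ours[name]}


if __name__ == "__main__":
    img = build_sample_image()
    acq_hash = sha256_image(img)            # stands in for the hash recorded at acquisition
    print("image validates:", validate_image(img, acq_hash))
    # Constructed "tool output" in which one field does not match the raw data.
    report = dict(parse_bpb(img))
    report["sectors_per_cluster"] = 2
    print("disagreements:", corroborate(report, img))
```

The point of `corroborate` is that the independent source is the evidence itself: the analyst parses the structure from the raw image and only then compares it with the tool's interpretation, so a mismatch is reported as a pair of values that can be put in front of a court rather than a bare assertion that "the tool said so".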

If one combines the demands of finer evidential granularity driven by a , with the increasing capacity of most data storage devices and the resultant increase in the time required to perform analysis, the future will require that an alternative approach be adopted; it simply is not feasible to continue performing forensic analysis using the accepted approaches that we use today.

Is there an alternative future? In Search of Forensic Nirvana

One of the key differentiators between the traditional and the digital forensics analyst is that the focus of the latter's analytical attention is not restricted to a single piece of evidence (such as blood or paper) but rather to a collection of evidential data, such as the behaviour of the operating system and that of many different applications. Such analysis is made complex not just by the number of possible data formats, information structures, originating actions and data sources affecting each byte, but also by the inference, interpretation and evidential value each byte or group of bytes receives from the analyst.

This bias is based, in part, on other data present on the media, the circumstances of its location and discovery and the investigation framework under which the analysis is conducted.

When conducting analysis of a suspect's media, it could be argued that the discovery of (say) an encryption or peer-to-peer application might cause the analyst to infer a certain type of behaviour of the suspect, which may or may not be at odds with the actual behaviour of the suspect.

Let us suppose that, with the increased processing power available to the forensic analyst of 2015, we are able to build a forensic analysis application with an element of artificial intelligence that is able to exploit this feature of digital forensics. Integrate rules governing the Four Elements indicated at the beginning of this article and make it capable of assimilating the nature of the contents of a piece of digital media. Then, use a set of inference rules to produce output aimed at guiding the forensic analyst in conducting a manual examination.

Let us also assume that such a forensic application was able to accept input from all the key software development companies in the form of recognised rules for interpreting each developer's industry-standard data structures. Add to this the ability to learn from each case it was used on and to link to a central global forensic network over which that knowledge was shared with all other instances of the application. Could this be digital forensic nirvana?


Copyright Evidence Talks Ltd.