December 14, 2016
Analysis vs. Translation
Very often, examiners get called upon to do what may be referred to as "push-button forensics", meaning that we acquire data, plug it into a tool, and wait for the processing and output from that tool to tell us what we have that may be relevant to the case. Unfortunately, this isn't forensics at all; it's allowing software to do a job for us. Perhaps that's why some prefer forensic tools such as X-Ways Forensics: while tools like X-Ways make the examiner's job easier, the data is not necessarily served up on a "silver platter", and the examiner still has to know how the tool works and how & where to find the relevant data. This is analysis and investigation, not simple data extraction & reporting. But there are nuances to this practice that go even beyond the analysis for the final product to be useful and understandable.
Analysis Levels
In digital forensics, analysis levels are important to know and distinguish. Very often, the quick acquisition of evidence and triage of data can lead to a break in a case of a missing juvenile or help stem further data loss to mitigate a breach. Triaging evidence can also help identify which pieces are more likely relevant and help examiners spend less time weeding through data that is simply not important. However, triage is a very low-level type of analysis. It's so low-level that triage of digital evidence is being taught to non-examiners just to help streamline the overall examination process. Triage evidence should be used for investigative leads only, as very often the finer points about where the data is stored, how it got there, who put it there and other key factors are not part of a triage of evidence.
When we dive deeper into the analysis of the evidence, we start to get into the nuts and bolts of forensics. Important factors can include the type of file system, the users on the system, the time offset on the system, files and metadata. This is the area where some push-button tools operate, because they do dive deeper than triage or preview levels, but it's also a danger zone for many would-be examiners. Push-button tools are great for pointing you in the right direction, but sometimes lack the detail that is often necessary in forensics. And as any experienced examiner will tell you, the devil is in the details.
Deeper levels of examination, analysis and investigation require intense skill and, above all, experience. No course of study can prepare an examiner for trying to prove or disprove the really hard cases. For example, will a push-button tool really help you prove a child exploitation case without any images being present on the system? Probably not. Even if it did present some valuable evidence, you'd have to dive deeper and search for fragments, history and other evidence that may be "hidden" or very difficult to locate. Most push-button tools won't dive deeper into slack space or volume shadow copies. They're designed to streamline the digital evidence process to decrease backlogs and get cases out the door faster. This is a dangerous trap in forensics and one examiners must constantly work to avoid.
So once we've done our in-depth analysis and completed the digital forensic portion of the investigation, then what do we do? This is where the intangible asset of translation becomes the point where the proverbial rubber meets the road. Without it, the evidence is almost useless.
The Value of Translation
A wise man once said, "You can make a cop a geek, but you can't make a geek a cop!" So what's a "geek" and what's a "cop", and why is it only a one-way street? In this discussion, the term "geek" is used to describe a person who is good with computers, good with technology, enjoys gadgets and all of the new innovations on the market today, and even goes so far as to learn more about them, study them and hone their knowledge of them. These are skills that are necessary for a good digital forensic examiner. One can be taught about file systems, operating systems, metadata, slack & unallocated space, but without the ability to articulate what those things are and why they're important (i.e., relevant) in your investigation, those skills are only utilitarian.
In this discussion, a "cop" is someone who has an inquisitive nature. A truth-seeker. A trained hunter of facts. Someone who has honed the ability to weed out what may be irrelevant and concentrate on what facts or evidence help prove or disprove the matter at hand which is being investigated. Most importantly, they've honed the ability to explain and articulate that evidence for stakeholders in the case, namely other investigators, attorneys, judges and juries (i.e., laypeople). It is this intangible asset which turns the analysis into something meaningful, because all of the technical skills in the world don't matter if you cannot articulate what you did, why you did it, what you found, and where and how it got there. Even the ability to explain what you may not have found is an asset to a trained examiner. Sometimes the absence of evidence can be evidence in itself.
So when it's said that you "...can't make a geek a cop", what it means is that many "geeks" largely don't have this intangible ability. Think back to the last time you asked a really technical person a question. You probably received a very technical answer, which is not something that laypeople understand very often. The ability to whittle down the minutiae into specific, articulable and understandable talking points is something many people in general don't possess, let alone highly technical people.
Wrapping it up
Analysis is but one important component of digital forensics. The translation of that analysis into specific, articulated facts is quite another. It's hard for technical schools to teach students two basic, yet very important, skills: critical thinking and effective communication. So just because someone has a degree/certification in digital forensics or law or medicine doesn't always mean they can effectively translate (i.e., communicate) what they know, suspect or conclude based upon the evidence at hand. This ability comes from one primary source: experience.
Author: Patrick J. Siewert
Principal Consultant, Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia. Available Globally.
We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Twitter: @ProDigital4n6