Tuesday, March 23, 2010

Applying medical diagnostic principles to digital forensics

by Sean McLinden

In an ideal world, health care would cost nothing and medical tests and procedures would be without risk or discomfort to the patient. The fact that the world is not ideal is one reason why health care reform is one of the top political issues in the United States at the moment. Medical tests can be costly, invasive and potentially life threatening to the patient and, for those reasons, the skillful practice of medicine involves the judicious use of testing which balances all of the costs against the likely benefits.

Patient care does not always involve certainty. In many cases, the health care practitioner (HCP) is forced to deal with likelihoods and probabilities on the path to certainty and, in rare instances, certainty may never be achieved. The absence of certainty is not always a barrier to treatment and response to treatment can be a step toward definitive diagnosis but, like medical tests, treatments can have their risks and the decision to treat must weigh these risks against the likelihood that the presumptive diagnosis is correct. To address the issues of uncertainty, cost, risk and benefits, HCPs employ, whether explicitly or implicitly, a collection of heuristics which provide guidance in the selection of tests and the determination of treatments. That a similar set of heuristics can, will, and in some cases, must guide the practice of digital forensics I hope to demonstrate by what follows.

Traditionally, computer forensics begins with the seizure of all possible evidence, followed by test after test until either you find something or you decide that there is nothing to be found. To paraphrase an example attributed to Rob Lee, this is like doing an autopsy as the first step in a medical examination.

This is a luxury which may become the exception rather than the norm for digital forensic (DF) examinations in the future. The ubiquity of personal, portable storage devices, the sheer volume of storage available on even the smallest of digital devices, and the costly and invasive nature of indiscriminate requests for the bit-for-bit copy are all issues with which US courts and DF examiners have grappled. Simple techniques for hiding data and obfuscating user activities are readily available and widely known, though less widely used, although I expect the latter to change as threats to privacy become greater. The Internet and the proliferation of social networking, peer-to-peer file sharing and other technologies have the potential to put much of the evidence outside the grasp of the traditional forensic investigator where, again, privacy concerns may limit the courses of action in civil matters.

Increasingly, DF practice is likely to parallel the process of medical diagnosis in key aspects...
