Tuesday, March 29, 2011

The End of Digital Forensics?

by Craig Ball

Craig Ball
About the Author

Craig Ball is a Texas lawyer who limits his practice to service as a court-appointed special master and consultant in computer forensics and electronic discovery.

When Microsoft introduced its Encrypting File System (EFS) in Windows 2000, the Cassandras of computer forensics peppered the listserves with predictions that the days of digital forensics were numbered. Ten years on and hundreds of systems acquired, I’ve yet to handle a case stymied by encryption—and 90% of my acquisitions were corporate machines, many with TPMs and fingerprint readers. Voluntary encryption turned out to be no encryption at all.

The next sky falling threats to forensics were privacy tools and features. “Surely,” our Chicken Littles clucked, “everyone will run free tools that routinely wipe unallocated clusters and securely delete data!” Turns out, they only run the antiforensic tools right before the examiner arrives, and most such tools do a lousy job covering their tracks. Instead, we’ve come to see much more revealing data and metadata created and retained by operating systems. The Windows Registry and all those logs and .dat files are like birthday presents from Bill Gates.

Finally, there are the stormy forecasts about the Cloud. Absent dominion over physical storage media, digital forensics is indeed different. We need credentials to acquire data in the Cloud, and deletion tends to mean really gone. But the silver lining is that the portable devices used to access Cloud data tend to store so much information that they’re proving a cornucopia of case-making information. Are handhelds trickier to acquire? Sure. Are they less revealing? Not on your life!

But lately, one acorn that has fallen on my head and caused me to look warily aloft is the quantum leap in hard drive capacity. I suspect I’ve acquired more aggregate data in the last year than in all of the previous nine years put together. Not more media, mind you, more data. At least more nulls, but we’ve got to read those too, right?

Read more at http://www.forensicfocus.com/craig-ball

1 comment:

Dave Jenkins said...

Do you need to acquire the whole disk though? Digital forensics is changing. It has to become more targeted rather than what it was like 3 or more years ago. i.e. receive a drive, image it, analyse it, that's what it used to be like. Now it should be more like ... ask what information they are after, extract only that information from the drive and ignore the rest.