Friday, October 19, 2012

October 2012 : some challenges in digital evidence

This week we will have an ENFSI meeting in Rome of the Forensic IT Working Group, where new developments in forensic IT are discussed, as well as solutions.

In forensic IT we currently have the following seven long-term challenges:

  1. big data 
  2. malware
  3. number of students in ICT
  4. encryption 
  5. different formats 
  6. diversity 
  7. presenting complicated evidence in court

1. big data

The issue with big data is that cases are growing rapidly. If all data from a person is collected in a case, the amount grows rapidly, also due to multimedia and fast data links. Currently, indexing over 100 Petabyte is not easy; Hadoop also has issues with it, and new solutions are being developed by social networks such as Facebook. Indexing video data is also not easy. Filtering is important, and triage is one of the solutions. Cloud computing is an issue here, since the data is often located in other states with different jurisdictions.

2. malware

The issue with malware developers is that they are difficult to investigate. Zero-day exploits are seen more often, and botnets and other attacks on many systems, such as SCADA, are an issue. Malware on mobile phones is so common that the FBI issued a warning. Lawyers might use it as a defense. Even medical devices can be infected by malware. People also claim that governments develop malware.

3. number of students in ICT

ICT and related studies are not very popular, so it is difficult to fill all vacancies. Software engineers are difficult to hire, and are needed for all developments.

4. encryption

With encryption methods getting more sophisticated and also being implemented in hardware such as SSD disks, live forensics methods are the choice instead of trying to break the keys. However, live systems should be shielded from network communication, since it is possible to wipe systems remotely.

5. different formats

Many developers will make new file formats which deviate from the file format, and use coding which is not public. Analysing and repairing them is important. The golden age, as Simson Garfinkel mentioned, is over, and we will enter a digital forensic crisis.

6. diversity

There are many hardware manufacturers as well as software developments. It is hard to keep up with developments and to have methods available for doing a forensic analysis. Mobile device forensics with chip extraction is an option, but it remains time-consuming and expensive.

7. presenting complicated evidence in court

Often digital evidence, especially in hacking cases, is difficult for juries and judges to interpret. The challenge for the forensic examiner is to present the evidence in court such that it is acceptable. Many times new methods have to be developed and validated for the court, and privacy laws also have to be taken into account.

Sunday, October 14, 2012

Guest post by Ken Myers

7 Ways Social Media is Used by Forensic Investigation

As the saying goes, "What is posted on the Internet, stays on the Internet". Investigators are including
social media sites in forensic investigations to strengthen or confirm information gathered about any
given case. Sometimes, the criminal themselves will post incriminating information without thinking
about how it could affect them. How is this information gathered?

1. Profile Activity - Many people like to update their Facebook or other community site's profile.
However, posting pictures and commenting on robbing a gas station probably isn't the best method of
gaining fame.

2. Video Can Hurt - Sites such as YouTube and Flickr are entertaining sites created by those who use
them. Recording your criminal behavior and then posting it for everyone to see will secure your room at
the Jail House Hotel.

3. Chirping Your Crime - Tweeting about how you got away with an illegal activity isn't proving to
anyone how smart you are. On the contrary, posting the information is essentially telling everyone who
did what and how to find you.

4. No Comment - Posting on forums about your activity could give you a sense of status. Posting on
forums could solidify a case against you in a court of law.

5. Website Content - Even if you think your website is small and unnoticed, it can be traced back to you.
Detailing your deeds on a website could easily gather the attention of law enforcement.

6. Digital Information - During an investigation, your computer could become evidence and all accounts
could be analyzed. The sites you once thought of as hang-outs, could be used against you to make legal

7. Reputation - If you think something may be too incriminating to post on the Internet, don't post it. Not
everyone needs to know every secret, and information has a way of telling more than you want it to.

If you don't want someone to know something about yourself, don't post it on the Internet. Even
photographs have a way of staying in the system long after you deleted them from your account. Data is
collected on a regular basis and could come back to haunt you if you're not careful.

Ken Myers is the founder for He frequently researches and
writes about a variety of topics like education, Technology, Health and many more. He welcomes your

Sunday, October 07, 2012

October 2012

September was as always a busy month, so not much time to write. Many reviews for articles, and rescheduling projects and making new project proposals. It is often not easy to explain technical issues or research projects to people that are not used to them, so the challenge is always to write clearly and receive as much feedback as possible, by directly asking non-technical people to explain what is written, and hear back if it is understood well. This is important in both forensic reports as well as project proposals.

At the start of October I enjoyed a week's vacation in Bucharest. It was nice to see the different museums and buildings and some big shopping malls. I even saw some nice paintings by Rembrandt over there. In October I have to make preparations for a two-day conference in the Netherlands on Digital Investigation, which I am currently organizing together with a good team, so that should work well. I am also looking forward to the ENFSI Forensic IT Working Group meeting in Rome later in October, where I am chairman of the working group. In September I visited the ENFSI Digital Imaging Working Group in Brussels for two days, which was very well organized by NICC.

Of course, some casework, and currently also some students on different projects from several universities, on several topics, from camera identification, to forensic hand comparison and other body parts, super resolution and some research on iPhone forensics.