Anti forensics: The End of Computer Forensics?
Computer forensics is a relatively young discipline. In short, it is about using computer science and technology to establish facts and to preserve evidence of those facts. (I realize that other definitions are in use.) It is an after-the-fact, reactive method of establishing what has happened or of reconstructing crimes that have taken place. More and more tools are appearing whose purpose is to make that reconstruction more difficult, if not impossible, and to make computer forensics ever more expensive and legally irrelevant.
During an investigation into data theft it was established that one of the employees of the client had downloaded an mp3 and played it. It was also established that hidden in the mp3 was a rootkit that had installed itself. As a result a hacker had been able to gain “administrator” access to the system of the client, completely undetected, and for over a year this access had been used to obtain confidential information. But here’s the catch. It was not identified who the hacker was, and most likely no one ever will. (If there are some up for the challenge, they are hereby invited.) It makes you wonder: who and what else?
More and more hackers appear to focus on what is currently being named the field of anti-forensics: tools that make it hard, if not impossible, for computer forensic investigators to identify what has happened and who the perpetrator is, and to link the perpetrator to the identified security breaches and data thefts. What makes life especially hard for forensic investigators is that the elite nature of these techniques is over. Very similar to the way hacking techniques focused on gaining access became widely available in the old days, these anti-forensic tools are now coming down the ladder of availability to the general public. What’s more, this is taking place at a time when more and more people with less noble intentions, and limited technical skills, are looking for ways to get their hands on all the cash moving around on-line. Anti-forensics are a great help in covering their tracks.
In the good old days, hackers and data thieves tried to avoid detection using back doors and other techniques. Nowadays, they seem not to care. Why? Because even when you do detect what is happening, and detection gets easier and easier, you will never find out who the perpetrator is.
The Legal Side of Things: from hard evidence to circumstantial evidence
It is my sincere expectation that well before the field of computer forensics has come to full bloom, especially here in New Zealand, we will already be faced with a situation, or at least an increased chance, in which computer forensic evidence becomes more and more circumstantial as a result of the anti-forensic tools that are readily available on the market.
Computer forensics is in a way telling a story: establishing what has happened and who made things happen. The basis has always been that the data captured could be trusted. This is no longer necessarily true (by the way, very similar to the abuse of telephone facilities since VoIP networks came into place).
While it has always been a challenge to put a person behind a machine in terms of reconstructing what has happened, we are now faced with an additional problem of establishing which machine was the one that can be identified as “the guilty machine”.
In this environment data is no longer trustworthy. The implication of this can hardly be overstated. Where the presumption of reliability falls away, prosecution becomes a severe challenge and an increasingly unappealing option, especially when you take into consideration the relatively heavy burden of proof in criminal prosecutions.
Anti-forensic tools could in effect create a form of de facto legal immunity for those who know how to use them.
Will Computer Forensics stay an Economically Viable Option?
With growing uncertainty about whether a useful and reliable outcome can be achieved, and with the continuously growing difficulties in this field of investigation, it is not too hard to imagine what will happen to this field of expertise.
If it becomes increasingly difficult to figure out what has happened, and if the chances of the findings being legally usable decrease as a result of these anti-forensic tools, chances are that corporates will opt for the economically most viable alternative: forget about investigations and write off the losses. (Might there be a new market for the insurance industry here?)
Back to Basics
What does this mean for the computer forensics field? In my view it means that we will need to (re-)establish broader approaches to investigating computer crimes.
I cannot help finding myself in situations where the technical capabilities need to be downplayed and a broader focus is required instead, one that takes into consideration physical investigative techniques such as traffic analysis of phones, email, mobiles and data; interviewing and interrogation; physical inspection and investigation of suspects’ premises; telephone taps; running informants and focusing on witnesses close to the suspects; loggers on suspected computers; following up on victim transactions (including, where possible and appropriate, camera footage analysis and, for instance in the case of credit card abuse, tracing and surveillance of people and goods); and good old crime analysis techniques that start from an all-source approach.
Come to think of it, every computer forensic investigation I did had a physical component to it, if only to interview and take statements from the subjects thought to be behind the incidents. What has changed over the years, in many instances, is that the technique has become an end in itself, used by those with great technical capabilities who are not necessarily equipped with the general investigative skills and creativity needed to come to a satisfactory result. Back to basics, I would say.
Thinking about it, this takes me back to the days I worked with one great police officer in the Netherlands, Hoofd Inspecteur Harm Beukenholdt. He once told me, years back: “John, you have the technical guys, and you have the old school detectives. Success will be for those that know how to bring these apparently strictly divided worlds together to work efficiently and effectively.”
The field of anti-forensics is now proving him well ahead of his time. He could basically have predicted what is taking place at the moment.
What he understood, and so many nowadays have forgotten, is that it is all a matter of layering the evidence: building it up and narrowing the escape routes. If we had to rely on computer forensic evidence alone, we would get stuck. Luckily, however, there are those who understand the value of a multi-disciplinary approach.
For those considering a business in computer forensics: don’t give up your day job if that is all you have to offer. Some time ago I wrote a blog called Evolutionary Notes on Private Investigators, dealing with the changing face of investigators. The last stage in that evolution is the investigator as manager of all the new experts in a multi-disciplinary approach. That’s where we at Dierckx & Associates shine. We have a network in place covering all relevant disciplines, and John Dierckx is equipped and experienced in bringing these disciplines together.