Wednesday 29 February 2012

When is forensically sound really forensically sound?

Thanks to Rodney [1] for trying to articulate the actual meaning of “forensically sound”.

I think this term is important because it is international digital forensics jargon, no matter where you’re from. Be it Malaysia, Australia or the United States of America, every digital forensics analyst must and will understand this term.

If not, there’s something wrong. You’re not truly a digital forensics analyst.

I still remember that when I started my career as a digital forensics analyst, this jargon had to be understood. It will be a guide whenever you are doing digital forensics work, be it acquisition, recovery or analysis.

As we all know, in this digital age, everything is made simple. One good example is multimedia.

With multimedia technology, video editing is made easy. With only a single click!

Just recall analogue video: it is really troublesome, isn’t it? If the case exhibit is in analogue form, it means more work to be done.

So, with digital technology, we become so complacent. You can always save any file to any format in a split second.

But, the same technology has aggravated the work of a digital forensics analyst. With the same click, a digital forensics analyst can inadvertently damage the case exhibit.

This is not easy. A digital forensics analyst’s work is delicate. They are not merely a geek but an artist. That’s why the salary of a digital forensics analyst must be competitive, because the profession is demanding.

Hahaha…you got to agree with me.

Back to Rodney’s paper, he tried to gather the meaning of forensics computing, forensically sound and the evaluation criteria that consist of meaning, errors, transparency and experience.

Most probably, I would like to add auditable. A digital forensics effort must be written in a work sheet so that you are able to recap what has been done, will be done and also to show the analysis is completed in a “forensically sound” manner. Thus, this process is auditable.

It is to show nothing has been changed and the case exhibit is as good as its original pristine state. Moreover, the work has been conducted on a bit to bit copy that is as good as the original exhibit.

Nothing is changed and every bit is being analyzed. No stone left unturned.

I think this is the true meaning of forensically sound!

What say you?

[1] R. McKemmish. “When is Digital Evidence Forensically Sound?” Advances in Digital Forensics IV, IFIP Advances in Information and Communication Technology, pp. 3-15, 2008.