Sunday 27 May 2012

Digital Forensics: Is it a science, engineering or an art?

This is another weekend reading for you. Though not for leisure. It might spoil your weekend, because those who bother might want to think and think about this topic.

As for me, this is important, and highly important for those who want to do research in digital forensics.

So, how are we going to conduct research if the description of digital forensics is still vague?

I don’t know if you have read this paper, “A Comparative Study of Forensic Science and Computer Forensics” [1]. This paper sparks the interest to ‘investigate’ digital forensics itself further, but it is not conclusive (there is future work).

Another one is this, http://computer-forensics.sans.org/blog/2009/06/04/is-digital-forensics-a-science/.

And according to Wikipedia, the scientific method refers to a body of techniques for investigating phenomena, acquiring new knowledge, or correcting and integrating previous knowledge. To be termed scientific, a method of inquiry must be based on gathering empirical and measurable evidence subject to specific principles of reasoning.

If you read the second part of the Wikipedia definition, you might be relieved, but some people might create another issue or question it again (just to be polite here, not assertive).

There is another paper that I read, “A comparison of forensic evidence recovery techniques for a Windows mobile smart phone” [2]. This is another informative and good reference paper for the practitioner and also the researcher.

Well, if you are entangled or overzealous about whether digital forensics is science or not, then you might question everyone’s papers, e.g. [2]. But to me [2] is very important. There is a lot of ‘knowledge’.

My MacBook Pro Dictionary says:
Science - the intellectual and practical activity encompassing the systematic study of the structure and behavior of the physical and natural world through observation and experiment.

Hence, isn’t digital forensics a science?

Is digital forensics ever going to be technologically engineered? The tools! Or is it merely reverse engineering?

The word forensic already means science! What’s the fuss?

Or is it an art (there are so many ways of doing it)?

It seems that digital forensics is a science, engineering and…an ART.

The keyword is empirical.

What say you?

P.S: Btw, I admire Leonardo da Vinci.
(1452–1519), Italian painter, scientist and engineer. His paintings are notable for their use of the technique of sfumato and include The Virgin of the Rocks (1483–85), The Last Supper (1498) and the Mona Lisa (1504–05). He devoted himself to a wide range of other subjects, from anatomy and biology to mechanics and hydraulics: his 19 notebooks include studies of the human circulatory system and plans for a type of aircraft and a submarine.

[1] R. Hankins, T. Uehara, and J. Liu. “A Comparative Study of Forensic Science and Computer Forensics.” Third IEEE International Conference on Secure Software Integration and Reliability Improvement, 2009.
[2] G. Grispos, T. Storer, and W. B. Glisson. “A comparison of forensic evidence recovery techniques for a Windows mobile smart phone.” The Journal of Digital Investigation, pp. 23–36, 2011.

Friday 11 May 2012

Digital Forensics: Is it reverse engineering?

A few days ago, I read a paper on Xbox 360 forensics [1]. Personally, I think it was a good paper, not just because it was published in The Journal of Digital Investigation but, most importantly, as a practitioner reference.

Well, part of my job is to read. Learn and unlearn something. It is worthwhile and interesting.

As a researcher, if I don’t like reading, then I have to find another job. For me, I could just go back and do some electronics stuff or SCADA design or programming or hacking (hahaha). The pay as an engineer is not bad either. They design things, aka products.

For a scientist, discovery is their work. A systematic study…to solve a particular problem…hypothesis…testing/experiment…result and bang! SOLUTION.

So, how do you refer to a person with two specialized backgrounds (to digress a bit from the main topic)?

Digital Forensics Engineer or Computer Forensics Scientist, and the funny thing is, some may want to be referred to as Principal Specialist…CTO and bla…bla…bla…

It doesn’t really matter to me because money/pay/business is more important. Isn’t it (just joking)?

Whatever it is, the biggest question is the one in the title above.

Is digital forensics reverse engineering?

The majority of the literature, if you refer to it, gives the impression that digital forensics is reverse engineering. If not, the paper will be something theoretical and mathematical with a limited dataset (just wondering whether it will be useful to the practitioner), i.e. mobile phone forensics.

What is the new knowledge? New methods? Framework? Practical? How to?

Some may say “clever skullduggery!” You must be kidding!

Nonetheless, most of the literature is helpful for the practitioner (maybe the authors were practitioners).

Some may even argue about whether digital forensics is a science.

Engineer vs scientist!

Practitioner vs researcher! or

Student vs supervisor!
This situation is even worse. The supervisor might not be an expert in digital forensics and unsure about its research. I’m not trying to offend anybody here but this is a reality.

The least that a supervisor could do is to assist with how to conduct proper research. Learn together and don’t act like a “boss”. My Prof did that. Awesome!

I promise you…the student would eventually provide the supervisor with some knowledge. It will not be a waste. I’ve done it. I treat my students just like my buddies. If not, the students are in a blunder! God bless them.

Another case is… Author vs reviewer!
Newbies being bullied by the so-called “seasoned researcher.” When I review a paper, I put myself in the author’s place; if it is not up to standard, I try to assist the author and give suggestions on how to improve it. Not empty rejections. Don’t insult their work. Be like a dad, advise the son.

I guess all these questions are debatable. Just like the politicians during an election. Condemning one another. Who loses? The people!

In this matter, the clear winner is the cyber criminal! Wake up dudes!

P.S: I copied the pic from my student’s Facebook.

[1] K. Xynos, S. Harries, I. Sutherland, G. Davies and A. Blyth. “Xbox 360: A digital forensic investigation of the hard disk drive.” The Journal of Digital Investigation, pp. 104-111, 2010.

Saturday 5 May 2012

Digital Forensics: Integrating Researcher and Practitioner

If you are thinking of doing research in Digital Forensics (master’s degree or PhD), the article by Nance et al. [1] is a good start for your critical reading. There are a few categories to pick from, further divided into motivating areas that might be of interest to you.

Well, I wish you good luck. It is going to be difficult because you need to justify why you chose that particular topic. Basically, you will need to defend your choice. You need to have an ‘insight’ into the chosen area and, above all, must be passionate about it.

Avoid choosing something that is relatively new, e.g. cloud forensics, or one that requires a lot of funding, e.g. mobile phone forensics (dismantling the packaging and studying the hardware to extract digital evidence). You don’t want to change your topic after a year of research, or worse, during your second year.

If everything is fine, then at the end of 3 years you will finish writing your thesis and get your PhD. But one big question will arise! Will your discovery, aka new knowledge, contribute to the digital forensics practitioner community?

Perhaps, during your critical reading, you might find some papers that are not exactly contributing to the practitioner’s needs. Purely theoretical (academic) but not practical (practitioner). If you are not sure, refer to the links below.

Academic: http://dictionary.reference.com/browse/academic
Practical: http://oxforddictionaries.com/definition/practical

Is this an issue? Yes and no. What is the suggestion for betterment?

It is advisable for the researcher and practitioner mindsets to be ‘coherent’. Both need to work together in order to fight against cybercrime (directly or indirectly). A practitioner does not have time to do research, and a researcher is not entrusted to investigate a case. Both need each other, and to date the relationship is progressing satisfactorily.

But sometimes, things are beyond our control. Think about it!

[1] K. Nance, B. Hay and M. Bishop. “Digital Forensics: Defining a Research Agenda.” In Proceedings of the 42nd Hawaii International Conference on System Sciences, 2009.