Cyberforensics

This is, undeniably, our favorite review group and there always is a lot to showcase here. The forensic world is evolving, though, and this year we have had what we might think of as forensic anomalies - or, at least, anomalistic behavior in the forensic market. Some of our old favorites are sporting new UIs and new underlying capabilities. Some have converged various capabilities that they have kept separate in years past into a single coherent product. There was some slick new packaging - and for a change, the packaging was useful, not just a new coat of paint - and there were a few products that disappeared from the scene entirely.

When we look back on the state of forensics over the years, we see a convergence of single point solutions to single point problems. We saw separation between computer, network and software forensics. None of that matters now. In fact, the playground is much larger and, instead of fragmenting tool capabilities even more, developers have continued to converge them. This really is necessary because the sub-genres of digital - now "cyber" - forensic science have merged into a landscape where the bits cannot be distinguished from each other.

Of course, this makes sense since the entire notion of threat hunting, incident response and threat and event detection all depend in their own ways on forensic techniques. Virtually every competent SIEM, IDS/IPS and advanced firewall has the capability to collect forensic data. When we look at next-generation threat detection, analysis and intelligence tools, they are almost universally built around forensic approaches to data collection and analysis. That's a far cry from the early days when digital - or, at the time, computer - forensics was decried as a technique - data analysis - not even a technology, much less a science. Today we apply advanced machine learning and sophisticated data analysis algorithms.

But, there still is a major distinction to be made in the cyberforensic world. This distinction, arguably, has at least some of its roots in the war on terrorism. When we collect forensic evidence in a legal environment - as evidence of a crime, tort or contract dispute - we need to be able to account for each place the evidence has been handled since its collection (chain of custody), its source and "life story" (provenance), as well as the logical sequence of evidentiary events that the forensic evidence represents. We take a lot of time and use a lot of resources to ensure that this happens as it should.

However, when we use cyberforensics for intelligence analysis we are not quite as concerned with chain of custody. Unfortunately, we have seen a breed of cyberforensic tools - particularly in the network arena - that are weak in chain of custody. That does not, by any means, obviate their use in a forensic investigation. It just changes their contribution a bit. Now, instead of becoming part of the evidence chain, these data become investigative leads. Good investigators know, though, that if there is enough corroborating evidence we can --sometimes - get away with a weak or non-existent chain of custody.

This "forgiveness" is an extension of the emergence of techniques that once were strictly verboten but are, today, accepted. One example is the use of live forensics. This is where we capture digital evidence on a live system while it is operating. Back in the day that evidence would be excluded for some very good reasons. Today, however, there is no way to extract evidence from certain types of environments in a practical manner using dead-box techniques. Over time these techniques have been court-tested and have become accepted digital forensic procedure. So it is likely that other techniques that are growing rapidly in the intelligence community will become increasingly prevalent.

The tools that we have this month have a mix of intelligence and legal proclivities. However, knowing these tools and having used most of them over the years and watched them evolve, we can say that we would unabashedly include them in any investigation where their capabilities were a good fit for extracting the types of evidence we needed to find and analyze. Some of these are point-solution tools, such as mobile device forensics tools, and some are more generalized. But, in all cases, we can say, comfortably, that this is a very good mix without a clunker in the bunch.