The rantings of Craig Chapman, Computer Forensics Geek.
Lest Big Galoot be accused of sounding too flippant about the undeniable benefits of “Standards” in our lives, let’s not forget an often overlooked human side of the increasing “Standardisation” of our world and those who feel the irrepressible urge to write them.
Standards make many people happy, warm and comfortable, as does a nice pair of fluffy slippers and a cup of warm cocoa. This is not necessarily a bad thing. I like my cocoa and slippers as much as the next bloke. But make no mistake, standards are sometimes touted by those who feel an overwhelming need to compartmentalise their own and other people’s lives by standardising the way in which everyone does things.
For those mother hens of the world who seem to take pleasure in writing procedures & processes for everything we do – from walking our dog off its leash in the park, to spitting on a footpath, is it more a case of process – at the expense of performance?
A recent article at CIO mag http://www.cio.com.au/index.php/id;1626336618;fp;4;fpid;51238 proposes that new network forensics standards are “crucial to the speed and fairness of the US judicial system.”
What a complete load of puffed-up, breast-beating, piffle! The irony is, they’re likely to achieve the opposite effect, resulting in a lower conviction rate and slower trials due to forensics people being simply unable to comply with every little nuance laid down by unworkable standards written erroneously to cover every conceivable network crime scene. Which of course, they can’t. Hence my point.
So what about that term, “Standard”? By virtue of the word, it comes attached with an inference of a way in which things ought to be done, given a certain circumstance. But that’s the problem. Is every network architecture the same? Is every botnet, Phishing or DDOS attack the same? Does every hacker deploy the same methods?
Attempts to further standardise the way in which all of these matters are forensically investigated, in addition to the already universally accepted, existing digital evidence handling and crime scene procedures, would be a ridiculously cumbersome, onerous and overly ambitious proposition. Worse still, in order to keep up with the evolving nature of networks and e-crimes, those standards would need to be re-written on a daily basis.
So what’s the difference between standard computer forensics evidence-handling methodology and any other crime-scene evidence-handling process? Not much. The overriding principles of evidence preservation remain the same, whether it’s a murder investigation or a botnet attack. Which is why there’s no need for such additional red-taped standards.
So instead of trying to impose additional standards upon the computer forensics profession, what’s needed is recognition by the “standardisers” of the world, (you know who you are) of the enormously liquid, complex and constantly evolving nature of networks and the inherent need for network-based forensics to be adaptable to every scenario, now and in the future.
But if they simply must write yet another boring, red-tape standard (read: rule/law), here’s a thought: Please, will someone write a standard – aimed at those annoying and foul smelling, IPOD-wearing, greasy haired gits who catch my train at 6.30am every morning – who pretend they can’t be heard – banning their 1000dB mp3 techno-funk, noise pollution? I just want to read my morning paper in peace. Surely, that’s a far more noble and worthy “standard”?!
Big Galoot

Keen on your take on the various Australian “Standards” from SAI Global for your line of work Chappo:
http://www.saiglobal.com/shop/Script/Result.asp?PSearch=false&Db=All&SearchType=simple&Status=all&Max=15&DegnKeyword=forensics&Search=+Go+
I’ll be honest with you Chappo. You know we do quite a bit of investigation, forensics and incident response work, but I have little to no awareness of these “standards”. The only reason I knew where to look to include the link was because one of my team a couple of years ago showed me the one on evidence collection. Since then, I have never referenced it. You know I go to the source for information... so am I missing something by not knowing about these documents? (You know I ask that tongue in cheek also?)
I see another post on standards coming.
Standards are generally good to have in most lines of work I can think of and I imagine are very useful in industries where physical safety (OH&S) is an issue, or from a financial compliance perspective to try & keep people honest. But in the computer forensics area, the Courts are the final arbiter of whether correct evidentiary processes have been followed.
There’s a set of Australian Standards for the collection of computer-based evidence, and from my reading, they are ok, as far as standards go. I have a problem when a Standard is touted as a bible, or a way in which things must be done in all circumstances. It all comes down to how the Standard is going to be used, or its intended purpose.
“The most expedient way to implement these standards may be to use proprietary tools rather than open source software or freeware.”
There is *no* logical argument that I can cite which states that “proprietary tools” have an advantage over open source or freeware, excluding cost.
The pcap format is supported by *both* “proprietary tools” and “open source software or freeware”.
Furthermore, “proprietary tools” are burdened by anti-forensics attacks, such as those presented at RUXCON 2K5, and by a lack of peer review by the community.
I totally agree, Christian.
While the motivation behind having a Standard itself may be entirely honourable and proper, this surely must be balanced against the potential financial motivation of what I’d call the Standards-writing industry.
I’m talking about those who derive a financial benefit from writing standards. I for one would have to question the actual benefits of any standard formulated by those who would derive an income from it.
@Big Galoot
In relation to Standards Australia, you may want to refer to the article “Sales arm cashes in” published in “The Australian” at http://www.australianit.news.com.au/story/0,24897,19597342-15316,00.html
On a related note, ComputerWorld have published “Uni to develop computer forensics standards to help cops nab crims” at http://www.computerworld.com.au/index.php/id;1132639156;fp;4;fpid;16