Locard's Exchange Principle


keydet89
Senior Member
 

Locard's Exchange Principle

Posted: Nov 15, 05 20:04

This morning, I responded to another post and included the below link:

Locard's Exchange Principle
www.profiling.org/jour...0_1-1.html

Having re-read this article in the face of posts I've seen in several public forums, IMHO the article makes a lot of very important points.

It's a good read...take a look. It doesn't take a great leap to transition the concepts to the digital realm. In most cases, I replaced "physical" with "digital", and "crime" with "event".

When investigating an event, evidence can be very transient. Evidence left behind as a result of Locard's Exchange Principle can be volatile and fade with time (i.e., network connections, process memory, NetBIOS name table entries, ARP cache, etc.), or simply be destroyed and lost in the purist approach to forensics (i.e., take system down, image).

This needs to be considered in the face of Heisenberg's Uncertainty Principle in the digital realm, as well. In "Forensic Discovery", Dan Farmer and Wietse Venema discuss uncertainty, in part, on page 6:
"Our general philosophy recommends greater understanding instead of higher levels of certainty, which could potentially make such methodology more suspect in a court of law. Paradoxically, however, the uncertainty - primarily in the data collection methods - can actually give a greater breadth of knowledge and more confidence in any conclusions that are drawn."

To me, this makes perfect sense. Consider live response...say a methodology is developed, like the Forensic Server Project (FSP)[1]. The investigator runs multiple tests to determine and document the changes made on a system by the methodology prior to use. On Windows XP, for instance, you'll have not only changes to the system memory, but files may be added to the Prefetch directory, entries may be added if the appropriate Event Log audit settings are enabled, etc. With this documented, the investigator then uses the tools to extract volatile data prior to imaging the system.

At this point, can the volatile data collected be considered evidence? As the tools are burned to CD, a copy of the CD can be made should it be required for disclosure. The collected evidence can be released, as well.

This is definitely worth considering. Taking the requirement for legal proceedings out of the equation, it should easily become clear how valuable such a methodology would be in the face of incident verification and identification.

Harlan


[1] www.windows-ir.com/fsp.html
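The collection manifest below is an added example written for this thread; it is not code from the post, from the Forensic Server Project, or from Forensic Focus. It shows the two things Harlan's post asks for in a defensible live-response run: collectors executed most-volatile-first, and a record of the examiner's own footprint (hashes of the tools used, the collector's PID, start and end times) so that, when the image is analysed later, the traces the collection itself left can be told apart from the subject's. The collector names, case id, operator and all sample outputs are constructed; a real run would plug in the actual tools from the read-only media.

```python
"""Live-response collection manifest.

Added example; not code from the thread, the FSP, or Forensic Focus.
Runs volatile-data collectors most-volatile-first, records each result
with a SHA-256 digest and a UTC timestamp, and records the examiner's own
footprint (tool hashes, collector PID, start/end time) so the traces the
collection itself leaves can later be separated from the subject's.
"""
import hashlib
import json
import os
import platform
from datetime import datetime, timezone


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tools(tool_paths):
    """Hash every binary on the collection media before anything runs, so a
    disclosed copy of the CD can be matched against what was executed."""
    hashes = {}
    for path in tool_paths:
        with open(path, "rb") as fh:
            hashes[os.path.basename(path)] = sha256_hex(fh.read())
    return hashes


def run_collection(collectors, tool_hashes, case_id, operator):
    """collectors: iterable of (name, volatility_rank, fn) with fn() -> bytes.
    Lower rank = more volatile = collected first. A collector that fails is
    recorded with its error instead of aborting the run: a gap in the
    collection must be documented, not silently dropped.
    Returns (manifest, blobs): the JSON-serialisable record and the raw data."""
    manifest = {
        "case_id": case_id,
        "operator": operator,
        "host": platform.node(),
        "collector_pid": os.getpid(),   # our own entry in the process list
        "started": utc_now(),
        "tools": dict(tool_hashes),
        "artifacts": [],
    }
    blobs = {}
    for seq, (name, rank, fn) in enumerate(sorted(collectors, key=lambda c: c[1])):
        entry = {"seq": seq, "name": name, "volatility_rank": rank,
                 "collected_at": utc_now()}
        try:
            data = fn()
            entry.update(size=len(data), sha256=sha256_hex(data), error=None)
        except Exception as exc:            # record the failure, keep going
            data = b""
            entry.update(size=0, sha256=None, error=repr(exc))
        blobs[name] = data
        manifest["artifacts"].append(entry)
    manifest["finished"] = utc_now()
    return manifest, blobs


def verify_artifact(manifest, name: str, data: bytes) -> bool:
    """Re-check a released artifact against the digest in the manifest."""
    for entry in manifest["artifacts"]:
        if entry["name"] == name:
            return entry["sha256"] == sha256_hex(data)
    return False


# Constructed stand-ins for real tool output (192.0.2.0/24, 198.51.100.0/24
# and 00-00-5e-00-53-xx are documentation address ranges).
def sample_arp() -> bytes:
    return b"Interface: 192.0.2.10\n  192.0.2.1   00-00-5e-00-53-01   dynamic\n"


def sample_netstat() -> bytes:
    return b"TCP  192.0.2.10:1034  198.51.100.7:445  ESTABLISHED  1588\n"


def sample_nbtstat() -> bytes:
    raise OSError("constructed failure: NetBIOS helper not available")


def demo():
    """Constructed run: three collectors, one of which fails."""
    collectors = [
        ("arp_cache", 30, sample_arp),
        ("network_connections", 10, sample_netstat),
        ("nbt_name_table", 20, sample_nbtstat),
    ]
    tools = {"constructed-tool.exe": sha256_hex(b"constructed tool image")}
    return run_collection(collectors, tools, case_id="CASE-0000", operator="examiner")


if __name__ == "__main__":
    manifest, _blobs = demo()
    print(json.dumps(manifest, indent=2))
```

The manifest is what gets handed over with the CD copy: anyone re-running the disclosed tools can compare tool hashes, and anyone receiving the collected data can re-hash it against the manifest. The failed NetBIOS collector is kept in the record on purpose; an examiner who cannot explain why an artifact is missing is in a worse position than one who documented the failure at the time.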
 
  

hogfly
Senior Member
 

Re: Locard's Exchange Principle

Posted: Nov 16, 05 04:23

- keydet89
This morning, I responded to another post and included the below link:

When investigating an event, evidence can be very transient. Evidence left behind as a result of Locard's Exchange Principle can be volatile and fade with time (i.e., network connections, process memory, NetBIOS name table entries, ARP cache, etc.), or simply be destroyed and lost in the purist approach to forensics (i.e., take system down, image).

This needs to be considered in the face of Heisenberg's Uncertainty Principle in the digital realm, as well. In "Forensic Discovery", Dan Farmer and Wietse Venema discuss uncertainty, in part, on page 6:
"Our general philosophy recommends greater understanding instead of higher levels of certainty, which could potentially make such methodology more suspect in a court of law. Paradoxically, however, the uncertainty - primarily in the data collection methods - can actually give a greater breadth of knowledge and more confidence in any conclusions that are drawn."

At this point, can the volatile data collected be considered evidence? As the tools are burned to CD, a copy of the CD can be made should it be required for disclosure. The collected evidence can be released, as well.


The short answer is absolutely. It's evidence. Admissibility in a case is another question. The validity of the evidence must be proven with other types of evidence collected. In fact, other types of evidence can help bolster the theories developed by the analyst/criminologist. (For instance, the correlating of physical memory contents, the ARP table and network data collected from an intermediary.)
The key is following the evidence. While true that we affect everything we touch, it is also true that in the digital world, everything we do leaves traces. It's a matter of identifying those traces and proving their validity as worthwhile evidence.


This is definitely worth considering. Taking the requirement for legal proceedings out of the equation, it should easily become clear how valuable such a methodology would be in the face of incident verification and identification.


It's not only worth considering, it is something that should be implemented for anyone that writes their own tools and conducts live forensics investigations. As a matter of course all developers should have documentation of expected results (results being system modifications) when using their tools.
 
  

keydet89
Senior Member
 

Re: Locard's Exchange Principle

Posted: Nov 26, 05 18:16

Hogfly,

Excellent response...how many people out there are testing their tools? How many folks download a third party tool, to use as part of IR or forensic analysis procedures, and do so much as dump the import table (PE files?)? How many run the tools on test systems with monitoring tools to determine what they do?

Locard's applies not only to attacks on the system remotely but also local interaction with the system at the console, by a user or an investigator.

Harlan
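Both hogfly's point (every tool should ship with documentation of the system modifications it makes) and Harlan's question (who actually runs their tools on a test system with monitoring?) come down to the same baseline-and-diff exercise. The script below is an added example, not code from the thread, the FSP, or Forensic Focus: it snapshots a directory tree before and after a tool runs and reports what was added, modified or removed. The test system here is a constructed temporary directory with a fake Prefetch folder and a fake event log file, and the "tool" is a constructed function that drops a .pf entry, appends to the log and deletes a temp file; only file-system changes are covered, so registry and Event Log audit changes would need their own baseline alongside a monitoring tool.

```python
"""Tool footprint baseline.

Added example; not code from the thread, the FSP, or Forensic Focus.
Snapshot a directory tree before and after a tool runs and diff the two
snapshots, giving the documented 'expected results' (files added, modified
or removed) that should accompany any live-response tool. Only the file
system is covered; registry and Event Log changes need their own baseline.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (posix-style relative path) to (size, sha256)."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[rel] = (os.path.getsize(full), digest)
    return snap


def diff_snapshots(before, after):
    """Classify every path as added, removed, or modified (content hash changed)."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p][1] != after[p][1]),
    }


def footprint(root, run_tool):
    """Run the tool under test between two snapshots and return the diff."""
    before = snapshot(root)
    run_tool()
    return diff_snapshots(before, snapshot(root))


def _write(root, rel, data: bytes):
    """Create (or overwrite) a file at a posix-style relative path under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed test system and constructed tool; returns the footprint."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Windows/Prefetch/NOTEPAD.EXE-00000001.pf", b"constructed prefetch")
        _write(root, "Windows/System32/config/SecEvent.Evt", b"constructed log\n")
        _write(root, "Temp/scratch.tmp", b"stale")

        def constructed_tool():
            # Side effects of the kind Harlan lists for Windows XP: a new
            # Prefetch entry, an audit record appended, a temp file gone.
            _write(root, "Windows/Prefetch/CONSTRUCTED-TOOL.EXE-00000002.pf", b"new prefetch")
            log = os.path.join(root, "Windows", "System32", "config", "SecEvent.Evt")
            with open(log, "ab") as fh:
                fh.write(b"process created\n")
            os.remove(os.path.join(root, "Temp", "scratch.tmp"))

        return footprint(root, constructed_tool)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run the real tool several times against a clean test system and keep only the paths that show up every time: that stable set is the documented footprint, and every one of those paths later found on an evidence system has to be attributed to the examiner rather than to the subject before it is read as evidence of anything. The same diff idea applies to a registry export or an Event Log dump taken before and after the run.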
 
