A research survey on Forensic Methodologies

(@kimsmith64)
Topic starter

Dear members of the forum,
You are being invited to participate in a research study titled
Is it possible to create a standardised Digital Forensic Procedure to be used globally in Digital Forensic Investigations?

I am a student at the University of South Wales.
The purpose of this research study is to identify weaknesses in the current digital forensic methodologies used by digital forensic investigators in order to identify best practice to build a single methodology. The aim of the proposed methodology is to go forward as a global standard to be utilized for all technology and in a global environment.

Your participation in this study is entirely voluntary and you can withdraw at any time. You are free to omit any question that you feel is unnecessary.

The SurveyMonkey survey should take you no more than 10 minutes to complete.

https://www.surveymonkey.co.uk/r/GMBQNP7

Thank you in advance

Kim

 
Posted : 06/08/2018 12:06 pm
MDCR
(@mdcr)

Do you want LEO responses only, or do you want insight from other agencies/private business and discovery peeps too? What is the scope/purpose of the survey?

I'm asking because in some places, methodology is fast and loose since you do not go to court but act upon the information immediately.

 
Posted : 06/08/2018 1:09 pm
keydet89
(@keydet89)

I'm asking because in some places, methodology is fast and loose since you do not go to court but act upon the information immediately.

I fully agree with this statement, but also believe that not going to court should not be a reason to obviate rigor.

More importantly, it is similarly not a reason to obviate documentation.

Within the private sector, IMHO, workflows are critical. For example, there are various different types of investigations that would benefit greatly from documented, living workflows, such as BEC investigations, malware discovery, etc. However, many analysts are reticent to either establish and follow a workflow, or to document that they did.

I firmly believe that having a documented, repeatable process in place (where applicable), something that is a living document (updated to include new findings) provides a basis for automation, and does not limit the analyst. Rather, such a process makes a new analyst much more productive, and frees up the more experienced analyst to be creative.

 
Posted : 06/08/2018 1:46 pm
watcher
(@watcher)

…More importantly, it is similarly not a reason to obviate documentation.

… I firmly believe that having a documented, repeatable process in place (where applicable), something that is a living document (updated to include new findings) provides a basis for automation, and does not limit the analyst. Rather, such a process makes a new analyst much more productive, and frees up the more experienced analyst to be creative.

I absolutely agree with you in principle.

Unfortunately there are environments that turn repeatable process into a stultified checkbox mentality instead of a living reference guide. This often goes hand-in-hand with the complaint that reports are too long and too technical and a demand that all process documentation be removed to shorten and simplify the report. Formatting the report into an executive summary without details followed by a full technical report with process quickly becomes a clipped out summary only. New analysts learned that without process detail, their reports can not be effectively reviewed or challenged, speeding everything up.

This is also an effect of applying simple metrics to complex issues (reports per month). You end up getting simple and wrong results.

"Should" and "Human Nature" often work in opposition.

 
Posted : 08/08/2018 5:05 pm
(@kimsmith64)
Topic starter

Thank you for the question concerning who I would like to complete the questionnaire. I am happy to receive a range of responses from both the private and public sector. The main aim is to identify common issues that could be alleviated through the use of a common model for all digital forensic investigations. This is only a first step to investigate the possibility of a set of common steps that would provide a more scientific method to digital forensic investigators and to thus have a similar impact in terms of reliability that fingerprints now have.

 
Posted : 08/08/2018 8:18 pm
MDCR
(@mdcr)

Assuming that the quality of the fingerprint image is sufficient and that the analyst does a human inspection of the matched results.

https://www.theregister.co.uk/2004/05/26/fbi_madrid_blunder/

 
Posted : 09/08/2018 7:47 am
(@trewmte)

New analysts learned that without process detail, their reports can not be effectively reviewed or challenged, speeding everything up.

Insightful observations about the problem. In particular, should an analyst know the process merely as to his/her actions in an examination? What about the process of knowing the digital forensic hardware and software?

Director of Public Prosecutions -v- Power [2018] IECA 119 (24 April 2018) -
Court of Appeal Record Number 150/2014

'Ground of Appeal No. (vi) – the admissibility of the XRY Report/Printout
87. During the course of the trial the respondent sought to introduce into evidence a printout of data (the “XRY report”) downloaded from the mobile phone and SIM card of the deceased using a software tool known as the XRY Forensic Phone Analysis System.

88. The evidence relied upon in support of the application came, inter alia, from Sergeant Mary Gilmartin who told that court that she was trained and qualified to operate the XRY Forensic Phone Analysis System, that she had received a Nokia mobile phone handset labelled BC 08 from Sergeant Brendan Carey (there was later evidence that Sgt Carey had recovered that handset from the kitchen of the deceased’s house where it was plugged in to charge), and that using the XRY Forensic Phone Analysis System she had on the 17th of October 2012 downloaded data from the SIM card in that handset, and further on the 18th of October 2012 had downloaded data from the mobile phone handset itself. Then again using XRY Forensic Phone Analysis System software she had generated a printout (the “XRY report”) covering a specified period, which she was exhibiting. This report or printout contained details of calls made and received over the period of interest as recorded on either the SIM card or the handset itself, as well as details of the dates and times of SMS texts sent and received in the period of interest, the numbers from which texts were received and to which they were sent, and a record of the actual text transmitted or received.

89. Under cross-examination, Sergeant Gilmartin accepted that she did not really know how the XRY Forensic Phone Analysis System worked:
“Q. Yes. I think your role essentially, Sergeant, was to get your device or programme, to plug it into the phone, get a printout and hand it on?
A. That is correct, Judge.

Q. Do you know how the software works?

A. Very vaguely, Judge, I'm not

Q. You wouldn't purport to be an expert in that?

A. Absolutely not, Judge, I'm qualified in the operation of it.

Q. Yes?

A. And to make sure that it's done correctly, but that is my sole function in relation to it.

Q. Certainly, you wouldn't be able to help us as to how it actually operates?

A. No, Judge, I would not.

Q. Did you check the device time?

A. The only place that that is recorded is sometimes depending on the model of the phone, on the first couple of pages of the report, if you just give me a moment and I'll just check and see if it was recorded on this, no, Judge, it's not recorded on the download.” '

 
Posted : 09/08/2018 8:57 am
jaclaz
(@jaclaz)

Insightful observations about the problem. In particular, should an analyst know the process merely as to his/her actions in an examination? What about the process of knowing the digital forensic hardware and software?

Only for the record, I once raised a similar problem
https://www.forensicfocus.com/Forums/viewtopic/t=2488/
my (totally invented and obviously exaggerated) report of court happenings
https://www.forensicfocus.com/Forums/posting/mode=quote/p=6521007/
are not that much different from what you just reported about "admissibility of the XRY Report/Printout"

jaclaz

 
Posted : 09/08/2018 1:39 pm