Forensic Challenges

Whenever something new comes out, one of the first things people in a particular field ask is, how will this affect us and what we do? This is especially true in our field. With the recent release of new technologies, not least of which is Vista, lots of folks have been asking about the challenges these new technologies will pose to digital forensics.

Thinking about this, I would suggest that the challenges don't come from "new" technologies being introduced, but rather from our community's myopic point of view.

I know what you're thinking...what did he just say? Well, I'm suggesting that new technologies...increased storage capacities, increased sophistication in cybercrime, new operating systems, etc...aren't imposing the "challenges" we think they are...we are. As a community, we're limiting ourselves, and imposing these challenges on ourselves somewhat artificially.

Rather than trying to describe my reasoning in the abstract, let's look at a couple of examples. First, increased storage capacity...newer, smaller hard drives with greater capacity are what make devices like iPods and do-everything cell phones possible. However, growing capacity is something the forensic community has been dealing with for some time. This is not a "new" challenge at all. The same holds true for new operating systems, like Vista. New operating systems have been coming out all along...at one time, Windows NT 4.0 was "new" (heck, even I remember that!).

What about drive encryption? Is this really a "new" challenge? Encryption has been around for a while, and we have to deal with encrypted files all the time. Between freeware file-encryption tools and commercial products, it's not unusual to encounter such things. Those of us who haven't had to deal with them specifically still need to keep some knowledge of what to do, an "SOP", if you will, in mind in case we do. The one thing to get right in that SOP is the order of operations: with a whole-drive encryption product in use, whatever is decrypted and readable while the system is running is no longer readable once the system has been powered down, so the question of encryption has to be asked before anyone pulls the plug, not after.

IMHO, the real challenges to the digital forensic community are largely self-imposed. New technology doesn't necessarily impose new challenges on the community, as the introduction of "new" technologies is almost a steady-state in this industry, isn't it? DOS led to Windows 3.1 and OS/2, which led to Windows 95 and NT 3.51/4.0, etc., etc. Storage capacity has increased over time. New devices have been introduced. There's really no "challenge" in this, per se...simply wait until someone produces a product to deal with the "new" technology, and things continue as before.

It appears that the real challenge is incorporating new ways of doing things, such as live response. Now, we won't always have the opportunity to employ live response, as not all of us have the benefit of talking to the "victim" before they take some action on the affected system(s), but live response is one of those things that flies in the face of the traditional (dare I say "purist") approach to computer/digital forensics. However, live response can do a great deal to help us solve some of the other perceived challenges, since it captures volatile state (running processes, network connections, memory, and the contents of any currently-mounted encrypted volume) that is simply gone once the system is powered down, if we can change the mindsets of the major players in the community. From there, this mindset change will permeate to others...corporate IT, lawyers, etc.

What challenges do you see?