Why Computer Forensics is a Bad Idea

In CIO there is a really good article on why computer forensics is, as we say in the security business, hard. And by that we mean really, really hard.

The general problem here is that people assume that forensics is a good science with results that cannot be (easily) manipulated, because we see the “science” of it in shows like CSI. And, from what I understand, traditional forensics is quite hard to manipulate. It is not possible for an amateur to fake blood splatter, to change traces of DNA, or even to easily manipulate footprints etc. The trouble is that with computer forensics we are dealing with a digital world where changes can be made easily and without much prior knowledge.

In fact, there is a vast selection of ready-made tools available to the user with even the most basic googling skills and an interest in the subject. The makers of forensic tools are running a constant battle with the anti-forensic tools, and there will never be a winner. In fact, the race itself makes everyone a loser. Because it is so easy to manipulate computer forensic data, it is arguable whether it can be used in a court of law at all. Would we use DNA samples as evidence if anyone could easily manipulate DNA data? No, we would not. Yes, there are a lot of users who do not have the knowledge to run these tools on their computers; but the problem is that other users might. The most obvious defense would of course be to argue that someone else has used the computer to do nefarious acts. And as a defense it is quite a good one. A good attacker would not leave any traces at all, so how can you disprove that argument?

Basically, we are stuck. Computer forensics is probably useful in certain cases, but the tendency to base investigations on its results, or even to confuse its validity with that of traditional forensics, is dangerous. In fact, we must probably face the fact that computer evidence really has only a very narrow use, and must be combined with a lot of traditional police work if we are going to have any kind of legal protection as individuals.

