Managing Network Security

Digital Forensics

by Fred Cohen

Series Introduction

Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

Looking Back

It is somehow fitting that during the first part of a new 1,000 year period I would be looking back... but then, according to my calendar, I'm looking back on 5,670 years, so that's not the issue in today's issue. The issue today is - looking back ... that is what forensics is all about after all. We don't use forensics to look at the future, or even at the present. We use it to look back at the past and try to reconstruct what took place based on the historical (and sometimes hysterical) record... anybody who is or has been engaged in this endeavor realizes that the records are often laughable at best.

So here we are - today - and we want to know who, what, where, when, why, and how something happened in the past. If we were in the pathological field of forensic medicine, we would know to take the temperature of the body, look for marks, and so forth. In the digital forensics field, we do much the same thing. We start with a computer or other piece of hardware and start looking for the telltale tracks of criminal activities.

I know a guy that says something to the effect that you don't find rats by looking for rats. You find them by looking for rat droppings and then tracing back to the rats. In a lot of ways, it's the same with digital forensics. You don't find many smoking guns right out of the box. First you look for the telltale tracks, and then, if you know how to do it and take the time and effort, you have a chance at tracing it back to the rat.

Is There a Doctor in the House?

The first observation I have of the difference between forensic medicine and digital forensics is that nobody in their right mind would engage in forensic medicine without a medical doctor involved in the process, and no defense lawyer worth anything would miss the chance to lambaste the prosecution if the medical examination was done by a detective who had a hobby of checking out bodies.

There are a couple of reasons we get away with this so often in digital forensics. One reason is that there aren't a whole lot of qualified digital forensic experts - in fact, there may not be any. After all, how many degree programs are there? The first ones are only now coming on line. How many certification boards and standardized tests? None! How many Ph.D. programs in computer science include a digital forensics track? None!

For forensic medicine, we generally start with medical schools and find interested students. For forensic examination of computers today, we generally start with police who have some familiarity with personal computers, and they learn more on their own. This has got to change. Today, most of the best digital forensic examiners are consultants and police personnel who, by experience and experiment, have learned more about computers than many of the people who now design them. Unless and until this changes and professional education in digital forensics takes hold, the value of digital evidence in terms of its reliability and ability to withstand legal and technical challenges will remain dubious at best.

How many pasts are there?

When you take the present and look back at the past, you may find that there are a lot of different versions of events that pop up. At a minimum, there are typically a lot of different possible histories that could produce a current situation. The challenge of the digital forensic examiner is to (1) determine what pasts may have produced the evidence before us, (2) understand what pasts could not have produced the evidence before us, and (3) be able to demonstrate the validity of this assessment to independent third parties, including juries, in a manner that is understandable to them.

Assuming you have done your job well, you should be able to clearly demonstrate your theory of the case, demonstrate that alternative theories presented by possible opponents are not valid through a refutation process, and confirm your theories by experimental demonstrations.

Forensics is a Science

If you read that last paragraph carefully, you are likely aware that it sounds more than a bit familiar. It is of course very close to the classic characterization of the scientific method. We put forth testable theories and perform experiments to confirm or refute these theories. If there is a strong refutation, the theory falls over and we need a new theory. Confirmations help to bolster the theory, but are not proof that it is true in all cases, unless it is a theory about a finite set of objects that can all be tested against the theory (in forensics, this is never the case because we cannot test all possible pasts, or some might say, even one of them).

Forensics is based on the scientific method, and thus, regardless of any personal beliefs we may have, we generally have to leave religious feelings and notions of miracles at the door. This implies that we cannot do a credible job of forensics if we have an axe to grind. I often face people who oppose the notion that I should be investigating one of their co-workers, or who believe that because they feel that a particular party to a case is good or bad, the evidence is somehow to be treated differently. This too must be left at the door. If you are somehow personally involved in a case, either because of a predisposition to a particular outcome or because of a personal knowledge of the parties involved, you should not work on the case. I tell people that I don't know the individuals who are involved in the case and that I don't care if they are innocent or guilty. All I do is evaluate evidence on a factual basis and report on the results.

If people were perfect, we wouldn't have a 'del' key (I personally use 'backspace', but to each their own). Nobody is perfect, and forensics clearly demonstrates this on a daily basis. Science is a human activity, and thus science is also not perfect. It is just the best tool we have available. Digital forensics is even less perfect than science in general because we are trying to draw conclusions about something we cannot truly experiment with. All we can really do is our best.

Forming the Mosaic

Part of doing our best is not being lazy. I have seen a lot of cases where people found a little bit of inculpatory or exculpatory evidence and claimed victory. The courts are not yet up to a level of knowledge where they know what to believe and because of the poor manner in which digital evidence is presented and prepared, the courts are often left at the mercy of experts who are not... experts that is.

In most cases, digital evidence forms a mosaic that is very hard to invalidate and reasonably easy to demonstrate, if you only take the time and money to do it. Of course one of the reasons that you don't see a lot of high quality digital evidence based on the totality of evidence available is that the dollar values associated with most cases of this sort are not high enough to justify the expense of a really strong case. In fact, the facts of digital evidence are, more often than not, stipulated to before they ever reach trial. Furthermore, the digital evidence is rarely, if ever, the only evidence in a case.

In forming the mosaic of a case, you invariably come across missing pieces. Here is an example. I looked into a case in which it was purported that a user logged into a RAS server and used remote access to a company network to go out to the Internet through the company firewall to an ISP where confidential information was placed. The full mosaic in this case would, at a minimum, involve RAS logs, system logs, firewall logs, web server logs, web postings, telephone records, and evidence from the disks on the computers involved. I did not have access to all of this information; however, the RAS logs and the web postings were available. After doing a time correlation between the RAS logs and the web postings, I was able to determine whether or not the user identity was in use via the RAS server at the time of the postings. To follow this case up further would have required more effort than was thought worthwhile, primarily because a subpoena and a high quality interview of suspects yielded admissions that obviated the need for a court case. Once the evidence we already had was on the table, there was no need to complete the picture.
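The time correlation described above, as an added example that is not part of the original article or of the case it describes: the RAS log format, the user names, the posting records and the timestamps are all constructed here for illustration (real RAS and web server logs look different), and the `skew_seconds` tolerance is an assumption about how an examiner would handle clocks on two different machines that do not agree. The point it shows is the piece of the mosaic the paragraph relies on: for each posting, was the user identity in an active RAS session at that moment, and does the answer change when a small clock difference between the two log sources is allowed for?

```python
"""Correlate RAS session logs with web posting timestamps (added example).

For each posting we ask whether a given user identity had an active RAS
session that covers the posting's timestamp. A session window may be widened
by `skew_seconds` at both ends to absorb clock differences between the RAS
server and the web server; postings that are only covered once skew is
allowed deserve a separate explanation in the report.
"""
from datetime import datetime, timedelta
import re

# Constructed RAS log (not from any real system): one CONNECT/DISCONNECT
# event per line, local time, with the user identity and modem port.
RAS_LOG = """\
2000-01-03 21:58:10 CONNECT user=jdoe port=3 ip=10.0.0.17
2000-01-03 22:41:02 DISCONNECT user=jdoe port=3
2000-01-03 23:05:44 CONNECT user=asmith port=1 ip=10.0.0.21
2000-01-04 00:12:30 DISCONNECT user=asmith port=1
2000-01-04 01:10:00 CONNECT user=jdoe port=2 ip=10.0.0.18
"""  # the last session has no DISCONNECT: still open, or the log was cut

# Constructed posting records from the web side: (posting id, timestamp).
POSTINGS = [
    ("post-101", "2000-01-03 22:15:00"),  # inside jdoe's first session
    ("post-102", "2000-01-03 22:42:00"),  # 58 s after jdoe disconnected
    ("post-103", "2000-01-04 00:30:00"),  # no jdoe session at all
    ("post-104", "2000-01-04 01:20:00"),  # inside jdoe's still-open session
]

TS_FMT = "%Y-%m-%d %H:%M:%S"
RAS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ev>CONNECT|DISCONNECT) "
    r"user=(?P<user>\S+) port=(?P<port>\d+)"
)


def parse_sessions(log_text):
    """Pair CONNECT/DISCONNECT events per (user, port) into sessions.

    Returns a list of (user, start, end); end is None when the log never
    closes the session, so the window is treated as open-ended.
    """
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = RAS_RE.match(line)
        if not m:
            continue  # malformed line: a real examiner would record and report it
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (m["user"], m["port"])
        if m["ev"] == "CONNECT":
            open_sessions[key] = ts
        elif key in open_sessions:
            sessions.append((m["user"], open_sessions.pop(key), ts))
        # a DISCONNECT with no matching CONNECT means the log began mid-session;
        # it is dropped here rather than guessed at
    for (user, _port), start in open_sessions.items():
        sessions.append((user, start, None))
    return sessions


def correlate(sessions, postings, user, skew_seconds=0):
    """Map each posting id to True if `user` had a session covering it.

    Every session window is widened by skew_seconds on both ends.
    """
    skew = timedelta(seconds=skew_seconds)
    result = {}
    for post_id, ts_text in postings:
        ts = datetime.strptime(ts_text, TS_FMT)
        covered = False
        for s_user, start, end in sessions:
            if s_user != user:
                continue
            if start - skew <= ts and (end is None or ts <= end + skew):
                covered = True
                break
        result[post_id] = covered
    return result


if __name__ == "__main__":
    sess = parse_sessions(RAS_LOG)
    strict = correlate(sess, POSTINGS, "jdoe")
    tolerant = correlate(sess, POSTINGS, "jdoe", skew_seconds=120)
    for post_id, ts_text in POSTINGS:
        print(f"{post_id} {ts_text}: covered={strict[post_id]} "
              f"covered_with_2min_skew={tolerant[post_id]}")
```

Run as written, post-102 is the instructive case: it is not covered on the raw timestamps but is covered once two minutes of clock skew are allowed, which is exactly the kind of difference the opposition will ask about and the examiner must be able to explain from the evidence rather than assume away.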

Back to the Scene of the Crime

In cases where things are not so easy, and where claims are likely to be tested, the best way to examine evidence scientifically is through a crime scene reconstruction. While the reconstructed digital crime scene is clearly not identical to the original crime scene, neither is any other kind of reconstruction. For example, the alignment of the stars is different. Now, if the alignment of the stars is critical to the issues in the case, this is an important difference and it must either be reconstructed in some way, or there will be a need to explain how this would have affected the outcome.

This brings us to the point of reconstructions. We can spend an unlimited amount of time and money doing higher and higher quality reconstructions of a crime scene, and any little detail that is different between the original crime scene and the reconstruction can always and rightfully be disputed by the opposition. The goal of the crime scene reconstruction is to help identify elements of the mosaic and how they are similar and different from the evidence observed. In almost all such reconstructions, there will be differences, but the key is to show the similarities and differences for what they are and what they mean relative to the issues in the case.

There is a principle called Occam's Razor. This principle is that when two theories are available for a given phenomenon and neither can be determined to be better on any other basis, the simpler theory should be used. Imagine, for example, that we have a crime that can be explained by a complex series of interlinking events or can be explained by a very simple event. Unless there is some reason to believe that the more complex sequence of events took place, the simpler explanation is generally taken. This, of course, doesn't make it true, but it certainly appears more plausible on the surface. If the case calls for it, it is the job of the forensic examiner to dig deeper and either determine a reason that one or the other explanation is superior or show that neither can be shown better.


Folks in corporate settings may feel a bit distant from this article, but they should not. In fact, the same principles apply to forensics in corporate settings as in legal settings. The standards of proof are less because the penalties tend to be less, but civil actions can result from corporate as well as state activities, and the process is the same regardless.

Digital forensics is a field of great and growing interest, and increasingly management needs to be aware of the forensic process and requirements. I hope this article has been of use in this process at least.

About The Author:

Fred Cohen is exploring the minimum raise as a Principal Member of Technical Staff at Sandia National Laboratories, Managing Director of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing in information protection, and a practitioner in residence in the University of New Haven's Forensic Sciences Program, where he educates cybercops on digital forensics. He can be reached by sending email to fred at or visiting /