"Expert vs. Expertise" - Computer Forensics and the Alternative OS
by Melisa LaBancz-Bleasdale - IT Journalist - Thursday, 31 July 2003.
"File systems basically work in the same manner. So the OS driving the file system is the major hurdle. A lot of forensic "experts" are dismayed when they have to investigate a UNIX box. Basically it comes down to a lack of training. Different OSes create different files which can be used by the forensic examiner. For instance, /var/log/messages is a good source in Linux, and WINNT\system32\LogFiles\W3SVC1 is a good source in Windows," says Dave.

The customization of scripts is another challenge for UNIX administrators. I spoke with Jon Bair, Director of Professional Training at Guidance Software, about the issues a UNIX administrator faces in trying to customize scripts that run auto forensic-audits of their network.

Jon states, "In many cases, UNIX administrators are responsible for managing various types of systems at once, and not all of these systems may be running the necessary components to allow the use of one script to effectively audit their infrastructure, let alone audit these systems in a forensically sound or trustworthy manner. What if, during their audit, he/she stumbles across a system that was being used in illegal activity? The very actions of their script may have just altered valuable data that may have proven important upon later investigation. What if their script requires specific files such as binaries or libraries to be present on the system they are auditing, but they do not exist? Even worse, what if they are calling local system binaries from their script in order to gather data, but the binaries they are calling have been "trojaned" and do not produce true data?"
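The three pitfalls Jon lists (a script that needs binaries the host lacks, a script that calls trojaned host binaries, and a script that alters the evidence it is gathering) can each be turned into a pre-flight check. The script below is an added example written for this article; it is not code from Guidance Software or from any of the people quoted. It assumes a hypothetical read-only toolkit directory of known-good, statically linked tools (TOOLKIT), a baseline manifest of sha256 sums for host binaries, and an evidence tree mounted at a root directory such as an image at /mnt/evidence; it also records each collected file (here /var/log/messages, one of the sources Dave names above) in a chain-of-custody log.

```shell
#!/bin/sh
# Added example, not code from the article or from Guidance Software: pre-flight checks for a
# UNIX audit script, built around the three pitfalls Jon Bair lists. Assumptions (all hypothetical):
#   TOOLKIT  - directory of known-good, statically linked tools, mounted read-only
#   manifest - baseline file of "<sha256>  <path>" lines for host binaries
#   root     - where the evidence tree is mounted (e.g. an image at /mnt/evidence)
# Every external command is taken from $TOOLKIT, never from the audited host's PATH.

TOOLKIT="${TOOLKIT:-/mnt/toolkit}"
REQUIRED_TOOLS="sha256sum cp cut tr wc date mkdir"

# Pitfall 1: the script may need binaries the host does not have.
# Check the trusted toolkit up front and stop before touching anything if one is missing.
check_toolkit() {
    missing=0
    for t in $REQUIRED_TOOLS; do
        if [ ! -x "$TOOLKIT/$t" ]; then
            echo "missing trusted tool: $TOOLKIT/$t" >&2
            missing=1
        fi
    done
    return $missing
}

# Pitfall 2: local binaries may be trojaned and lie. Hash each binary named in the baseline
# manifest with the toolkit's own sha256sum; print a line per mismatch and return 1 if any.
verify_binaries() {
    manifest="$1"; root="${2%/}"
    bad=0
    while read -r expected path; do
        if [ -z "$path" ]; then continue; fi
        actual=$("$TOOLKIT/sha256sum" "$root$path" 2>/dev/null | "$TOOLKIT/cut" -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path expected=$expected actual=${actual:-absent}"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Pitfall 3: the audit must not alter the evidence it is gathering. Refuse an output directory
# that lies inside the audited tree, so nothing is ever written into what is being examined.
# Auditing a live root of "/" fails this check by design: send that output off-host instead.
check_output_location() {
    root="${1%/}"; out="${2%/}"
    case "$out" in
        "$root"|"$root"/*)
            echo "refusing to write inside the audited tree: $out" >&2
            return 1 ;;
    esac
    return 0
}

# Chain of custody: copy one source file out of the evidence tree and record its sha256, size
# and collection time in a custody log, so the copy can be re-verified later in the investigation.
collect_file() {
    root="${1%/}"; src="$2"; out="$3"
    dest="$out/$(echo "$src" | "$TOOLKIT/tr" '/' '_')"
    "$TOOLKIT/cp" -p "$root$src" "$dest" || return 1
    sum=$("$TOOLKIT/sha256sum" "$dest" | "$TOOLKIT/cut" -d' ' -f1)
    size=$("$TOOLKIT/wc" -c < "$dest" | "$TOOLKIT/tr" -d ' ')
    stamp=$("$TOOLKIT/date" -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s sha256=%s bytes=%s collected=%s\n' "$src" "$sum" "$size" "$stamp" >> "$out/custody.log"
}

# The whole pre-flight in order. Usage: run_audit <manifest> <root> <outdir>
run_audit() {
    check_toolkit || return 1
    check_output_location "$2" "$3" || return 1
    "$TOOLKIT/mkdir" -p "$3" || return 1
    # Mismatches are findings, not a reason to stop; they are printed and the audit continues.
    verify_binaries "$1" "$2" || echo "baseline mismatches found; see lines above" >&2
    collect_file "$2" /var/log/messages "$3"
}

# Only runs the full audit when invoked explicitly:
#   AUDIT_RUN=1 TOOLKIT=/mnt/toolkit sh audit.sh baseline.txt /mnt/evidence /mnt/out
if [ "${AUDIT_RUN:-0}" = 1 ]; then run_audit "$@"; fi
```

The order matters: the toolkit check runs before anything reads the evidence, the output-location check runs before anything is written, and the baseline comparison is reported rather than treated as fatal, because a mismatching binary is exactly the kind of finding the audit exists to surface.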

Peripheral and Large Scale Forensics

Then there is the subject of utilizing computer forensics to investigate PDAs and cell phones. Both can be investigated utilizing computer forensic methodologies. The question arises as to how they differ from a PC's OS.

Dave explains, "PDAs and cell phones handle data differently, but there is still a spot on them which identifies the location of all the files/programs. How different is this from the Win98 OS? It really isn't; the issue stems from how to get the data from a non-standard device in a forensically sound manner."

Conducting an investigation on a single PC is a daunting enough task without having to search the entire network for criminal activity. I asked Dave to explain the major challenges that separate a single PC audit from a full-scale WAN-based investigation.

"Basically, the major problem becomes the overwhelming size of evidence and preserving the chain-of-custody. If I seize a 2TB server, then I will need a 2+TB server to examine the data. I have had occasion to examine 29TB of data, and one must stay extremely organized and patient in such a case," states Dave.


The meteoric rise of computer forensics is clearly noticeable when browsing today's security conference agendas. There are numerous courses taught by what are termed "experts" in their respective fields. Since computer forensic technology is ever-evolving, it would be difficult to term oneself an expert in a field that has not yet finished developing. Many corporations get themselves into trouble when they hire a so-called expert investigator with almost no real investigative experience. The use of poorly trained individuals to conduct a digital investigation can prove costly to a corporation trying to recover both its reputation and its data.

