Evolution of Digital Forensics¶
links: DF TOC - Forensics Basics & History - Index
[!warning] This text was created using ChatGPT!
The slides were only bulletpoints, i created prose text since it is easier for me to read and learn. If you don't like it just look at the slides.
Origin¶
The term "forensics" originates from the ancient Roman Latin word "forensis" which means "of the forum." The forum was a place for public debate, including criminal trials. Criminal cases were verbally presented and decided, indicating society's need for a system of criminal judgment.
Over the time science became important and more and more scientific methods were used. E.g fingerprints, toxicology, body measurements, etc.)
Technological advancements introduced new tools and techniques such as microscopes, DNA, traces, computer aided reconstruction/simulation, etc. New technologies have always taken time to be accepted as evidence!
The 80s¶
In the 1980s, home computers became popular, and large central computers were common in companies. "War-dialing" emerged as a popular hacking method, while Bulletin Board Systems (BBS) with dial-up modems connected users. The first computer viruses and worms appeared, including the infamous Morris worm. The FBI developed the capability to analyze computer evidence, and the Computer Emergency Response Team (CERT) was established at Carnegie Mellon University. The popular hacker movie "War Games" highlighted the growing interest in computer hacking.
The 90s¶
In the 1990s, the internet gained international popularity. Law enforcement showed increased interest in computer crime and evidence, with the FBI hosting international conferences on the subject. The UK Association of Chief Police Officers (ACPO) released a guide on computer evidence, and the International Organization of Computer Evidence (IOCE) was established. The Scientific Working Group on Digital Evidence (SWGDE) was also formed. The first open-source forensic software, The Coroner’s Toolkit (TCT), was developed in 1999. This opens up forensics to the non-police sector.
The 2000s¶
In the 2000s, the field of forensics evolved significantly. After the September 11, 2001 tragedy, priorities shifted towards disaster recovery, incident response, investigation, and forensics. Corporate accounting scandals, such as Enron and WorldCom, led to the Sarbanes-Oxley Act (SOX), which mandated digital evidence collection and investigation processes.
Intellectual property concerns grew, focusing on IP/brand abuse, file sharing, and copyright violations. Corporate reliance on Internet technology increased, leading to issues like Internet fraud, phishing, infrastructure attacks, and employee misconduct.
Digital forensics became a formal scientific discipline, developing theories, models, frameworks, practical tools, methods, and procedures. A professional community emerged, with international journals, conferences, best practices, and formal standards.
The scope of digital forensics expanded to include software forensics (malware/code analysis), live system forensics (memory and running processes), embedded devices (mobile phones, PDAs, GPS), and network forensics (captured traffic, remote collection). The era also saw the rise of anti-forensics or counter-forensics techniques.
The 2010s¶
In the 2010s, the focus on investigating cyber attacks increased significantly. High-profile cases included Wikileaks publishing leaked information, hacktivism activities like DDoS attacks from Anonymous and leaks by LulzSec, and nation-state APTs such as Stuxnet and APT1. The Snowden leaks revealed the extent of government hacking, raising widespread concern.
Private sector breaches and attacks also became a major issue, with significant data thefts and leaks from companies like Sony, Target, JPMC, Anthem, Equifax, and Yahoo. Online banking trojans (Zeus, Dridex, Gozi), core banking trojans targeting SWIFT clients, social engineering attacks (BEC, CEO impersonation), phishing, vishing, smishing, and ransomware became prevalent.
Investigators benefited from easy-to-use tools, big data analysis, improved timeline correlation, and selective and logical forensic imaging. There was a significant increase in mobile device analysis and hardware forensics (Chip-off, JTAG access). Enterprise tools, sometimes integrated with e-discovery, became more common, with less focus on magnetic hard disks and more on SSDs with TRIM and over-provisioning.
The 2020s¶
In the 2020s, forensics faces new challenges and research areas. The term "Cyber" has become widespread, often rebranding old ideas. Embedded Linux and IoT forensics are growing fields, while virtual currency analysis and digital payment evidence are increasingly important. Encrypted storage and network traffic present significant obstacles, and vehicle forensics has advanced to include autos, drones, and more. Ensuring evidence authenticity and validity has seen improvements, and advanced malware analysis now leverages AI and ML. Audio and video forensics address issues like Zoom bombing and unauthorized recordings.
Forensics has become expensive and challenging, making it less accessible for hobbyists and students. Telemetry data has emerged as a valuable evidence source, while device lockdown features, such as secure elements, secure JTAG, and TPM protection, add layers of complexity. Exploits and vulnerabilities are now sold to forensic tool vendors. Wearable and medical devices, along with industrial control systems, are new forensic frontiers.
GDPR and other privacy regulations impact data handling, and virtual desktops in the cloud (VDIs) and changes in corporate forensics due to remote work and BYOD policies are significant. AI prompts and responses raise concerns about data retention, reproduction, the origin of training data, AI safety laws, and copyright issues. Deepfakes represent the next evolution of impersonation, posing serious challenges for forensics.
Future¶
While we can't predict the future with certainty, several trends seem likely to shape the field of forensics. Criminals and investigators will increasingly use AI, with AI essential for handling vast amounts of data. The "Internet of Things" might evolve into an "Internet Fabric," becoming a fully integrated part of daily life. Always-on devices, such as smart assistants, smart glasses, pervasive CCTV, and smart car cameras, could become widespread.
International data access treaties may facilitate cross-border investigations, and long-term social network analysis might lead to new advancements in forensic psychology. Despite these potential changes, crime will persist, and digital forensics will remain crucial for gathering evidence and solving crimes.
links: DF TOC - Forensics Basics & History - Index