Home > Computer forensics > Fragmentation of the digital forensics community

Fragmentation of the digital forensics community

I started in the digital forensics community about five years ago, and I already feel old, and I am a Johnny-come-lately. This post may come off as a “Hey, you kids, get offa my lawn!” rant. Rather than a rant, I really hope that people start talking about a way to find a small number of safe lawns for all the kids to play on.

In those five years I’ve noticed that the computer forensics community has become *less* supportive, not more supportive. This runs contrary to trends to other communities such as software engineering tools, web frameworks, and startups. I have some feelings and thoughts on why this is. I wish I had some good ideas on how to turn this trend around.

I think there are four major problems:

1) Fragmentation of the sites supporting the community.

When I showed up, there was Forensic Focus, the CCE list, and HTCIA. (And other people probably had their three or four sources that don’t overlap with mine.) Now, I’ve got Forensic Focus, CCE, HTCIA, HTCC, DFCB, wn4n6s, and a host of OS and tool specific sites. Then there is LinkedIn, with an almost one to one mapping of all the external groups, plus subgroups, plus additional new groups not represented elsewhere.It seems that everyone wants their own lawn to play on rather than contributing to the health of an existing lawn. How often have you seen a post along the lines of “Hey, I set up a new forensics wiki! Come check it out and help it grow!” Or found yet another computer forensics LinkedIn group?

This leads to two related problems: Where do you post, and where do you go looking for information? I belong to a lot of the mailing lists and use my personal mail archive as a research tool when I have questions, but that doesn’t reach into the various web based forums. And if I want to post a question, where does it go? Some people blast every mailing list they’re on, hoping for an answer. And the more we balkanize, the more likely those questions are to go unanswered.

I still use FF and the CCE list mostly, but then there are items #2 an #3.

2) Web of trust.

When I joined the CCE list with certification #832. There’s no way I’d ever meet all 832 people, but by proxy, we knew of most people on the list. It was a small, tight community. Forensic Focus was similar – it was a place where we had a pretty good sense of most of the people posting, and most of the new people took some time to get up to speed on the community.I don’t know how many CCEs there are on the list now, but it seems that I  know fewer of the people who are posting now that I did two years ago. People I used to see regularly on Forensic Focus are rarely seen, often replaced by very new people who are unfamiliar with the community. Many of these new posters seems to be looking for a solution to some university project. There are now people on the HTCC  list posting anonymously.

3) Archiving, auditing, and reach of social media.

The growth in the number of forums, and the number of participants in those forums, greatly increases the number of potential employers, detractors, auditors, etc. Five years ago I felt pretty comfortable about asking stupid questions on the CCE list (a closed list) and even on Forensic Focus. Now, I’m very reluctant to ask anything that might display a lack of knowledge in an area where I am an expert.

We all know that none of us knows everything, and we’re all better for the support and feedback of our community. But when those questions can be spun, taken out of context, or turned back on us in some way, it makes us wonder if the potential downsides are worth it. Since there are almost always other people with the same question who aren’t speaking up, our failure to ask those questions means the entire community is worse off for these questions not being asked.

4) Pointing out that the Emperor might not be wearing any clothes is discouraged, actively and passively.

Some of this is due to “there but for the grace of God go I”, some  due to over sensitivity to political correctness, some due to fear of legal action, and some due to fear of getting dragged into the mud. (“Never wrestle with a pig: You both get all dirty, and the pig likes it.)The end result is that bad information lingers in the community, bad behavior persists, and people get fed up and move on to other places to invest their time and energy. And once you lose people, getting them to come back is often very hard.

I know I’ve become far more of a content consumer than generator over the last few years, though I still go through bouts of trying to contribute. My solution was to grow a small group of people I can trust to bounce ideas off of and I’ll turn to them rather than the larger community.

I am poorer for this fragmentation, and if you aggregate the loss of many people such as myself, the community is poorer as well.

About these ads
Categories: Computer forensics
  1. Alan R. Vance
    March 28, 2011 at 10:09 am | #1

    I have to agree with the writer on numerous, if not all points. I ventured into the forensic world back in the very early 1990s, when only the Air Force OSI was doing any form of data recovery in pursuit of a case. We (the Army) decided we needed a similar program and created it.

    Now as digital forensic tools are becoming more and more commonplace, the original concept of apply digital means as an “asset” to an investigation became the primary way to do things. The old “Sit back and theorize what you have and what is going on” was replaced by “push-button” investigations and forensics.

    I predicted years ago, and still stand by it, that within a few short years, the age of the “cloak and dagger” spy will find the “Good Guys” wearing virtual goggles and digital tracking, while the “Bad Guys” will be reverting to the old standard ways, because the new generation won’t have a clue about how it is being done. They are too used to hooking up the media and pushing a button and “ding” out pops their evidence.

    Just as clothing styles do a full circle around and come back, espionage and crime will do the same because it isn’t expected. A phrase I use in the classes I give is, “Expect, the unexpected.”

    My 2 cents worth. :-)

  2. Amber Schroader
    March 28, 2011 at 12:13 pm | #2

    Thank you for pointing out and saying something when so many remain silent. It has become a witch hunt to actually help people anymore. I quit answering any of the lists and helping people because all I got in return was “mud”. I am sad because I have always believed in what we do and in doing the right thing, and attitudes have made it so those are not the popular opinion anymore and it can cost you a career to do either.

  3. Phil Rodokanakis
    March 28, 2011 at 1:04 pm | #3

    And the points raised in this post don’t take into account the fragmentation that was caused since eDiscovery became a big business. Even the big company which made their name developing forensic software, like Guidance and AD, are now viewing eDiscovery as their main market. I think it’s only going to get worse…

  4. Michael Harrington
    March 28, 2011 at 1:54 pm | #4

    I think Ms. Shroader said it best -”It has become a witch hunt to.” I stopped posting because I have been hunted and have been attacked. I have seen the lists turn from helpful information repositories to places where people lurk to further their own businesses, degrees and sad ends.

    I applaud your candor and courage in posting this. However the cynic in me says, it won’t one whit of difference.

  5. Andy Spruill
    March 28, 2011 at 5:00 pm | #5

    Hey Dave,

    Thanks for writing such a thought provoking article. Like some of the others who have responded, I too have pretty much stopped responding on listserv’s and mass groups. Invariably all it would lead to was snide comments and totally off-topic rants. Why? Because I had the audacity to put “Guidance Software” next to my name. Instead, I now share my experiences DIRECTLY with those who are willing and want to listen. I teach at a local state university, I travel around the country and speak at seminars and conferences, and I cautiously use Linked-In groups where I pretty much know everyone. I have found this to be far more beneficial to those looking for help, mainly due to the “face to face” nature of the dialouge, and more rewarding to myself as often I learn from this type of exchange as well.

    Anyway, you got my number Dave… don’t be afraid to call. ;-)

    Andy

  6. msvetlik
    March 28, 2011 at 10:10 pm | #6

    Yes, nice and provoking. But “fragmentation” is real state of current development in tis area. Digital forensic becomes popular, it IS important, too many people is involved in it – that is why it is fragmented, I think. That is why “culture” of involved people is -kindly- “strange” (but the same as in general population…).
    My experience in digital forensic development is here (http://msvetlik.wordpress.com/2011/03/28/is-there-a-chaos-in-digital-forensic/) – similar to yours, I think.

    Nice!
    Marian

  7. March 28, 2011 at 10:40 pm | #7

    Dave,

    Great post. I’ve seen it referenced quite a bit since you posted it, and one thing I’m seeing is…well…fragmentation. On the one hand, there are those who seem to be following what you’re saying; those such as Amber, et al. I have to say, I agree with what you, and others who have commented, have said.

    I also agree with your “Emperor” reference. Too many times, something will get posted without being “questioned”…and by that, I don’t mean flamed. I mean, no critical thought is put into comments and responses. Consider that the person who wrote the post has different experiences and background, and perhaps sees a different segment of “the business” due to the business model or practice under which they work.

    I’ve seen a good deal of the “fragmentation” to which you’re referring. Too many go to the popular lists looking for the easy answer, one that doesn’t require critical thinking or examination, one that only requires the press of a button, and “if you’re not going to simply give me what I want, then just go away, thank you very much”. There are those who, for various reasons, continue to explore and discuss, but do so now in much smaller, retracted communities.

    And then there are those who seem to think that the “fragmentation” you’re referring to is about e-discovery vs forensics vs IR. Correct me if I’m wrong, but I didn’t see your comments referring to specialization (or “specialisms”) in the field.

    • msvetlik
      March 28, 2011 at 10:56 pm | #8

      And then there are those who seem to think that the “fragmentation” you’re referring to is about e-discovery vs forensics vs IR. Correct me if I’m wrong, but I didn’t see your comments referring to specialization (or “specialisms”) in the field.

      There are variouse “fragmentations” – as minimum as social and professional… Socoial, because a lot of people is involved in (various specifics of) digital forensics. This brings variouse “culture” of people involved.
      Professional, because digital forensic is now extremely wide area (DF, IR, e-Discovery, more, disk analysis, network analysis, live forensic, mobile forensic, ….)

      • March 29, 2011 at 12:41 am | #9

        msvetlik,

        Yes, thank you, I’m aware of that…what I was trying to get was what David had intended, not what others assumed he’d intended…

    • March 28, 2011 at 10:58 pm | #10

      Harlan,

      Thank you for your insight and contribution on this thread. You’re quite correct, I wasn’t referring to specialization. In fact, I’d argue that the similarities between IR, ediscovery, and forensics are in some ways greater than the differences. They share a common foundation, and also common goals. Practitioners in one area have much to learn from practitioners in other areas. The specializations will benefit from cross-pollination and the practitioners skill set and knowledge base will expand, increasing their capabilities and marketability.

      -David

  8. March 29, 2011 at 12:40 am | #11

    Dave,

    integriography :
    Harlan,
    Thank you for your insight and contribution on this thread. You’re quite correct, I wasn’t referring to specialization.
    -David

    Thanks for the clarification. Kind of funny how the discussion of “fragmentation” itself led to fragmentation, of sorts…

    Again, thoughtful and insightful post. Keep ‘em coming!

  9. Matt Ruddell
    March 29, 2011 at 1:24 pm | #12

    Wonderful and insightful post sir. I like you ventured into this field about five years ago and have seen very disturbing changes in that relatively short time. I can only really comment on my own situation which is terribly frustrating…

    As an analyst in a crime lab doing digital forensics my case load has increased exponentially. Hard drives are bigger, people have more electronic devices which can be analyzed, and our laboratory resources are less (including but not limited to pay). This leads me to have choices to make: Do I complete my required case work with the knowledge and tools I currently possess, or do I wade through the list-serves and forums for that one little piece of information which may make me a better analyst? Do I finish up that six month old case or learn/test/validate this new cool tool? I have not the time or resources to do both.

    I have no idea how to fix this, but I know it is a real problem. The list serves and forums used to be much more helpful, with real insight and tools and techniques that have been tested and validated (with results included in the posts). Even after almost five years I still feel like a newbie in some respects…

  10. F. McClain
    March 30, 2011 at 5:47 pm | #13

    Thanks for the thoughtful post. I am a relative newcomer to forensics as well, but I’ve seen the same thing play out in the online world of security. I think it is virtually inevitable, and probably a direct result of human nature.

    I have been involved for many years with a security forum; first to get some assistance, then to provide assistance to others, and finally as a moderator. Over the last couple of years, it seems more and more that moderators’ primary role is to stop flame wars; where previously it was provide guidance, smooth ruffled feathers, and generally help and support the community.

    Over the same time frame I’ve seen the same sort of development on other security forums. I think you’re absolutely right, that as new blood joins the community, the community dynamic changes. As forensics becomes more mainstream, there is probably more of a likelihood for negativity. Certainly with more forensicators, there’s more competition for jobs and so on, people feel the need to stand out or make a name for themselves, and thus posts tend to take on a “look at me and how wonderful I am” flavor.

    I think one thing that may differentiate forensics from other venues is the fact that we work in the legal world. It’s not just about looking foolish … If we post (or answer) a question, there is a possibility that some ‘gun for hire’ on the other side of a case may see and attempt to use that against us. And we all know such individuals exist and walk the same streets we do.

    Thanks again (for the post and the blog),

    Frank

  11. April 2, 2011 at 3:10 am | #14

    Thoughtful article, Dave.

    I attribute some of the splintering and fracturing to a coupla things:

    1. We really have no common, agreed-upon standards, training, or professional concepts and guidelines in this industry. I have been doing computer forensics since 1991, when we had no EnCase or FTK, but did all our forensics at a DOS prompt. I have seen lots of change, as many of you have, but we still have not gotten our act together as a profession. So everyone promotes their own piece of the pie, their niche, their notion of what is proper, state-of-the-art, legally acceptable, and professionally palatable.

    2. You see so many blogs and websites and listservs and organizations because everyone is trying to make a living, and no one out there is hiring each of us. We all have to make our own way. Which means we must aggressively promote our own approach or brand or solution – Hire me, I live wherever, I am as near as USPS, FEDEX, or UPS. I have a business that needs regular injections of funding, and a family that must be fed. I am as good or better than the next guy you are thinking of hiring.

    3. We do meet at conferences and train together, communicate and network, but in a profession where we have lots of solo practitioners, corporate examiners, law enforcement and governmental examiners, and contractors, we are all so different and so tainted, if you will, by our own experience. One person’s ideal solution is anathema to the way the others do business. So we lock our intellectual horns and contest for the turf of ultimate wisdom in the field of computer forensics. We have to meet each other in court on opposite sides, there offering our differing interpretations of the very same evidence we both have found, each being intellectually honest, but seeing things differently.

    So, fractured and splintered? Yes. It has always been; will always be.

    Having said all this, we have much we can point to as common ground, and ways we can solidify our profession so that we reach a more stable, even playing field with greater cooperation, sharing, and common understanding.

    Shall we go there, group?

    Regards…Dave…

  12. Marian
    April 4, 2011 at 6:15 am | #15

    Dave Pettinari :
    1. We really have no common, agreed-upon standards, training, or professional concepts and guidelines in this industry…
    2. …we must aggressively promote our own approach or brand or solution – Hire me, I live wherever, I am as near as USPS, FEDEX, or UPS. I have a business that needs regular injections of funding, and a family that must be fed. I am as good or better than the next guy you are thinking of hiring.
    3. … One person’s ideal solution is anathema to the way the others do business. So we lock our intellectual horns and contest for the turf of ultimate wisdom in the field of computer forensics. We have to meet each other in court on opposite sides, there offering our differing interpretations of the very same evidence we both have found, each being intellectually honest, but seeing things differently.
    So, fractured and splintered? Yes. It has always been; will always be…
    Having said all this, we have much we can point to as common ground, and ways we can solidify our profession so that we reach a more stable, even playing field with greater cooperation, sharing, and common understanding.
    Shall we go there, group?
    Regards…Dave…

    I fully agree with Dave. Two crucial point were said:
    1. What we lack is a reliable scientific basis, serious scientific knowledge and the definition of the basics of digital forensic science.
    2. Digital forensic changed from “mission” to business with all positives and negatives of it.

    We have much we can point as common ground… Yes, I agree, Dave!

    Marian Svetlik

  13. July 28, 2011 at 10:16 pm | #16

    The community of F3 (www.f3.org.uk) (not mentioned) has tried, and in part has succeeded, to keep those passionate about sharing digital forensics knowledge together, as a community, despite the exponential growth of the industry in recent years.

    Several of the committee have no direct professional gain by their involvement in F3 – they try to help people to try and reduce the number of occasions where criminals use digital technology successfully to commit and offence.

    I tried hard to get the F3 site to act as a hub of digital forensics knowledge, but unfortunately our website came too late (2005) when the fragmantation you speak of had already largely taken hold, and other forum sites had by then taken off.

    F3 remains committed though to the aim of having good guys and girls sharing what they know. Not for financial reward but for the good of sharing.

  1. March 28, 2011 at 9:47 pm | #1
  2. February 9, 2012 at 3:20 pm | #2
  3. April 3, 2012 at 1:54 am | #3

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 35 other followers

%d bloggers like this: