“Digital forensics is at a time of crisis and a time of opportunity.”
This remark from Eoghan Casey, lead cybersecurity engineer at the MITRE Corp., highlighted the overarching themes presented at the first day of the National Institute of Standards and Technology forensics conference Wednesday.
Throughout the morning, a number of NIST scientists, engineers and program managers poured over the ways the agency is helping law enforcement enhance investigations tied to recovering data from digital devices or improving the accuracy of biometrics.
One of the biggest tools NIST offers law enforcement is a vast library of computer software that allows experts to identify computer files by name, size, manufacturer and cryptologic hashes. Known as the
National Software Reference Library, the database has information on a massive amount of software, ranging from mainstream operating systems and Web browsers like Microsoft Windows and Google Chrome to enterprise software from IBM and Oracle and classic PC games like Wolfenstein 3D and Duke Nukem Forever.
Doug White, a computer scientist at NIST, explained how this library serves as a way for investigators to identify software on damaged or compromised machines or figure out if it has been manipulated in some way.
“While you can’t reproduce a file from its mathematical fingerprint, it can be used for identification purposes,” White said.
White highlighted a number of advancements NIST has been making to NSRL, including the addition of “download-only” software, such as mobile apps, into the library. He also highlighted the virtual machine layer built into the next generation of NSRL, which allows researchers to bolster their library with data by investigating the forensics of the entire software lifecycle.
“We can take all disk images and media images that are in the virtual library and spin them up on virtual machines,” White said. “Any particular operating system or disk image, any particular piece of software, we can then publish the data about the files that we find.”
While NIST has a massive library to use when dealing with computer forensics, it is constantly evolving with the proliferation of mobile devices. When law enforcement is tasked with investigating a mobile device, there is a growing number of operating systems, memory additions and content variations that need to be accounted for. And that’s only if the contents of the device can be accessed.
In order to establish the best way for law enforcement to handle mobile device investigations, NIST recently
produced a guide that outlines procedures for the validation, preservation, acquisition, examination, analysis and reporting of digital information.
Rick Ayers, a computer forensic scientist at NIST, described a number of ways mobile forensics investigations are challenging and what direction the guide can offer.
“What do you do when you find a phone in caustic material? What do you do if you find it in a toilet?” Ayers said. “If you are trying to get mobile device back to the laboratory and you are not going to do the on-site process, if you remove that battery, you could activate the deactivation device.”
In addition to the guide, Ayers said NIST’s
Computer Forensics Tool Testing team would be examining a number of mobile forensics tools in the coming months that will help investigators work with 20 different devices across GSM and CDMA networks.
While a good portion of the talks were dedicated to digital forensics, NIST scientists also highlighted technological advancements in human forensics, particularly biometrics. Elham Tabassi, an electrical engineer at NIST, gave an overview of the agency’s
Statistical Friction Ridge Analysis program, which aims to develop a measure of the uncertainty related to fingerprint analysis.
While fingerprints are often used as evidence in cases, lawyers and law experts have been questioning forensic examiner’s bias for years. A
paper produced by NIST discusses some of these questions surrounding human error, including how an examiner’s decision can be affected by the level of expertise, bias after exposure to additional information of the case, or workload that hampers focus and attention to detail. Tabassi outlined how these errors can have huge implications, using the example of Brandon Mayfield, an American lawyer who was erroneously linked to the 2004 bombing of a Madrid train station due to a fingerprint misidentification.
The resulting work from the program will be used to create universal vocabulary for explaining fingerprint analysis uncertainty in court as well as further research into better biometric discoveries.
For more information on the conference, visit NIST’s