A student asked me an interesting question today, regarding what I foresee in the field of computer forensics in the coming years: 5, 10, & 50. Here's the question, my answer - and, dear reader, I’d love to hear your comments.
Mr. Burgess,
I would like to thank you again for taking the time to speak with me. I would like to ask you another question, if you don't mind; it is regarding the future challenges and/or issues in the field of computer forensics. In your expert opinion, how do you see it 5, 10, and 50 years from now? I am looking forward to your response.
My response:
An interesting question!
First, let me say that I don't have an expert opinion about the future, just a personal and educated one. In my profession, I can only really have an expert opinion about stuff I've worked on and so can't have one about the future until I get my time machine fixed!
As for 5 years from now, I see three things continuing to advance at a rapid clip:
1: Hardware - The size of storage media & memory and the speed of processors.
I expect that in 5 years, computers will come standard with 5TB or more of storage and that portable media like flash drives will carry something like 250GB of data - what the average hard drive was holding one or two years ago. In 5 years, computers will probably be 7 or 8 times faster. So these things will hold lots and lots more data and people will fill them up with lots & lots more data. Therefore, each computer forensics job will require sorting through and analyzing many times more data than today.
2: Computer Forensic Tools - The capabilities, automated nature and cost of computer forensic tools.
I expect that in 5 years, computer forensic tools will be about 5 times as fast, and twice as sophisticated. That means that even with all the additional data, the average, non-automated job will take about the same effort as it does now.
However, a lot of automated tools for collection and initial processing are starting to be released. These tools can be used by less-trained people, so it may be that data collection and preliminary processing will be faster due to automation.
I expect that the cost of computer forensic tools will not go down in relative terms. However, more Open Source forensic tools will be available for free for those willing to learn to use them.
3: Bad guys - Anti-forensics tools & schemes, sophistication of hackers
There's always a race between how harmful software and cyber-marauders can be and the defenses against them. There is also software constantly being developed to stump investigation by erasing or scrambling traces of wrongdoing. This trend will continue to accelerate and there will continue to be an uneasy balance between the two sides, with lots of collateral damage. In most cases, people will continue to forget to hide or cover all of their tracks and there will still usually be evidence to find.
Ten Years.
Ten years from now is much harder to predict.
The field itself is not too much older than that.
Everything I said for the 5-year time frame will continue to be somewhat true.
Tiny storage devices weighing an ounce will hold multiple Terabytes of data; hard drives or their replacements will hold Petabytes and both kinds of devices will be very affordable.
Computers themselves may be quite different than what we are used to, will probably understand human speech well and will probably be quite intelligent, speeding up the ability to use them.
Because computers will be so smart, the role of the computer forensics examiner may change. Testifying experts will need to have an even more sophisticated knowledge of the software/hardware/wetware interactions and may have to specialize further.
Malware may have gotten the upper hand by then, or may not have - it is very hard to say.
Fifty Years.
Just about impossible for me to say sitting where I am right now. Computers will be much smarter than humans by then. If human computer forensics experts still testify in court, they'll be computer augmented, but then again, we probably all will be.
Whatever replaces hard drives on your local device (if we have local devices) will store half a Zettabyte or more. We'll be carrying around 5 Exabytes in our pockets or dental fillings. That's if all storage isn't in the Cloud and is essentially unlimited. Although from where I sit, a Petabyte seems pretty limitless.
Fifty years from now, our adversarial legal system may not have changed much. On the other hand the capabilities of humans, computers, and hybrids of the two may be near unrecognizable, but still inevitable.
Best Regards,
Steve Burgess
The latest, which CA, Inc. calls "Win32/RansomSMS.AH," is bundled inside an application called "uFast Download Manager." CA announced the discovery on November 30, 2009. The bundled software installs itself without any input from the user and springs a message on the unsuspecting victim. The uninstaller included with the ransomware does not function. The message appears in a semi-opaque window and is in Russian. The approximate English translation reads:
Internet access is blocked due to violation of the
license agreement schedules of uFast Download Manager
You must activate your copy
Get a registration code by sending an SMS with the following
code fw0004199 to number 7122
In response you will receive an activation message.
Enter the activation message received from the SMS response ________
CA has made available an activation code that unlocks affected systems, so victims need not send the SMS.
Earlier this year Kaspersky Lab identified similar ransomware, called "Gpcode.ak". This nasty malware encrypts the user's data under a 1024-bit RSA key and demands money for the decryption tool. It adds the extension "._CRYPT" to the affected files and puts a text file named "!_READ_ME_!.txt" in the same folder as the encrypted user files. The readme file includes the following text:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********@yahoo.com
A previous version of Gpcode was released two years before. It sported 660-bit encryption. This earlier version's encryption has been cracked, but the more recent 1024-bit scheme apparently has not been. Fortunately, the "ak" version of Gpcode makes a copy of the file, encrypts the copy, then deletes the original file. Deleting a file normally removes only its directory entry and marks its sectors free; the bytes stay on disk until something else is written over them. The unencrypted but deleted originals may therefore be recoverable, provided the machine is imaged before further writes reuse that space.
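To make the recovery point concrete, here is an added example (not code from the original post, and not Gpcode itself): a toy block volume whose delete operation behaves like a real filesystem's, a stand-in XOR cipher in place of the malware's real encryption, and a header/trailer carver that ignores the directory and scans raw bytes. The sample "document" and the `%PDF-`/`%%EOF` markers are constructed for the demonstration. It shows three outcomes: the copy-encrypt-delete pattern leaves the original carvable; encrypting in place does not; and even with copy-encrypt-delete, a later write that reuses the freed blocks destroys the original.

```python
import re

BLOCK = 64  # toy block size; real volumes use 512- or 4096-byte sectors


class Volume:
    """Minimal block device plus directory. Freeing a block does not erase it,
    which is the behaviour of ordinary filesystem deletion."""

    def __init__(self, nblocks):
        self.raw = bytearray(nblocks * BLOCK)
        self.free = [True] * nblocks
        self.dir = {}  # name -> (block list, byte length)

    def write(self, name, payload):
        need = -(-len(payload) // BLOCK)  # ceiling division
        blocks = [i for i, f in enumerate(self.free) if f][:need]
        if len(blocks) < need:
            raise OSError("volume full")
        for n, b in enumerate(blocks):
            chunk = payload[n * BLOCK:(n + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.free[b] = False
        self.dir[name] = (blocks, len(payload))

    def read(self, name):
        blocks, size = self.dir[name]
        return b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)[:size]

    def delete(self, name):
        # Drop the directory entry and mark the blocks free; the bytes remain.
        for b in self.dir.pop(name)[0]:
            self.free[b] = True


def toy_encrypt(data, key=b"stand-in-key"):
    """Repeating-key XOR used only as a placeholder for the malware's cipher.
    The cipher's strength is irrelevant to whether originals survive on disk."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def ransom_copy_encrypt_delete(vol, name):
    """The Gpcode.ak pattern described above: copy, encrypt the copy, delete the original."""
    vol.write(name + "._CRYPT", toy_encrypt(vol.read(name)))
    vol.delete(name)


def ransom_encrypt_in_place(vol, name):
    """The worse-for-the-victim variant: overwrite the original's own blocks."""
    ct = toy_encrypt(vol.read(name))
    blocks, size = vol.dir.pop(name)
    for n, b in enumerate(blocks):
        chunk = ct[n * BLOCK:(n + 1) * BLOCK]
        vol.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
    vol.dir[name + "._CRYPT"] = (blocks, size)


HEADER, TRAILER = b"%PDF-", b"%%EOF"  # constructed magic values for the toy format


def carve(vol):
    """Header-to-trailer carving over the raw image, ignoring the directory."""
    pattern = re.escape(HEADER) + b".*?" + re.escape(TRAILER)
    return [m.group(0) for m in re.finditer(pattern, bytes(vol.raw), re.S)]


def demo():
    doc = b"%PDF-1.4 invoice: pay ACME 1200 USD by Friday %%EOF"  # constructed sample
    results = {}

    v = Volume(16)
    v.write("invoice.pdf", doc)
    ransom_copy_encrypt_delete(v, "invoice.pdf")
    results["copy_delete"] = doc in carve(v)          # original still on disk

    v = Volume(16)
    v.write("invoice.pdf", doc)
    ransom_encrypt_in_place(v, "invoice.pdf")
    results["in_place"] = doc in carve(v)             # nothing to carve

    v = Volume(16)
    v.write("invoice.pdf", doc)
    ransom_copy_encrypt_delete(v, "invoice.pdf")
    v.write("notes.txt", b"x" * 100)                  # later write reuses freed block 0
    results["copy_delete_then_reuse"] = doc in carve(v)
    return results


if __name__ == "__main__":
    print(demo())
```

The third case is why the first step in a ransomware response is to image the drive, not to keep using the machine: every subsequent write is a chance to overwrite the only clean copy.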
Health Net, a $15 billion health insurance company with more than six and a half million clients, somehow let data for more than 20% of that number slip from its control about six months ago - possibly in May 2009 - and only informed the government and the public about it this week.
A portable external hard disk in Health Net's Northeast HQ in Connecticut seems to have disappeared about six months ago. The company opted not to inform those potentially affected while it performed an internal review and conducted computer forensic reviews in order to find out what might have been on the missing hard drive.
What they discovered was that information including Social Security numbers, medical records and health information for about 1.5 million customers from Arizona, Connecticut, New Jersey and New York was on the drive. The data was in the form of images and was not encrypted. It went unmentioned whether the images included photographic images of clients, x-rays, or simply imaged text or other such data. The data apparently dates from 2002 to May 2009.
Connecticut's Attorney General Richard Blumenthal said, "Health Net's incomprehensible foot-dragging demonstrates shocking disregard for patients' financial security, as well as loss of their highly sensitive and confidential personal health information." AG Blumenthal and CT Insurance Commissioner Thomas Sullivan are both planning investigations into the incident and why it took so long for Health Net to come forth with the information.
Sullivan is requiring that the insurer contract for credit protection services for the affected customers. Health Net has hired Debix to provide these services for a period of two years. Health Net is now in the process of sending letters to affected customers.
It is notable that multiple articles on the subject report Health Net's spokespeople as saying that the data is "in an image format that cannot be read without special software". They do not say what special software they are referring to. The author notes that Microsoft Word documents, for instance, are also in a format that requires special software (most any word processing program) to read them. A file format is not a security control; only encrypting the drive or the data itself would have protected it from whoever now holds the disk.
Health Net's statement is here and you may read more on the story here.
While there are fairly clear rules governing electronic discovery in federal civil cases, not all states have set out such guidance in their own rules of civil procedure. Pennsylvania has come a step closer with the findings in the case of Brooks v. Fratroll.
The plaintiff bought a $37,500 classic car through a website operated by the defendant. The plaintiff alleged that the car's Vehicle Identification Number (VIN) had been forged and demanded access to a broad range of electronically stored information (ESI).
Pennsylvania civil law has little guidance on cases involving electronic evidence. The Judge in the case, Common Pleas Judge Bradford H. Charles, set forth five factors to guide decisions for ESI discovery requests. His findings will likely act as precedent in future PA civil cases.
Those five factors are:
1) The scope of the request: are the requests too broad? In this case, the court found the ESI discovery requests to be overly broad as they included all metadata, all internet queries/transmissions/website/auction sites, all deleted files and all stored files.
2) Confidentiality/privacy: are there legitimate interests in maintaining privacy? The court found that the defendant's business documents unrelated to the case and personal communications ought to be allowed to remain private.
3) History of discovery: has the producing party given an adequate response to previous discovery requests? The court found that the defendant had not been adequately responsive.
4) Costs: would the producing party's costs be inordinate? The court noted that the defendant would have to hire an expert of its own.
5) The type of case involved. This case, being a fraud case, suggested that plaintiff should have access to metadata, presumably in order to allow authentication - or demonstrate falsification - of the documents and materials produced.
Given the balance of factors in favor of and against allowing discovery requested, the judge told the plaintiff to come back with a more focused request.
You can read more about the case here.
The New York State Supreme Court has sanctioned a real estate brokerage firm, The Corcoran Group, for willfully providing misleading information to a Brooklyn couple along the way to buying a $1.3 million apartment with many defects, and then damaging and/or failing to protect email evidence.
The couple, parents of two young children, was forced to move out of the apartment when it suffered severe flooding after each rainstorm. Mold in the rec room ensued. The couple is suing Corcoran for $5 million.
The violations Corcoran, its IT Director and its lawyers were charged with included failing to stop routine document destruction, failure to produce potentially damaging electronically stored information (ESI), and failure of counsel to tell Corcoran to stop deleting relevant ESI. Adding to the malfeasance, Corcoran preserved emails that were helpful to its case while destroying those that were damaging.
The court's sanctions include an adverse inference instruction: the jury will be told that its members may reasonably conclude that "at least some of the deleted e-mails were relevant to this litigation and favorable to the Plaintiffs", and that at least one open house was canceled by the brokers due to heavy rain. The plaintiffs were also held entitled to the costs of reviewing the hard disks containing the evidence, and to the fees counsel incurred investigating the spoliation and bringing the motions for sanctions and additional discovery. Jay B. Itkowitz, of the prevailing law firm Itkowitz & Harwood, estimated these fees at about $100,000.
Manhattan Supreme Court Justice Charles E. Ramos noted that state courts in New York had not until now addressed attorney and party obligations to preserve ESI evidence, making this a landmark case for New York. The author notes that the Southern District has addressed such concerns and such guidance has made it into the Federal Rules of Civil Procedure (FRCP).
The short version: even before the case is finished, the judge awarded about $100,000 in costs to the plaintiffs and told the jury in advance what bad actors the defendants are.
The moral? Spoil electronic evidence - pay substantial consequences.