What's the Future of Computer Forensics?
A student asked me an interesting question today, regarding what I foresee in the field of computer forensics in the coming years: 5, 10, & 50. Here's the question, my answer - and, dear reader, I’d love to hear your comments.
Mr. Burgess,
I would like to thank you again for taking the time to speak with me. I would like to ask you another question, if you don't mind; it is regarding the future challenges and/or issues in the field of computer forensics. In your expert opinion, how do you see it 5, 10, and 50 years from now? I am looking forward to your response.
My response:
An interesting question!
First, let me say that I don't have an expert opinion about the future, just a personal and educated one. In my profession, I can only really have an expert opinion about stuff I've worked on and so can't have one about the future until I get my time machine fixed!
As for 5 years from now, I see three things continuing to advance at a rapid clip:
1: Hardware - The size of storage media & memory and the speed of processors.
I expect that in 5 years, computers will come standard with 5TB or more of storage and that portable media like flash drives will carry something like 250GB of data - what the average hard drive was holding one or two years ago. In 5 years, computers will probably be 7 or 8 times faster. So these things will hold lots and lots more data and people will fill them up with lots & lots more data. Therefore, each computer forensics job will require sorting through and analyzing many times more data than today.
2: Computer Forensic Tools - The capabilities, automated nature and cost of computer forensic tools.
I expect that in 5 years, computer forensic tools will be about 5 times as fast, and twice as sophisticated. That means that even with all the additional data, the average, non-automated job will take about the same effort as it does now.
However, a lot of automated tools for collection and initial processing are starting to be released. These tools can be used by less-trained people, so it may be that data collection and preliminary processing will be faster due to automation.
I expect that the cost of computer forensic tools will not go down in relative terms. However, more Open Source forensic tools will be available for free for those willing to learn to use them.
3: Bad guys - Anti-forensics tools & schemes, sophistication of hackers
There's always a race between how harmful software and cyber-marauders can be and the defenses against them. There is also software constantly being developed to stump investigation by erasing or scrambling traces of wrongdoing. This trend will continue to accelerate and there will continue to be an uneasy balance between the two sides, with lots of collateral damage. In most cases, people will continue to forget to hide or cover all of their tracks and there will still usually be evidence to find.
Ten Years.
Ten years from now is much harder to predict.
The field itself is not too much older than that.
Everything I said for the 5-year time frame will continue to be somewhat true.
Tiny storage devices weighing an ounce will hold multiple Terabytes of data; hard drives or their replacements will hold Petabytes and both kinds of devices will be very affordable.
Computers themselves may be quite different than what we are used to, will probably understand human speech well and will probably be quite intelligent, speeding up the ability to use them.
Because computers will be so smart, the role of the computer forensics examiner may change. Testifying experts will need to have an even more sophisticated knowledge of the software/hardware/wetware interactions and may have to specialize further.
Malware may have gotten the upper hand by then, or may not have - it is very hard to say.
Fifty Years.
Just about impossible for me to say sitting where I am right now. Computers will be much smarter than humans by then. If human computer forensics experts still testify in court, they'll be computer augmented, but then again, we probably all will be.
Whatever replaces hard drives on your local device (if we have local devices) will store half a Zettabyte or more. We'll be carrying around 5 Exabytes in our pockets or dental fillings. That's if all storage isn't in the Cloud and is essentially unlimited. Although from where I sit, a Petabyte seems pretty limitless.
Fifty years from now, our adversarial legal system may not have changed much. On the other hand the capabilities of humans, computers, and hybrids of the two may be near unrecognizable, but still inevitable.
Best Regards,
Steve Burgess


Great article, Steve! I agree with most of what you said, but I don't agree with people having all that much more data. Sure, storage sizes will be enormous, but how many emails are people going to get over the time they keep the same computer? After all, people will hold on to their hardware for the same amount of time. That, to me, translates into about the same, maybe more data. If there is a big jump in the amount of data stored, I think it'll be mostly non-useful files (depending upon what you're looking for, of course) like movies, music, and pictures.
Huge caches of pictures and videos are, of course, a big deal in child exploitation investigations. I think a pretty compelling argument can be made that it isn't necessary to view each and every image/video because there's no greater penalty if you have, say, 1,000 images versus 1 million or 1 trillion images. (That being said, at the US federal level there are some charging decisions affected by the number of images, but again, the practicality of looking at a million or trillion images, documenting each, submitting each as evidence verges on the ridiculous.)
That's my two cents. Thanks again for the article. What do you see happening as far as computer forensics firms merging with e-discovery? Will there be happy marriages or will the two co-exist/compete?
Thanks!
Monique Ferraro
Monique, thanks for your thoughtful comments!
Regarding people having more data:
It doesn't make that much sense that people would have more data just because they have bigger hard drives, it's true. However, I've been doing data recoveries for 25 years and it seems that it is true. The average hard drive I see has gone from 10MB to 100GB, and over all that time, they seem to usually be from 1/2 to 2/3 full. Like people's spending seems to expand to fit their incomes, people's data seems to expand to fit their storage. A lot of it's photos & music. A lot of the photos could be actionable evidence. Not so much the music unless you are the RIAA or its ilk.
I agree with you that a million images don't need to be closely examined when a couple hundred will do. My concern is how effective antiforensics (or privacy) tools may become with ridding a person's computer of them.
Whether computer forensics firms and e-discovery firms merge is a question of great personal interest to me. I suppose it depends on how a company looks at its business model. A company may decide that its core competency is storage and documentation vs investigation. From this perspective, they're two very different business models and we'd expect to see more collaborations than mergers.
On the other hand, if a firm looks at the model as litigation support, it might be more likely to want to do both. I know e-discovery companies that dabble with computer forensics, and of course computer forensics involves more than a little e-discovery. I think we'll have a mix of both types of firms - one-stop shops and collaborating but divergent companies in each field.