In this Help Net Security interview, Amber Schroader, CEO at Paraben Corporation, discusses the challenges that the complexity of modern computer systems and networks poses for digital evidence collection.
Schroader talks about the impact of exponential data growth on forensic practices and the role of AI in optimizing investigations, and emphasizes the need for professionals to adapt to the changing dynamics of digital investigations, along with cross-education in related fields.
How has the complexity of modern computer systems and networks affected the process of digital evidence collection and analysis?
It has become much more challenging to get into all the nooks and crannies that can exist with data. Between changing encryption and different data artifacts that are proprietary and protected, today, examiners have a lot of barriers to overcome when it comes to doing an investigation.
With the exponential growth in data volume, how do digital forensic experts manage and analyze large datasets effectively?
This is a controversial area because the original requirement in digital forensics was that you needed to do a bitstream image of all hard drive data. As drives have increased and storage has grown, this has become more and more difficult.
For example, I purchased a small storage device with 16 TB of storage. For a forensic image to be done, it needs to have an identical storage level for the image and then a similar amount to process that image, index the data, etc.
Many organizations are not collecting a full bitstream of the data initially and are doing a triage of collection of the artifacts. I see it increasingly with the focus being on the artifact data, not the full image of the data. As data continues to grow and spread the storage to multiple connected devices, the logic side of this argument will probably be the winner.
How do legal and privacy concerns impact digital forensic investigations, and what measures can be taken to address these issues?
We have not seen a negative impact now, but part of that is because the public is not as informed about their privacy rights as they could be. We have seen a new wealth of data that was not accessible before that can be added to a digital investigation. The difference is that the data collected is done through the party’s consent and data collection from compliance sources.
Compliance sources are data gathered through a request to a provider company for a copy of all your data. These can be ingested into a forensic workflow as an additional data source. This data can be hugely valuable because it is not affected by a local storage device like it would be coming from something like a smartphone. What is most important for everyone to realize is that the data in any digital forensic investigation is designed to prove innocence or guilt, so likely the more there is, the better.
Can you discuss the role of AI in transforming digital forensics and its potential future applications?
With digital forensics, I don’t believe that AI will replace the need for an examiner, but we see what it can do to optimize the investigative process. A perfect example is the growing amount of data involved in an investigation.
It can be overwhelming to a person to think of sifting through terabytes of data. However, once you optimize those data sources, working with an AI can be like having a peer review of sorts so you can validate and look for additional findings by using some of the powers built into the AI engines.
What future trends do you foresee in digital forensics, and how should professionals prepare for these changes?
There are a few trends that everyone should keep an eye on. The first is the spread of the data, changing from being from computer to smartphone and expanding out to cloud and IoT. With the changes we have seen over the last couple of years and the rise of AI, I see a lot of data shifting as to its storage location. The cross-sharing of app data and just data, in general, has been streamlined, and our investigative scope is changing as well. With the privacy change you mentioned, access to this information will also change. This is a key area to keep an eye out for and ensure new technologies are incorporated into labs to deal with it.
The second is the general shift of digital forensics to be more digital investigations, with it touching closer and closer to neighboring fields. With DFIR and OSINT close neighboring fields, the data needed and the level of perspective from the data sources come much closer than before. This is where there is a greater need for cross-education and a combination of workflows to ensure the most extensive scope and perspective on the data is available with each investigation.