John McHugh

Forensic Science for Computer Security: Dream, Wish, or Reality?
 
The simple definition of "forensic" [1] is 1) "relating to the use of scientific knowledge or methods in solving crimes" and 2) "relating to, used in, or suitable to a court of law." The definition emphasizes three aspects of a problem that can be seen as in tension, not only with each other, but with the ways in which the computer security research community in particular (and the broader computer science community in general) operates. Despite the efforts in recent years to make computer security research "more scientific," it is difficult to point to a body of "scientific knowledge or methods" that is generally acknowledged and accepted by the computer security community, much less a body that is generally accepted as suitable for use in solving crimes. The second part of the definition introduces additional complications. The rules regarding evidence suitable for use in a court of law have evolved over the centuries, primarily in connection with physical evidence collected in connection with a crime. In some cases, e.g. physical disk drives removed from a suspect's machine, these rules are appropriate. In other cases, the evidence is mutable, captured at a distance from the crime scene of interest, easily fabricated, and difficult to support with adequate provenance and chain-of-custody arguments. Coupled with the facts that relatively few computer scientists have any training in the law, and even fewer judges, lawyers, and other members of the legal profession have any training in any form of science, much less computer science, the system is fraught with peril.
 
Computer security is not the only discipline in this situation. A 2009 study [2] by the National Academy of Sciences points out the general lack of science in the area known as Forensic Science. The report examines a number of traditional forensics areas, ranging from DNA analysis, which has a well-established scientific basis, to fingerprint analysis, which has experts with great certainty but little in the way of an experimental scientific basis, to other established areas such as toolmark and firearms identification, fiber and hair analysis, etc., most of which lack adequate scientific underpinnings. Digital evidence is discussed, mostly in terms of evidence from seized machines, but the capture of live evidence, i.e. from network monitoring and traffic analysis, is ignored. As a consequence of this report, NIST has recently funded significant research efforts in the forensics area.
 
In this talk, I will address some of the issues that confront the computer security community in developing effective forensic approaches that produce evidence meeting the needs identified by the NAS. While I cannot claim expertise as a forensics practitioner, I have been involved on the periphery of forensic efforts throughout my career and many of my experiences have provided insights into the issues at hand. The primary objective of the talk is to set the tone for the rest of the workshop and to help produce a mindset that will encourage useful progress.
 
1. http://www.merriam-webster.com/dictionary/forensic
2. Strengthening Forensic Science in the United States: A Path Forward, http://nap.edu/12589

Keynote Speaker Bio:
Dr. John McHugh is the Chief Analyst and Senior Principal at RedJack LLC, a network data analysis and security consulting company, and is an Adjunct Professor of Computer Science at UNC. Before joining RedJack, he was a Canada Research Chair in Privacy and Security at Dalhousie University in Halifax, NS, and, earlier, a senior member of the technical staff with the CERT Situational Awareness Team, where he did research in survivability, network security, and intrusion detection. Recently, he has been involved in the analysis of large-scale network flow data using visual analytic techniques and has developed tools for characterizing host and network behavior. Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has an MS degree in computer science from the University of Maryland, and a BS degree in physics from Duke University.