It is not the tool, but the examiner that does the forensics.

Sep 20, 2022

I made a meme.

I tweeted a simple meme and it created good discussion in which I gained more than expected by reading the perspectives of so many. The civility in the thread was awesome, which I attribute to cool people in this cool DFIR field.



The point of the meme

The intended point of the meme was only to show that “Examiners make the decisions on what is evidence and what is not evidence. Software is just a tool used in the process of conducting forensics.”

Software is a tool and tools are important (instrumental!)

I was not implying that software is unimportant or not as important as putting human eyes on data. I know that it is quite the opposite.

Software is the only way that forensics can be done.

Software presents data in a readable format.

Software can be used at scale in taking massive amounts of data, culling unnecessary data, and presenting only the potentially relevant data that an examiner needs for analysis.

But with that….

Software doesn’t testify.

Software cannot testify even if it wanted to (at least not yet!).

Software can’t be cross-examined either.

A ‘forensic’ analysis technically is for courts. But a forensic process (the same processes used in legal cases) can be used outside of legal cases. Since any electronic data analysis could become part of a legal case, having the same processes and procedures ensures evidence will be preserved for admissibility in court.

So, in effect, “I did a forensic analysis” means that guidelines, processes, and procedures were followed that meet or exceed court evidence admissibility rules. Until AI is developed to the point of acting 100% on its own, “you” are the one doing forensics by using the software.

forensic – Cornell Law School

Forensic means used in or suitable to courts of justice. The term comes from the Latin forensis, meaning “public” and forum, meaning “court.”

Forensic may also refer to something of, relating to, or involving the scientific methods used for investigating crimes. This is also sometimes termed forensic science. -Cornell Law School

forensic – Merriam-Webster

1: belonging to, used in, or suitable to courts of judicature or to public discussion and debate


3: relating to or dealing with the application of scientific knowledge to legal problems


The point

It is not the tool. It is not the data. It is not the certifications. It is not the degree. It is not the organization. It is the PERSON that does the analysis that makes all the difference.

The person (analyst) chooses one or many of multiple forensic tools to do forensics. The analyst drives the investigative direction, follows clues and leads, corroborates evidence, makes inferences, and connects the dots to paint a picture of what happened.

My intention with the meme was to let you know that:

--You can become a top forensic analyst.

--You don’t need “elite” schools or training.

--You need to learn the trade and employ the right tools.

--It is you that works a case using tools, and not the tools that work a case.

