Through the Looking Glass

As a person who lives and breathes technology, it is often difficult to gain perspective into the world outside of the field.  I’m sure that most of you would agree when I say that it’s very easy to forget that we geeks live in a world of our own.

Unfortunately, a large portion of the professional world is still filled with technophobes and Luddites.  When talking with these people, it is not uncommon to be accused of using “geek-speak” or “techno-babble”.  I’ve seen this so often that I’ve lost track of the number of times where I got the “deer in the headlights” look halfway through a conversation.

However, on the flip side, you’ll find that I myself am equally unforgiving on various topics.  If someone comes up to me and starts to spout off some nonsense on the finer points of HKSAR Ordinance Chapter 308 Sec 4, you’ll quickly see my eyes glaze over with a glob of drool slowly crawling out of the corner of my mouth.

So what happens when you gather up a bunch of businessmen, I.T. professionals and lawyers in a conference for two days to talk about computer forensics and e-discovery?

The results are nothing, if not interesting…

Before I go on, I would first like to encourage anyone who is a student to try to sneak into these conferences for free (as I did). It’s definitely an eye-opening experience.

As a student (or even a professional), I wouldn’t pay a dime to go to a conference like this.  Contrary to popular belief, these conferences are not there for you to learn.  In fact, these kinds of conferences are really only good for a) advertising, b) ego-stroking, c) networking, and d) okay, maybe you learn a little, but what can you possibly learn in two days with items a), b) and c) in the way?

When you go to a conference like this, you’ll first notice a large poster where half of the actual poster space is filled with the sponsors’ names.  Well, aside from the poster space, these companies shell out insane amounts of money so that they can arrange for one of their representatives to speak as one of the conference’s “distinguished speakers”.

Now, as a “distinguished speaker” representing a large multinational corporation who is attempting to sell a seemingly amazing product to your large multinational corporation, do you seriously think he’s going to tell you everything there is to know about computer forensics and e-discovery?

Absolutely not.

He’s going to dance around the subject, complain about the difficulties in management, data appropriation, etc. etc.  He’ll gently fill in the blanks by telling you that, coincidentally, Company A is perfectly suited for the job.

Geez, well there goes 50% of the talks.

As for the networking opportunities, it definitely helps to be a student in a situation like this.  As a student, your profession is purely non-confrontational.  You’re neither a potential competitor nor a potential client, so anyone who talks to you will instantly let their guard down (that, or they’ll outright ignore you, but that only happened when I was talking to a sponsor).

As a student, you’ll also act as a great conversational centerpiece.  It’s highly unusual for students to attend expensive and meaningless conferences such as these, so you’ll get lots of questions and get some conversation going.

Plus, you’re there to learn, right?

Well, learn I did, but not a lot about the topics that were advertised.

The conference material itself wasn’t necessarily groundbreaking.  The legal topics were too technical for my tastes (but not technical enough for the lawyers), and the geek topics were too shallow (and yet still snore-inducing for the entire room, so I guess you could say that we were united on that front).

All was not lost, however, as I was able to reach certain revelations while I sat through the various talks.  First,

Computer Forensics Is Essentially Useless (if used against geeks)

Okay, maybe “useless” is a strong term; but judging from the methods described in the various talks, anyone who is even slightly competent with a computer could bypass their “analysis”.

So, let’s look at the tools and tricks of the trade.

If it’s an online web attack, they’ll have various resources at their disposal (even more if they’re the police) to track down the origin of the attack.  But any criminally minded person can hide their traffic behind proxies or an onion-routing network like Tor.

Okay, so let’s look beyond that possibility and look at the person’s computer.  Well, what most computer forensics professionals do is grab the entire hard disk and make a bit-for-bit forensic image of the whole drive.  That way, they can check for incriminating files, browsing history, e-mails (which are a big deal, apparently) and IMs.

Well, the criminally inclined would first put full-disk encryption on the drive, so there goes any chance of pulling data off it (at least once the machine is powered off; while it is running, the key sits in RAM, which is exactly why examiners prefer to image a live box).

All modern browsers (Chrome, Firefox 3.5, and IE 8) have private browsing modes where nothing is saved onto disk.  I know for a fact that Firefox 3.5’s Private Browsing mode will force all data to exist in memory only.  Nothing is written to disk.

As for deletions, well, there are many programs out there that will do “full” (overwriting) deletions of files.  Or, when in doubt, just boot a disk wiper and autonuke the whole drive.

And then there’s the problem of platform.  A lot of the computer forensics professionals out there use “EnCase”, a.k.a. Computer Forensics for Dumb-Dumbs.  The problem with that is that it’s Windows-only.  Use a Mac or a *nix box and they’ll be scared shitless.

Then there’s also the fact that EnCase is a closed-source program.  Over time, it has become an essential forensics tool for discovering evidence in court cases.  However, because it’s closed-source, there is no way for an outside party to audit whether the program actually does what it claims, or whether it’s just generating random data.  Similar arguments have been used in the United States against breathalyzers in DUI cases.

And finally, the conference speakers were actively promoting the idea of using MD5 hash values as the essential verifier of data integrity when performing on-site data copying and analysis.  This didn’t jibe with me very well, as I seemed to recall various hacks involving MD5 collisions.  A quick wiki search on the subject revealed that the problems with MD5 hashing are considerable: it is practical to construct two different inputs with the same MD5 hash, which is exactly the property an integrity check is supposed to rule out.
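The practical caveat on the MD5 point is this: what is broken is collision resistance (an attacker who prepares two inputs together can make them share an MD5 hash), while finding a second input that matches the hash of an image you already took is still not known to be feasible.  The cheap defence, and what an acquisition record should contain anyway, is more than one digest, so that a suspect would have to collide every algorithm at once.  The following is an added example, not code from the original post or from any forensics product: it hashes an image in one pass with several algorithms and verifies a recorded set of digests, treating a mismatch in any one of them as a failure.  The sample “image” bytes are constructed inline and stand in for a real drive image.

```python
import hashlib
from typing import Dict, Iterable, Iterator, List, Tuple

# Digests recorded together at acquisition time. MD5 alone is not enough once
# collisions are practical; SHA-256 alongside it means a prepared collision
# would have to hold for every algorithm in the record.
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")

# Hash in fixed-size pieces so a multi-gigabyte image never has to fit in RAM.
CHUNK_SIZE = 1024 * 1024


def iter_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield an in-memory byte string in chunk_size pieces (used for the demo)."""
    for offset in range(0, len(data), chunk_size):
        yield data[offset:offset + chunk_size]


def iter_file(path: str, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield a disk image file in chunk_size pieces."""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                return
            yield block


def digest_stream(chunks: Iterable[bytes],
                  algorithms: Iterable[str] = DEFAULT_ALGORITHMS) -> Dict[str, str]:
    """Compute every requested digest in a single pass over the image bytes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(chunks: Iterable[bytes], recorded: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Recompute every digest in the acquisition record and list the ones that
    no longer match. The image verifies only if all of them match."""
    current = digest_stream(chunks, list(recorded))
    mismatched = sorted(name for name in recorded
                        if current[name] != recorded[name].lower())
    return (not mismatched, mismatched)


def tamper(data: bytes, offset: int = 7) -> bytes:
    """Return a copy of the image with one bit flipped (constructed evidence tampering)."""
    flipped = bytearray(data)
    flipped[offset] ^= 0x01
    return bytes(flipped)


# Constructed stand-in for a drive image: a fake boot sector followed by filler.
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 64 + b"\x55\xaa"


if __name__ == "__main__":
    record = digest_stream(iter_bytes(SAMPLE_IMAGE))
    for name, value in record.items():
        print(f"{name:8s} {value}")
    print("original verifies:", verify(iter_bytes(SAMPLE_IMAGE), record))
    print("tampered verifies:", verify(iter_bytes(tamper(SAMPLE_IMAGE)), record))
```

For a real image, replace `iter_bytes(SAMPLE_IMAGE)` with `iter_file("/path/to/image.dd")`; the digests are computed in one read of the file regardless of how many algorithms are in the record.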

Yet, even with all of these issues at hand, the work of the computer forensics professional is nonetheless an honorable one.  They’re the guys who catch the crooks, the liars, the phishers, and the kiddie porn dealers.  To you, sir, I salute you; not only for your persistence, but also for putting up with ignorant lawyers.  Which brings me to my next point,

Technology Grows Exponentially, People’s Attitudes Do Not

Even with the advancement of various hardware and software technologies, people remain as arrogant and ignorant as ever.

The idea that all geeks “cannot communicate” and are “basement coders” is one that has persisted throughout the 90s and 00s.  I even get that sometimes from various acquaintances.  But I seriously did not expect that attitude at a conference whose entire existence is based on the idea that more technology is the solution to their problems.

The main argument posed by the lawyers and businessmen in the room was that I.T. professionals make bad expert witnesses because once they start “technobabbling”, they confuse the judge and the lawyers.

I call bullshit on this one.

For one thing, I really don’t know how long the “professional elite” plan to stick their heads in the sand.  Technology is a fact of life.  It moves fast, and you have got to keep up if you’re expected to use these technologies.  Using the “it’s technobabble to me” excuse no longer cuts it.  When people’s money and lives are on the line, you’d better damn well learn something about it before you walk into that courtroom.

It especially scares me that I’m hearing these kinds of comments from lawyers who handle digital crimes, and from businessmen who act as vendors for e-discovery platforms.  I’ve got their business cards, so I know who I won’t be calling in the event of an emergency.

But all was not lost, because immediately after that comment was made, 3 or 4 hands shot up in a surprisingly civil outcry.  These people were either I.T. professionals who became lawyers/arbitrators, or businessmen who insisted that I.T. professionals can be articulate.

In that respect, I believe that our honor was sufficiently defended.
