Created: Aug 7, 2004
Updated: June 7, 2005
Author: Mike Andrew

John Steinbeck's novel "Of Mice and Men" is a classic story of how tragedy can come from the best of intentions. The focus of the tragedy is Lennie, a well-meaning giant of a man who is mentally handicapped and as gentle as a mouse. In the story he accidentally kills someone because he isn't careful enough about his great strength. It isn't really his fault; he just doesn't know any better. The other main character is Lennie's companion, George. He is much more aware than Lennie and does his best to keep Lennie out of trouble. Now, you are probably asking yourself what this could possibly have to do with computer forensics. The answer is that the story is a good analogy for what's going on today in the field. Two basic approaches have emerged in the science and practice of forensic computing. Appropriately, we will call these two approaches the "mice" approach and the "man" approach.

The most visible approach seen currently is the "mice" approach. Please understand that this term is purely descriptive, not disparaging. "Mice" stands for computer mouse, meaning forensic professionals who prefer to point-and-click their way through an analysis, trusting their favorite software tool to find data they feel is authoritative. They were taught the tool, and they trust the tool implicitly and explicitly. This is perfectly understandable, because there are some very good tools available. However, it is not the quality of a particular tool that makes a mouse; it is the examiner's approach to computer forensics.

There can be many factors that go into the making of a mouse. Sometimes an analyst is forced into becoming a mouse because the workload is large and time is short. Other people become mice because that is all they know. They were told that to succeed they had to learn a particular tool; after all, everyone uses that tool, and it's even been proven in court. When they want to know more about conducting an analysis, they take an "advanced" course in the tool that they learned. And unfortunately, some people become mice because their philosophical approach to forensics is to do the minimum. We prefer to think that this type is rare.

As an alternative to being a mouse, a different standard for conducting forensic investigations has emerged. We will call this other approach the "Man." approach; that's "man" with a period, as in short for manual. Being a "Man." means the analyst believes it is necessary to know exactly what the software tools are doing behind the scenes, that is, how the software tools work. They know how tools work because they know how to manually duplicate what the software does. This does not mean that they don't use software tools (as we said, there are some very good tools available); it simply means that they know what the strengths and weaknesses of the tools are. They make it a point to know. A man follows the old adage "trust, but verify."

There is only one factor that goes into becoming a man: a deep and compelling need to determine how, and why, things work the way they do. First and foremost, a man is a purist. To a purist, the computing processes that create and store data represent a frontier of discovery that must be explored and mapped. A man recognizes that all things are interconnected in a modern computing environment, so he or she brings knowledge of other disciplines such as networking, information security, and software programming to bear in the process of forensic analysis. They are not satisfied with taking someone else's word about how to interpret what they see during a forensic examination. They feel obligated to prove it for themselves, so they can look someone in the eye and say, "I know because I've done it at least once." And finally, a man realizes that becoming a man is a lifelong process: when you stop learning, you stop trying to be as good as you can be.

So which of the above approaches is the best one to use? This question is far from academic for those who require forensic services. Attorneys and other end users of these services know that one issue reigns supreme over all others in forensic analysis: proper interpretation of the data that was found. Attorneys can't be overly concerned with the technical aspects of analysis. That's not their job. Their job is to be immersed in how the forensic process plugs into the legal framework. They are concerned with names like Daubert, Frye, Rowe, and Zubulake. Interpretation of the results is left to the forensic expert, and rightly so. After all, isn't that what an expert is for? So, in light of the issue of interpretation, let's compare the two approaches.

For the sake of discussion, we'll assume everyone agrees with the idea that interpretation of any complex situation is based on the observer's overall knowledge about what's going on. That just makes sense, right? When faced with the complex situation of a forensic analysis, a mouse says, "My tools have found all the secret files in all the secret places, and this report shows what happened." To this, a man would reply, "Don't tell me your tools found all the secret files. With proper setup, in five minutes I can create data that those tools won't even know is there. I know, because I've done it." A mouse believes that if the tool he uses finds certain keywords in a certain file, then simply finding the keywords in that place is conclusive. A man knows that software is incapable of total interpretation, and that deeper knowledge must be used to determine exactly how the keyword data was created. Do you think this is oversimplified and exaggerated? On the contrary, there are many examples of this kind of misplaced confidence.

We were recently involved for the defense in a civil case where the analysts for the prosecution were using a well-known software tool. They registered keyword hits in a certain file. They filed a report that they said was conclusive: the individual in question was guilty. The only problem was, they were incorrect. We were able to show that the keyword hits were not the result of the individual doing what he was accused of. The tool had extracted them from a database of search terms that had been created by spyware on the suspect's computer. We proved that if he had engaged in the activity, the keywords would have appeared in a different manner.

In the case above, the tool used by the other analysts worked perfectly. They just lacked the deeper knowledge about computing processes needed to properly interpret what they were seeing. At this point, you might think to yourself, "Well, that's all right then... just an inexperienced mouse that didn't know any better, and the truth won out in the end." However, there's more to this story. Due to an initial misunderstanding about the nature of the case, a second Mouse got involved for the prosecution early on, and stayed involved. That's mouse with a capital "M": the sort of mouse that has initials instead of a name. They approved the report that declared the individual was guilty. It's always good to remember that mice can come in all sizes.

We don't want to give the impression that defining a computer forensic professional as a mouse or a man is cut and dried. Like most things, there are many shades of grey in between. Remember, what makes a true man is the additional knowledge they bring to the analysis about how data is created, transmitted, and stored. These skills are developed by educating themselves about networking, information security, and other technology disciplines. Being a "manual" doesn't mean that the analyst does everything the slow way; it means that they take the time to be absolutely sure they know exactly how something happened.

We also don't want to give the impression that every computer forensic investigation requires a technological super-man to conduct a proper analysis. Not every case is about finding information the terrorists disguised using steganography, or finding the Swiss bank account number the tech-savvy embezzler encrypted and hid in slack space. Thankfully, these types of cases are not the rule. There may even be some types of cases where a thorough analysis can be done using the pure mouse approach. Maybe. But then again, how can you be certain that your evidence is conclusive if you don't know all the places to look, or what you're really looking at?

In Steinbeck's story, the strength of an ignorant but well-meaning individual caused great damage and pain to others. Computer forensics is a presence in two very different worlds: on the one hand it is purely technical, and on the other it can have enormous legal impact on people's lives. Through ignorance, forensic analysts can potentially cause great damage no matter how well intentioned and ethical they may be. We do not suggest that all those who focus on simply mastering a tool are not capable. However, we respectfully offer this solemn caution to attorneys and other end users, and to those who want to learn forensics: if you prefer people who are only comfortable playing with mice, someday you're going to run into a real man.

Mike Andrew - VP CyberSecurity Institute

Copyright © 1999-2005 SP Hailey Enterprises, all rights reserved. Reproduction in whole or in part in any form or medium without the expressed written permission of SP Hailey Enterprises is prohibited. CyberSecurity Institute™, CyberSecurity Institute Certified Instructor (CSICI)™, CyberSecurity Forensic Analyst (CSFA)™, and Computer Forensics Core Competencies™ are trademarks used by SP Hailey Enterprises.