SANS Digital Forensics and Incident Response Blog

The Death of Computer Forensics (on Web2.0 Sites)

by Jack Bezalel

Computer Forensic?Computer Investigation?Forensic Cases?

It is always about some geek wearing old style clothes,

3-days beard (for a gentleman) OR undone hair (for a lady) , glazing eyes,

lots of half eaten pizza remains around, empty cans of beer scattered around

and a refrigerator that looks like the dump bucket.

And then a beautiful young client knocks on the door, asking for help

in an X-files type of investigation.

Our geek hero always knows how to get the critical data off the disks, camera

phone, printer, remote server, whatever.

Our hero knows how to break in, decrypt, analyze, summarize, save the client

in the last moment from a crashing car, and drink some more beer (or wine).

Computer Crime resolved. End of Forensic Case.

But these days information is much more in a new set of locations?

Facebook, linkedin, twitter, web hosting sites, and

a bunch of other social media sites and services.

"Well", our Hero says, as he swallows another pizza,

"it is all out there! All the information is there?anyone can look into web2.0 data?that's

the whole thing about Web2.0..."

Well?not sure about easy?that is why;

  • People can have many identities
  • Each Web 2.0 has a separate privacy policy
  • Each Web2.0 service maintains or backups data differently
  • It is easier to frame somebody innocent using Web2.0
  • Web 2.0 data changes, moves and morphs all the time
  • Web 2.0 data takes too much space to handle
  • There are traffic limitations in trying to extract data
  • Web 2.0 services are not stable in some cases
  • You are messing not only with the service provider?you could be messing with the community

And on top of all that .. imagine how a public persona Computer Crime investigation over

web2.0 properties would look like to the Web2.0 community and providers?they

might see it as a major risk to their own well being and existence?

Nevertheless, Web 2.0 Computer Forensics use against Computer Crime is a field

all of us should look into more carefully.

So what's your take on this?

(based on my article on my blog at the IT Master Mind blog )

Jack Bezalel, GCFA #471, has roughly 25 years of successful experience running all IT operations supporting leading products development, marketing, sales, operations groups. He specializes in the complete life cycle for hundreds of Unix systems (Linux - Redhat/SuSE & more, Solaris, HPUX, AIX and more), Windows platforms and Novell.


Posted March 23, 2009 at 8:44 AM | Permalink | Reply


Investigation into online boards (USENET, bulletin boards, forums, etc.) was the predecessor to doing the same in the Web 2.0 world. Most people in forensics today may not have been involved back when that was more common (mid 90s to the maybe the middle of this decade), but the concerns were similar. When people know they are being monitored/investigated their behavior surely changes. This has to be even more the case with social networking and Web 2.0 collaborate sites, which represent a much closer knit and synchronized collective of individuals.
This is some pretty novel stuff, recent reports of terrorist extremists potentially using sites like Twitter have already surfaced ( and it makes perfect sense.
Remember there are two elements of this that affect our field very differently. One is that the intelligence side of things, focusing on gathering Web2.0 information (and other) to proactively prevent events, while the forensics side of the house might be interested in this information after-the-fact. And the experience is very different between the two. The UK now has laws requiring ISPs to retain data, and they've announced the desire to track and record and preserve years of social networking site data. Without going into the practicalities of such a move, it does probably indicate a trend that will continue ever onward: the mass collection and processing of endless amounts of public Internet information for not only proactive intelligence review but for most-mortem.
A human resources department may not always be able to see what you posted to Facebook five years ago, but the government certainly will. If you're a terrorist (or perhaps just a social activist) you're sure to have anything and everything you ever post to these sites recorded for future posterity.
We used to take such interest in the fact that the FBI (in past years) would keep detailed files on people like Martin Luther King Jr, Elvis, and even Hollywood screenwriters. Nowadays, people prepare their own files and upload to their favorite site''.

Posted April 1, 2009 at 2:40 PM | Permalink | Reply


The "beauty" of computer forencics is that for the most part they are not so much internal incident response as the are court mandated and REQUIRED Electronic Discovery.
The fact that it is difficult and time consuming just means that the people who have the skills and availability will find themselves with a lot of billable hours in the event that Discoverable Data is located in a Web 2.0 resource.
What we need to see in the space is Web 2.0 providers integrating discovery systems on their back-end. This will save them much headache as well when the Feds mandate that they hand over all data pertaining to X Y or Z.
Many companies have started implementing internal discovery systems as an insurance policy against a Discovery Audit. The owness of Discovery lays with the discoverable party and Discovery experts are expensive.