Foreword

My great-grandfather was a furniture maker. I am writing this on his table, sitting in his chair. His world was one of craft, “the skilled practice of a practical occupation.”[1] He made furniture late in life that was in superficial respects the same as that which he made earlier, but one can see his craft advance.

[1] “WordNet Search—3.1,” Princeton University, 2011. http://wordnetweb.princeton.edu/perl/webwn.

Cybersecurity’s hallmark is its rate of change, both swift incremental change and the intermittent surprise. In the lingo of mathematics, the cybersecurity workfactor is the integral of a brisk flux of step functions punctuated by impulses. My ancestor refined his craft without having to address a change in walnut or steel or linseed. The refinement of craft in cybersecurity is not so easy.

Forensics might at first seem to be a simple effort to explain the past, and thus an affectation. It is not, and the reason is complexity. Complexity is cumulative and, as the authors say at the outset, enough has accumulated that it is impossible to know everything about even a de minimis network. Forensics’ purpose, then, is to discover meaningful facts in and about the network and the infrastructure that were not previously known. Only after those facts are known is there any real opportunity to improve the future.

Forensics is a craft. Diligence can and does improve its practice. The process of forensic discovery is dominated by ruling out potential explanations for the events under study. Like sculpture, where the aim is to chip away all the stone that doesn’t look like an elephant, forensics chips away all the ways in which what was observed didn’t happen. In the terms popularized by E. F. Schumacher, forensics is a convergent problem where cybersecurity is a divergent one; in other words, as more effort is put into forensics, the solution set tends to converge to one answer, an outcome that does not obtain for the general cybersecurity problem.

Perhaps we should say that forensics is not a security discipline but rather an insecurity discipline. Security is about potential events, consistent with Peter Bernstein’s definition: “Risk is simply that more things can happen than will.” Forensics does not have to induce all the possibilities that accumulated complexity can concoct, but rather to deduce the path by which some part of the observable world came to be as it is. Whereas in cybersecurity, in general, the offense has a permanent structural advantage, in forensics it is the defense that has superiority.

That forensics is a craft and that forensics holds an innate strategic advantage are factual generalities. For you, the current or potential practitioner, the challenge is to hone your craft to where that strategic advantage is yours—not just theoretically but in operational reality. For that you need this book.

It is the duty of teachers to be surpassed by their students, but it is also the duty of the student to surpass their teacher. The teachers you have before you are very good; surpassing them will be nontrivial. In the end, a surpassing craft requires knowing what parts of your then-current toolbox are eternal and which are subject to the obsolescence that comes with progress. It is likewise expeditious to know what it is that you don’t know. For that, this book’s breadth is directly useful.

Because every forensics investigation is, in principle, different, the tools that will be needed for one study may well be a different set from those needed for another study. The best mechanics have all the specialized tools they can need, but may use a few tools far more than others. A collection of tools is only so good as your knowledge of it as a collection of tools, not necessarily that you’ve used each tool within the last week. Nicholas Taleb described the library of Umberto Eco as an anti-library that “. . . should contain as much of what you do not know as your financial means, mortgage rates, and the real-estate market allows you to put there.”

You, dear reader, hold just such an anti-library of forensics in your hand. Be grateful, and study hard.

Daniel E. Geer, Jr., Sc.D.
