No, the blog isn’t dead, it was just resting for a period of time (admittedly a long one) while I was trying to put some semblance of an order to a rapidly-galloping-uncontrollably-away PhD.

So, after about a year of working frantically at various issues, solving (or attempting to solve) problems that should not have existed had I yelled when I needed to yell, changing supervisors and departments in exactly the middle of my PhD, gathering data that needed gathering (My most sincere thanks to Zapotek of segfault.gr for his assistance in this!), teaching a lovely and amazingly smart and perceptive bunch of 3rd & 2nd year BSc Digital Forensics students, getting taught the Forensic Way by some amazing Forensic Science lecturers, and making drastic changes to my PhD’s structure, content, design and implementation details, I’m finally where I should be!

So, with a PhD software prototype FINALLY written and evaluated, proceeding to the actual implementation of my PhD’s full software (more on that later, both here and in publications to be written), I now am starting to once again have the time and the disposition to concentrate on my pet projects, such as keeping this blog moving forward.

Stories and comments on stories exist and are in the process of being thought through and further investigated, so keep checking back, cause they’ll start cropping up over the next few days (worst case scenario: 1-2 weeks) once more!

Until then, stay safe out there and keep digitally forensicating!!

DarkSYN

So, summer holidays: Sun, Sea, other-things-beginning-with-the-S-letter and some interesting bits of news from Greece.

For the interesting bit of news now: According to information published in the Eleftherotypia newspaper, data contained on hard drives NOT connected to the internet are now NOT considered to be personal information and therefore are NOT protected by the Greek equivalent of the Data Protection Act.

Mr Karoutsos, assistant judge of the high court of Greece, and responsible for the introduction of the above law, further states that (translated) “the hard drive of a computer, components and parts [of a computer] as well as electronic sound evidence found on a computer are not considered to be communication mediums”. (Article in the Greek language: http://www.enet.gr/online/online_text/c=112,id=90609728)

So, what can one make of this law, then? A deliberate violation of the constitutional free speech rights, or someone’s stupid idea based on lack of proper advice on technology issues? Or both?

First of all, exactly HOW can one ascertain without the shadow of doubt (Greece has a non-adversarial justice system), or even with an error margin lower than 50%, that a storage medium has not been at any point in its lifetime connected to the internet or to a Local Area Network that is itself connected to the Internet?

Given that all motherboards nowadays contain either a network card or a modem+network card (laptops) by default, how do we determine it has not been used, automatically placing the hard-drive within the bounds of the DPA?

And what of USB drives and memory cards? If the digital camera (with the memory card inside) is connected at any point in time to a computer (thereby automatically mounting itself as a seperate DISK DRIVE) that has been at any point in time connected to the Internet itself, the memory card is itself “tainted” and thereby it too falls within the bounds of the DPA. USB drives are even worse as there can be NO conclusive proof that they have not been used on an Internet-connected computer.

And, of course, there is that further statement of Mr. Karoutsos….the one I quoted… Ummm, as I recall, every standard high-school textbook on Computing clearly explains how the different components of a computer “communicate”, not to mention the definition of a hard-drive, its relationship to the software called an Operating System and its role as both a transient and non-transient storage of information as a result of the act of communication.

Thus, exactly HOW does one PROVE a storage medium has NEVER been connected to the Internet?

To some degree I understand a bit of what they are trying to achieve, here, and I commend them on wanting to achieve it, given the CP cases that have cropped up and all.

What I do NOT understand and therefore DO NOT commend or condone is their use of such twisted logic resulting from their lack of knowledge of technology!

It continued with the same PhD research student, a year later, doing a PhD in Digital Forensics & Network Security, fully commiting himself to the change from Network Security to Digital Forensics, a change that, he was told, was going to be difficult as Network Security and Digital Forensics crowds don’t mix. The courageous (insert_laugh_here) student hoped, however, to use and integrate both schools of thought to better himself and his knowledge.

And here we are. The PhD research student survived thus far, started publishing papers and doing presentations on Digital Forensics. The PhD is going very well, the research student is hale and hearty and the world continues revolving around itself and the sun.

And this blog is where the PhD research student who moved from Network Security to Digital Forensics wishes to speak his mind (within limits (0<x<1 for the Bayesians out there)) about the funny and sad, strange, weird, “tales from the crypt”-like scary and downright ludicrous things he finds in his journey to become a Digital Forensic AND Network Security scientist/researcher/investigator.

The title, GrayHat Forensics, denotes the blogged journey of this gray-hat network security researcher in the world of cyber-crime, fraud, courtrooms, and infinite cups of coffee while waiting for bespoke digital forensics toolkits to finish doing an index search! Enjoy!!