My Road to Digital Forensics Excellence

Why “the malware made me do it” appeals so much to the juror.

Posted by Paul Bobby on October 4, 2010

Okay, provocative title.

I recently read through the excellent work by Richards J. Heuer, Jr., entitled “Psychology of Intelligence Analysis”. As the title suggests, the goal of this paper is to produce an analytical workflow that is resistant to the intended and sometimes unintended failures of the cognitive process. Part III discusses the various cognitive biases that we are all prone to.

“Similarity of Cause and Effect”, page 132, describes the tendency of human beings to infer cause based on the properties of the effect. For example, “…large animals leave large tracks…” and “…heavy things make heavy noises…” The problem is that people “tend to reason in the same way under circumstances when this inference is not valid”. Political events have political causes, economic events have economic causes and that “little events cannot affect the course of history”.

The previous section in this paper, “Bias Favoring Perception of Centralized Direction”, discusses the tendency to “see actions as the intentional result of centralized direction and planning”. Oswald could not have acted alone…

These two biases, similarity of cause and effect and centralized direction, are why conspiracy theories are so effective. The “Trojan Defense” is a tactic employed by the defense (and sometimes used within corporate investigations) as a way to infer cause from observed behavior. Heuer indicates in this paper that “intelligence analysts are more exposed than most people to hard evidence of real plots, coups, and conspiracies….”, and I believe this can be extended to the forensic analyst. Our day-to-day job exposes us to many of the behavioral patterns of individuals, and we have a deep understanding of the computer artifacts involved.

To the juror however, presenting a mysterious rhetoric of conspiracy, through malware, appeals directly to the cognitive biases that Heuer warns against.

Note: I consider the entire document a must-read. For incident response and cyber intelligence analysis it provides real working tools to combat the often flawed thinking that creeps in when trying to create a model that represents the adversary. We are so not working with script kiddies anymore – APT requires real thinking and real analysis. These concepts apply equally well to the forensic analyst, whether law enforcement or corporate; these tools can help you arrive at the appropriate conclusion, free from ‘past experience biases’ and other conundrums.

While there are smoking guns and hard facts to be found when conducting forensic analysis, quite often the conclusion must be inferred from a large set of forensic artifacts that ‘paint the picture’ of activity. It is this inference that is as weak or as strong as the thought process that produced it.
