Confidence is something you have to develop, not just in yourself but also in the tools you use.  When electricity was new there was a lack of confidence in it (let alone whether we should use AC or DC!), but decades later we rarely think about it.  Similarly, most of us will get on a bus or in a car and don’t panic that the vehicle will explode.

So, how and why is confidence important in IT?

Confidence for forensics

Confidence is especially important when it comes to Digital Forensics.  As a forensic practitioner, your job is to find the truth and a timeline of events.  You may be asked to give evidence to your boss, or even in court, so you need to be confident that what you say is truly accurate.

A common request I’ve received is for a simple web browsing report - these have been known to end people’s careers so it’s clearly important the information reported is accurate.  Before we can report on what’s been requested, we need to ensure we understand the logs we’re examining.  Reports are often technical, so we need to be able to answer questions from non-technical colleagues accurately, and in a way they understand.  Testing is a good way to validate that the log is telling the truth - is our test browsing correctly shown?  Is there data included from other users?  Once we’re happy the log is accurate the process of reporting on someone else’s activity can begin, with confidence.

In more complex scenarios, a forensic practitioner will need to report on the contents of a disk - immediately we need to be careful that we don’t inadvertently corrupt the evidence.  After taking an image of the media (and a copy of the image) we can set about using tools to examine the data.  Again, it’s crucial to be accurate so validation of the tool is important.  Ideally, we should re-validate our tools after each new version, always testing against a known image.

Failure to be able to demonstrate confidence in both practice and tools could result in an inappropriate jail term for the defendant (or being held in contempt of court yourself).

It's worth noting that's it's often not possible for a digital forensic practitioner to say "these actions were definitely performed by Bob Smith".  We are likely able to say Bob's account performed an action but placing Bob at the keyboard with certainty is often not an option.  This is an important caveat I always highlight in my reports, especially where there's a culture of users leaving their computers unlocked and unattended.

Confidence for diagnostics

Another time to have confidence is in our diagnostic tools.  An example from my own work is around Memtest86+, which tests RAM for errors.  After my third RAM module, tested in 2 different computers, came up with errors it was beginning to look likely there was an issue with the tool.  Sure enough, switching to an earlier version showed there were no errors.  Essentially I’d put the tool through re-validation (albeit unintentionally).

Summary

As you can probably tell, I perform a lot more forensics these days than end-user computer diagnostics, but ultimately it's still true that there's a need for confidence in what's happening.  Our bosses need to similarly have confidence in the work that we do, lest our work-lives would become somewhat mundane!

This is an edited version of a guest post I made for the Canterbury Christ Church University Computing Blog in May 2017.  You can also read the original.

Banner image from OpenClipart by skotan.