The area of digital forensics is relatively new, a fact which is reflected in the evolving and often competing methodologies that have been applied in this field. It should also be remembered that evidence gleaned using digital methods has to be properly accessed, processed and verified to be accepted in a court of law, which in turn adds a further layer of complexity to these methodologies. This paper explores the relationship between digital investigation and legal factors by comparing the methodologies suggested by Carrier (2005) and the United States Department of Justice's (USDOJ) digital forensic analysis methodology. Among the findings is that context, as well as other variables, plays a large part in the evolution of the usefulness and applicability of sound methodology.
Digital Forensics
"How does Carrier's (2005) digital forensics process of preservation, isolation, correlation and logging (PICL) compare to the United States Department of Justice's (USDOJ) digital forensic analysis methodology? These methodologies will be compared on the basis of multiple criteria, including their ability to maintain evidence integrity, management of lead information, ability to apply context to evidence presented, and realization of the return on investment in the forensics process."
Criminals have used computers and other digital tools and resources to commit and expand crime. In response, different methods and resources have also been successfully used to combat this type of crime. Central to this usage is the field of digital forensics. As one study on this subject notes, "In an effort to fight this new crime wave, law enforcement agencies, financial institutions, and investment firms are incorporating computer forensics into their infrastructure" (Forensic Examination of Digital Evidence: A Guide for Law Enforcement, 2004).
This is a relatively new field. In 2003 digital evidence was recognized as an acknowledged and fully fledged forensic discipline by the American Society of Crime Laboratory Directors -- Laboratory Accreditation Board (ASCLD-LAB) (Carrier, 2005). This led to the formation of the Computer Forensic Educator's Working Group, which was formed "…to assist educators in developing programs in this field" (Carrier, 2005). There are now numerous colleges and institutions that provide research and programs in this field.
In essence, computer or digital forensics has to perform two important tasks. The first is to be technically capable and robust enough to meet the needs of the complete recovery of data and information; secondly, it must "… meet the legal requirement of conducting these examinations in a manner that is entirely consistent with the rules of evidence" (Noblett and Feldman). Furthermore, "An informal and ad hoc approach to computer forensics will not likely meet the mandates of the judicial system" (Noblett and Feldman). It is for this reason that a more formal sense of process and methodology was seen as an increasingly important part of this developing field of expertise.
In other words, the discussion of various methods involved in computer and digital forensics revolves around the central issue of developing standards of examination and legal process. It was to this end that in 1993 an international conference was hosted by the FBI, which led to agreement that "...standards for computer forensic science were both lacking and necessary" (Noblett and Feldman). This was to lead to further conferences and to the creation of the International Organization on Computer Evidence (Noblett and Feldman). This brief background foreshadows the following discussion of two central methodologies.
2. Models and Methodologies
There are a number of methodological aspects involved in digital forensics which are essential to the investigative as well as the legal process. The basic methodology that is used in forensic investigations includes the following three foundational facets: the acquisition of evidence while ensuring that the source is not damaged or altered; the integrity and authentication of forensic evidence and comparison with the source; and the analysis of data without any alteration of the data source (Sansurooah, 2006). There are, however, variations on these themes that will be discussed and compared in the sections below.
2.1. Carrier's Methodology
The first methodology under consideration in this paper is promulgated by Carrier (2005). Carrier posited an integrated digital investigation process, which consisted of five phases: a readiness phase, a deployment phase, a physical crime scene investigation phase, a cyber crime scene investigation phase and a review phase. However, critics note that this methodological procedure does not include various factors that influence evidence compilation and comparison; for example, it is asserted by pundits that this methodology does not include a process for classifying cyber crime or for psychological profiling investigation methods, among others (Shin, 2011). These are aspects that will be more fully explored in subsequent sections of this paper.
Carrier (2006) makes the following important conceptual distinctions. He refers to the difference between digital investigation and digital forensic investigation. This distinction is important as it has a bearing on which digital forensics methodologies are deemed to be more effective and appropriate. A digital investigation, in Carrier's terms, is a "…process to answer questions about digital states and events" (Carrier, 2006). A basic example of a digital investigation is searching for a file on a computer. As Carrier states, "…In general, digital investigations may try to answer questions such as "does file X exist?," "was program Y run?," or "was the user Z account compromised?" (Carrier, 2006).
On the other hand, a digital forensic investigation is considered to be a special case of a digital investigation where "… the procedures and techniques that are used will allow the results to be entered into a court of law" (Carrier, 2006). This is a more complex process and goes beyond a digital investigation per se. In addition, it must take into account legal issues relating to court admissibility as well as legal verification processes, viability, cost factors, etc. It is important to remember in this regard that the term 'forensics' means "...to bring to the court" and that "Forensics deals primarily with the recovery and analysis of latent evidence" (Carrier, 2006).
In essence, this distinction emphasises the importance of a comprehensive and inclusive methodological process that includes both the concept of digital investigation and digital forensic investigation. This distinction is also evident in Carrier's definition of digital evidence. Digital evidence is "…data that supports or refutes a hypothesis that was formulated during the investigation. This is a general notion of evidence and may include data that may not be court admissible because it was not properly or legally acquired" (Carrier, 2006).
Carrier's methodology is based on the physical crime scene investigation process. This process includes three main phases: system preservation, evidence searching, and event reconstruction, which do not necessarily have to occur in that order (Carrier, 2005).
Figure 1. (Source: http://dubeiko.com/development/FileSystems/BOOKS/FileSystemAnalysis.pdf)
Within this basic framework there is also a distinction made between live and dead analysis. A live analysis is one where "…you use the operating system or other resources of the system being investigated to find evidence" (Carrier, 2005). A dead analysis, on the other hand, refers to "…when you are running trusted applications in a trusted operating system to find evidence" (Carrier, 2005). The difference between the two lies in the greater risk involved in the live analysis, since the suspect system's own software may be untrustworthy.
This basic framework is extended by Carrier in his PICL procedure, which refers to preservation, isolation, correlation, and logging. In this system, the first concern is the preservation of the state of the digital crime scene.
As Carrier puts it:
The motivation behind this guideline is that you do not want to modify any data that could have been evidence, and you do not want to be in a courtroom where the other side tries to convince the jury that you may have overwritten exculpatory evidence.
(Carrier, 2005)
Carrier also acknowledges that different variables and factors affect this stage and notes that,
The actions that are taken in this phase vary depending on the legal, business, or operational requirements of the investigation. For example, legal requirements may cause you to unplug the system and make a full copy of all data. On the other extreme could be a case involving a spyware infection….
(Carrier, 2005)
The isolation guideline is intended to "...Isolate the analysis environment from both the suspect data and the outside world" (Carrier, 2005). This refers to keeping the analysis environment separate from the suspect data, which may otherwise corrupt the environment and jeopardize the forensic process. Carrier also notes that this phase is difficult when undertaking live analysis.
The third aspect or guideline is the correlation of data with various independent sources. One of the purposes of this method is to reduce the risk of forged data. An example of correlation that Carrier provides is as follows: "...timestamps can be easily changed in most systems. Therefore, if time is very important in your investigation, you should try to find log entries, network traffic, or other events that can confirm the file activity times" (Carrier, 2005).
Logging in this methodology refers to the process of documenting all relevant actions. This process helps to keep track of activities such as searches and to keep a thorough record of results. This phase is also intended to reduce the overwriting of evidence.
The evidence searching phase as described by Carrier (2005) is the phase that initiates a search for data that "...support or refute hypotheses about the incident" (Carrier, 2005). This process is described as follows:
We define the general characteristics of the object for which we are searching and then look for that object in a collection of data. For example, if we want all files with the JPG extension, we will look at each file name and identify the ones that end with the characters JPG.
(Carrier, 2005)
The last phase of Carrier's methodology is the Event Reconstruction Phase. This phase is described by Carrier as the phase where we "...use the evidence that we found and determine what events occurred in the system" (Carrier, 2005).
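Carrier's preservation, correlation and logging guidelines and the extension-based evidence search described above, worked through as a small added Python example that is not from Carrier's book or from this paper. The disk-image bytes, file names and web-server log lines are constructed; isolation is assumed to be satisfied by working on an in-memory copy rather than the original evidence.

```python
import hashlib
from datetime import datetime, timedelta, timezone

ACTION_LOG = []  # logging guideline: a record of every action the examiner takes


def log(action):
    ACTION_LOG.append(f"{datetime.now(timezone.utc).isoformat()} {action}")


def sha256_hex(data: bytes) -> str:
    """Preservation: hash the acquired image; re-hashing later detects any alteration."""
    digest = hashlib.sha256(data).hexdigest()
    log(f"sha256 computed: {digest}")
    return digest


def search_by_extension(names, ext="jpg"):
    """Evidence searching: find every file name ending with the requested extension."""
    hits = [n for n in names if n.lower().endswith("." + ext.lower())]
    log(f"search ext={ext}: {len(hits)} hit(s)")
    return hits


def correlate(file_name, file_mtime, log_entries, window=timedelta(minutes=5)):
    """Correlation: a file timestamp is easily changed, so confirm it against
    independent log lines naming the file inside a time window."""
    matches = [(ts, msg) for ts, msg in log_entries
               if file_name in msg and abs(ts - file_mtime) <= window]
    log(f"correlate {file_name}: {len(matches)} corroborating log entries")
    return matches


# --- constructed sample data (hypothetical, not real evidence) ---
IMAGE = b"constructed disk image bytes"  # stands in for the acquired image copy
FILES = ["notes.txt", "photo1.JPG", "photo2.jpg", "jpg_list.csv"]
T0 = datetime(2011, 3, 1, 10, 0, tzinfo=timezone.utc)
WEB_LOG = [  # independent source: a constructed web-server access log
    (T0 + timedelta(minutes=1), "GET /uploads/photo1.JPG 200"),
    (T0 + timedelta(hours=3), "GET /uploads/photo2.jpg 200"),
]


def run_example():
    before = sha256_hex(IMAGE)
    hits = search_by_extension(FILES, "jpg")
    confirmed = correlate("photo1.JPG", T0 + timedelta(minutes=2), WEB_LOG)
    unconfirmed = correlate("photo2.jpg", T0, WEB_LOG)  # mtime is 3 h off the log
    after = sha256_hex(IMAGE)  # unchanged hash shows the copy was not modified
    return {"intact": before == after, "hits": hits,
            "confirmed": len(confirmed), "unconfirmed": len(unconfirmed)}
```

The second correlation returns nothing because the file's recorded time disagrees with the only independent record of it, which is exactly the case where Carrier says the timestamp alone should not be trusted.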
2.2. The United States Department of Justice's (USDOJ) digital forensic analysis methodology
The second methodology under review in this paper has been put forward by the United States Department of Justice. It consists of four basic phases: collection, examination, analysis and reporting (Shin, 2011). More specifically, the stages of this digital forensic methodology comprise the following central aspects: first, obtaining the data, followed by the forensic request; the preparation and extraction phases; identification; and finally analysis and forensic reporting leading to case-level analysis (Digital Forensic Analysis Methodology).
The preparation and extraction phase is characterized by the examiner's question as to whether there is sufficient information to proceed and to ensure that there is sufficient data available to answer the request or requests that might be made in the investigation (Carroll et al.). The duplication of forensic data is also part of this process, as well as the verification of its integrity. This process assumes that "…law enforcement has already obtained the data through appropriate legal process and created a forensic image" (Carroll et al.). After verification and integrity testing, the process of extracting the data is begun.
The identification process refers to the rigorous identification of the forensic evidence in terms of the extracted data list. However, if the forensic examiner encounters incriminating items of evidence which are outside the original search warrant, the recommendation is that activity is halted and the authorities notified (Carroll et al.). An example given is: "law enforcement might seize a computer for evidence of tax fraud, but the examiner may find an image of child pornography" (Carroll et al.). This is an important aspect as it indicates that this methodology is extremely flexible and takes into account context and content outside the initial prescribed parameters.
The analysis phase is all-important to the forensic process. In this phase, "...examiners connect all the dots and paint a complete picture for the requester" (Carroll et al.). Part of this process is the correlating of relevant data with questions such as what the original data was, and other relevant questions that provide insight into the investigation. This phase of the methodology has been critiqued as being "... improperly defined and ambiguous" (Shin, 2011).
3. Comparisons and Evaluations
Carrier's model or methodology pays considerable attention to data integrity. This is evident, for instance, in the correlation process, where data is correlated with various outside sources in order to prevent forgery or inaccurate forensic data.
If we compare these two methodologies under headings such as evidence integrity, management of lead information and evidential context, we find that Carrier's methodology is useful from a number of perspectives. Carrier places emphasis on the initial investigatory process and the identification and verification of data. As Carrier states in an article entitled Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers (2002), "As with any investigation, to find the truth one must identify data that: Verifies existing data and theories (Inculpatory Evidence), Contradicts existing data and theories (Exculpatory Evidence)" (Carrier, 2002). This methodological model therefore focuses on identification and analysis.
The United States Department of Justice's digital forensic analysis methodology is more broadly designed and seems to be more focused on procedural details and protocols and also tends to be more meticulous in terms of guidelines. This is evident in some degree in the preparation and extraction phase of the methodology. It could be argued that this methodology is therefore more effective and integrated in terms of management of information.