Research Paper on "Digital Evidence Forensics and the Law"

Research Paper 12 pages (3398 words) Sources: 10

[EXCERPT] . . . .

Forensics

Digital evidence/forensics and the law.

Digital Forensics

"How does Carrier's (2005) digital forensics process of preservation, isolation, correlation and logging (PICL) compare to the United States Department of Justice's (USDOJ) digital forensic analysis methodology? These methodologies will be compared on the basis of multiple criteria, including their ability to maintain evidence integrity, management of lead information, ability to apply context to evidence presented, and realization of the return on investment in the forensics process."

Computers and digital tools and resources have been used by criminals to increase crime. In response, different methods and resources have also been successfully used to combat this type of crime. Central to this effort is the field of digital forensics. As one study on this subject notes, "In an effort to fight this new crime wave, law enforcement agencies, financial institutions, and investment firms are incorporating computer forensics into their infrastructure" (Forensic Examination of Digital Evidence: A Guide for Law Enforcement, 2004).

This is a relatively new field. In 2003 digital evidence was recognized as an acknowledged and fully fledged forensic discipline by the American Society of Crime Laboratory Directors -- Laboratory Accreditation Board (ASCLD -- LAB) (Carrier, 2005). This led to the formation of the Computer Forensic Educator's Working Group, which was formed "…to assist educators in developing programs in this field" (Carrier, 2005). There are now numerous colleges and institutions that provide research and programs in this field.

In essence, computer or digital forensics has to fulfil two important tasks. First, it must be technically capable and robust enough to meet the needs of the complete recovery of data and information; secondly, it must "…meet the legal requirement of conducting these examinations in a manner that is entirely consistent with the rules of evidence" (Noblett and Feldman). Furthermore, "An informal and ad hoc approach to computer forensics will not likely meet the mandates of the judicial system" (Noblett and Feldman). It is for this reason that a more formal sense of process and methodology was seen as being an increasingly important part of this developing field of expertise.

In other words, the discussion of various methods involved in computer and digital forensics revolves around the central issue of developing standards of examination and legal process. It was to this end that in 1993 an international conference was hosted by the FBI, which led to agreement that "...standards for computer forensic science were both lacking and necessary" (Noblett and Feldman). This was to lead to further conferences and to the creation of the International Organization on Computer Evidence (Noblett and Feldman). This brief background foreshadows the following discussion of two central methodologies.

2. Models and Methodologies

There are a number of methodological aspects involved in digital forensics which are essential to the investigative as well as the legal process. The basic methodology that is used in forensic investigations includes the following three foundational facets: the acquisition of evidence while ensuring that the source is not damaged or altered; integrity and authentication of forensic evidence and comparison with the source; and analysis of data without any alteration of the data source (Sansurooah, 2006). There are, however, variations on these themes that will be discussed and compared in the sections below.

2.1. Carrier's Methodology

The first methodology under consideration in this paper is promulgated by Carrier (2005). Carrier posited an integrated digital investigation process, which consisted of five phases: a readiness phase, a deployment phase, a physical crime scene investigation phase, a cyber crime scene investigation phase and a review phase. However, critics note that this methodological procedure does not include various factors that influence evidence compilation and comparison; for example, it is asserted by pundits that this methodology does not include a process for classifying cyber crime or for psychological profiling investigation methods, among others (Shin, 2011). These are aspects that will be more fully explored in subsequent sections of this paper.

Carrier (2006) makes the following important conceptual distinctions. He refers to the difference between digital investigation and digital forensic investigation. This distinction is important as it has a bearing on the digital forensics methodologies that are deemed to be more effective and appropriate. A digital investigation, in Carrier's terms, is a "…process to answer questions about digital states and events" (Carrier, 2006). A basic example of a digital investigation is searching for a file on a computer. As Carrier states, "…In general, digital investigations may try to answer questions such as 'does file X exist?,' 'was program Y run?,' or 'was the user Z account compromised?'" (Carrier, 2006).

On the other hand, a digital forensic investigation is considered as being a special case of a digital investigation where "…the procedures and techniques that are used will allow the results to be entered into a court of law" (Carrier, 2006). This is a more complex process and goes beyond a digital investigation per se. In addition, it must take into account legal issues relating to court admissibility as well as legal verification processes, viability, cost factors, etc. It is important to remember in this regard that the term 'forensics' means "...to bring to the court" and that "Forensics deals primarily with the recovery and analysis of latent evidence" (Carrier, 2006).

In essence, this distinction emphasises the importance of a comprehensive and inclusive methodological process that includes both the concept of digital investigation and digital forensic investigation. This distinction is also evident in Carrier's definition of digital evidence. Digital evidence is "…data that supports or refutes a hypothesis that was formulated during the investigation. This is a general notion of evidence and may include data that may not be court admissible because it was not properly or legally acquired" (Carrier, 2006).

Carrier's methodology is based on the physical crime scene investigation process. This process includes three main phases: system preservation, evidence searching, and event reconstruction, which do not necessarily have to occur in that order (Carrier, 2005).

Figure 1.

(Source: http://dubeiko.com/development/FileSystems/BOOKS/FileSystemAnalysis.pdf)

Within this basic framework there is also a distinction made between live and dead analysis. A live analysis is one where "…you use the operating system or other resources of the system being investigated to find evidence" (Carrier, 2005). A dead analysis, on the other hand, refers to "…when you are running trusted applications in a trusted operating system to find evidence" (Carrier, 2005). The difference between the two lies in the greater risk involved in the live analysis.

This basic framework is extended by Carrier in his PICL procedure, which refers to preservation, isolation, correlation, and logging. In this system, the first concern is the preservation of the state of the digital crime scene.

As Carrier puts it:

The motivation behind this guideline is that you do not want to modify any data that could have been evidence, and you do not want to be in a courtroom where the other side tries to convince the jury that you may have overwritten exculpatory evidence.

(Carrier, 2005)

Carrier also acknowledges that different variables and factors affect this stage and notes that:

The actions that are taken in this phase vary depending on the legal, business, or operational requirements of the investigation. For example, legal requirements may cause you to unplug the system and make a full copy of all data. On the other extreme could be a case involving a spyware infection…

(Carrier, 2005)

The isolation guideline is intended to "...Isolate the analysis environment from both the suspect data and the outside world" (Carrier, 2005). This refers to isolation from the suspect data that may corrupt the data and jeopardize the forensic process. Carrier also notes that this phase is difficult when undertaking live analysis.

The third aspect or guideline is the correlation of data with various independent sources. One of the purposes of this method is to reduce the risk of forged data. An example of correlation that Carrier provides is as follows: "...timestamps can be easily changed in most systems. Therefore, if time is very important in your investigation, you should try to find log entries, network traffic, or other events that can confirm the file activity times" (Carrier, 2005).

Logging in this methodology refers to the process of documenting all relevant actions. This process helps to keep track of activities such as searches and to keep a thorough record of results. This phase is also intended to reduce the overwriting of evidence.
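The correlation and logging guidelines described above can be shown working together. The following Python code is an added example, not code from Carrier or from the original paper: it checks each file's recorded modification time against independent sources and documents every check in an append-only examiner log. The file names, events, 60-second tolerance and the hash-chained log format are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample data (not from any real case).
FILE_MTIMES = {"report.doc": "2011-09-12T14:03:10", "photo.jpg": "2011-09-10T09:00:00"}
# Independent sources: (source, file, time the activity was observed).
INDEPENDENT_EVENTS = [
    ("syslog", "report.doc", "2011-09-12T14:03:08"),
    ("netflow", "report.doc", "2011-09-12T14:03:12"),
    ("syslog", "photo.jpg", "2011-09-14T22:41:30"),
]

class ExaminerLog:
    """Append-only action log; each entry stores the hash of the previous one
    (hash chaining is this example's choice, not part of Carrier's procedure)."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "action": action, "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != self._digest(body):
                return False  # an entry was altered, removed or reordered
            prev = entry["hash"]
        return True

def correlate(mtimes, events, log, tolerance=timedelta(seconds=60)):
    """Return {file: [sources that confirm its mtime within the tolerance]}."""
    result = {}
    for name, stamp in mtimes.items():
        claimed = datetime.fromisoformat(stamp)
        result[name] = sorted(
            src for src, f, t in events
            if f == name and abs(datetime.fromisoformat(t) - claimed) <= tolerance)
        log.record("correlate", {"file": name, "mtime": stamp, "confirmed_by": result[name]})
    return result

def run_example():
    log = ExaminerLog()
    return correlate(FILE_MTIMES, INDEPENDENT_EVENTS, log), log
```

A file whose list of confirming sources is empty, such as `photo.jpg` here, has a timestamp that no independent record supports and should not be relied on without further corroboration.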

The evidence searching phase as described by Carrier (2005) is the phase that initiates a search for data that "...support or refute hypotheses about the incident" (Carrier, 2005). This process is described as follows:

We define the general characteristics of the object for which we are searching and then look for that object in a collection of data. For example, if we want all files with the JPG extension, we will look at each file name and identify the ones that end with the characters JPG.

(Carrier, 2005)

The last phase of Carrier's methodology is the Event…


How to Reference "Digital Evidence Forensics and the Law" Research Paper in a Bibliography

“Digital Evidence Forensics and the Law.” A1-TermPaper.com, 2011, https://www.a1-termpaper.com/topics/essay/forensics-digital-evidence/9838001. Accessed 5 Oct 2024.

