What is Digital Forensics?

2.1 Definition of Digital Forensics

  • Overview: Cyber crimes now encompass a wide array of digital technology; hence, digital forensics is expansive and can be divided into two main categories:

    • Computer Forensics

    • Network Forensics

2.1.1 Computer Forensics
  • Early Definition: According to Noblett, computer forensics is defined as "acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media."

  • Extended Definition: Many experts believe the definition of computer forensics should be broadened to encompass:

    • Collection

    • Examination

    • Analysis

    • Presentation of digital evidence.

  • Legal Contexts: In a legal case, computers may serve different roles:

    • As a target for information theft, fraud, or denial of service attacks (DoS).

    • As a perpetrator of crimes against other computer entities or against non-computer entities (e.g., falsifying documents).

    • As a medium for illegal storage or copying of documents (e.g., child pornography).

  • Forensic Tools: There is a need for specialized forensic tools for the extraction, analysis, and presentation of digital data evidence related to crimes involving computers.

2.1.2 Network Forensics
  • Context of Growth: Increasing online activities (e.g., communication via text messaging, e-mail, cloud storage) in the corporate world necessitate network forensics.

  • Criminal Motivation: The rise in online services correlates with increased criminal activity, prompting the integration of network forensics for:

    • Analyzing defendant or litigant computer systems

    • Gathering court-usable evidence

    • Recovering data post hardware/software failure

    • Analyzing systems post-security breaches

    • Collecting live network packets to monitor and prevent malicious actions

    • Understanding network vulnerabilities to prevent exploits.

  • Difference from Computer Forensics:

    • Unlike computer forensics, which deals predominantly with non-volatile storage, network forensics captures and analyzes dynamic, volatile data.

  • Monitoring Systems: According to Simson Garfinkel, monitoring networks can be categorized into two systems:

    • "Catch-it-as-you-can" systems that continuously monitor and store data, demanding substantial physical resources for intrusion detection.

    • "Stop, look and listen" systems, which capture only necessary packets in minimal storage with selected results directed to disk.

  • Types of Attacks:

    • Denial of Service (DoS)

    • Probing

    • Unauthorized super user access

    • Unauthorized remote access

  • Forensic Tools: Capturing and recording information in networks requires specialized tools to determine incidents' causes and methodologies.

2.2 Objectives of Digital Forensics

  • Use Cases: Digital forensics aids law enforcement investigations in various crimes including but not limited to:

    • Child pornography

    • Murder

    • Fraud

    • Espionage

    • Stalking.

  • Commercial Sector: Companies engage in digital forensics for cases like:

    • Intellectual property theft

    • Fraud

    • Bankruptcy

    • Regulatory compliance

    • Employee disputes

    • Misuse of digital devices.

  • Case Integrity: Digital forensics must focus on the presentation of legally acceptable evidence, adhering to strict guidelines and processes to ensure integrity.

  • Preservation Protocols: Forensic practitioners should isolate devices, create identical copies, and systematically search for hidden evidence while avoiding alterations to the original data.

  • Audit Trails: The audit trail must be transparent and reproducible by third parties for legal validation.

  • Protection of Evidence: John Vacca stresses the critical need to safeguard digital evidence from damage, destruction, or compromise during investigations. Factors include:

    • Minimizing operational disruptions

    • Respecting attorney-client confidentiality during investigations

    • Establishing and maintaining an unbroken chain of custody.

  • Types of Proceedings: The objectives of digital forensics are utilized in:

    • Criminal prosecutors investigating digital crimes

    • Civil litigations involving personal and business records connected to criminal activities (e.g., fraud, harassment)

    • Insurance investigations in arson or compensation claims

    • Law enforcement support before a search and after evidence seizure

    • Personal cases requiring assistance from digital forensics experts.

  • Challenges:

    • Volatile nature of digital data leads to changes before evidence can be processed.

    • Invisible digital information necessitates proper procedures.

    • Collecting evidence can inadvertently alter data, making the need for up-to-date digital forensic standards urgent.

  • Requirements for Legal Recognition of Evidence:

    • Evidence must be authentic, accurate, complete, persuasive in court, and compliant with current laws.

  • Main Objectives:

    • Proper investigation and prosecution of digital evidence cases

    • Preservation of seized digital evidence integrity

    • Providing expert testimony in court

    • Education and training for sectors involved.

2.3 The Digital Forensics Process

  • Evidence Handling: The process includes preserving, collecting, validating, identifying, interpreting, and presenting digital evidence, requiring strategic approaches to meet legal standards in trials.

  • Criteria for Credibility:

    • Authenticity

    • Integrity

    • Reproducibility of digital evidence.
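The preservation, audit-trail and chain-of-custody points in 2.2 and the credibility criteria above (authenticity, integrity, reproducibility) can be made concrete in code. The following is an added example, not from the original notes: it hashes a constructed sample image at acquisition, lets any third party re-verify a working copy against that hash, and keeps a hash-linked custody log in which editing, removing or reordering an entry is detectable. The function names and the log layout are this example's own choices.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(source: bytes) -> tuple[bytes, str]:
    """Make a bit-for-bit copy of the source and record its hash at acquisition time.
    Examination is done on the copy; the original is not touched again."""
    image = bytes(source)
    return image, sha256(image)

def verify(image: bytes, expected_hash: str) -> bool:
    """Reproducibility: anyone holding the image and the recorded hash can repeat this."""
    return sha256(image) == expected_hash

def append_custody_entry(log: list, actor: str, action: str, evidence_hash: str) -> dict:
    """Append a chain-of-custody entry linked to the previous entry by its hash."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {
        "seq": len(log),
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "evidence_sha256": evidence_hash,
        "prev_entry_hash": prev,
    }
    body["entry_hash"] = sha256(json.dumps(body, sort_keys=True).encode())
    log.append(body)
    return body

def custody_chain_intact(log: list) -> bool:
    """Recompute every link; an edited, removed or reordered entry breaks the chain."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_entry_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

if __name__ == "__main__":
    # Constructed sample data; not a real disk image.
    image, acq_hash = acquire(b"constructed sample disk image bytes")
    log = []
    append_custody_entry(log, "examiner A", "acquired image from seized drive", acq_hash)
    append_custody_entry(log, "examiner B", "received working copy for examination", acq_hash)
    print("copy verified:", verify(image, acq_hash), "| log intact:", custody_chain_intact(log))
    log[0]["actor"] = "someone else"          # simulate an after-the-fact edit to the log
    print("log intact after edit:", custody_chain_intact(log))
```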

  • Procedural Standards: Ongoing efforts to develop procedural standards are central to digital forensic examinations.

2.3.1 The Forensic Process Model
  • Phases of the Forensic Process: According to "Electronic Crime Scene Investigation: A Guide for First Responders" by the US Department of Justice, the forensic process consists of four main stages:

    1. Collection: Includes searching, recognizing, collecting, and documenting electronic evidence that could be lost without precautions.

    2. Examination: Making evidence visible and documenting its state, content, and significance, while searching for hidden or obscured evidence.

    3. Analysis: Evaluating the examination results for their significance and probative value to the case.

    4. Documentation: Finalizing the examination process, detailing relevant data and procedures for court use; documentation must be meticulously stored for future use.

  • General Principles:

    • Evidence should not be altered.

    • Examiners should be professionally trained.

    • Evidence handling (examination, storage, transfer) must be properly documented and available for review.

2.3.2 The Enhanced Digital Investigation Process Model (EIDIP)
  • Phases of EIDIP: Derived from Brian Carrier and Eugene Spafford's model, the EIDIP comprises five phases:

    1. Readiness Phase: Ensuring operations and infrastructure support forensic investigation.

       • Subdivided into operations readiness (training personnel) and infrastructure readiness (technical endurance).

    2. Deployment Phase: Involves detecting and confirming incidents, investigating crime scenes, seizing evidence, and submitting it to legal entities.

    3. Traceback Phase: Tracing physical scenes of crime and identifying suspect devices based on found digital clues.

    4. Dynamite Phase: Aims at collecting and analyzing evidence from primary crime scenes to reconstruct crimes and communicate findings to legal entities.

    5. Review Phase: Involves reviewing the forensic investigation processes and identifying areas for improvement.

  • Focus on Preparedness: The enhanced model emphasizes forensic readiness before incidents occur, suitable for cybercrime investigations.

2.3.3 Digital Forensics as a Service (DFaaS)
  • Impact of Cloud Computing: Cloud computing is increasingly popular yet challenging; it poses complexities for forensic examinations but offers potential for improved efficiency and on-demand processes.

  • Operational Strategy: In the Netherlands, a strategy called DFaaS, employing standardized forensic software like Xiraf, was proposed:

    • Step 1: Collection and authentication of digital evidence.

    • Step 2: Evidence is copied to central storage for examination.

    • Step 3: Local examination and posting of results to a central database for further analysis.

  • Facilitated Communication: The system allows direct queries from criminal detectives to forensic investigators, maximizing expertise and timely responses.

  • Factors for Success:

    • Resource Management: Coordinating personnel requirements.

    • Question Handling: Querying allows better hypothesis development.

    • Time Frame Adaptations: Scalability based on department size and operational needs.

    • Collaboration: Facilitating communication among investigators.

    • Research & Development: Emphasizing integration of new technologies into DFaaS.

2.4 Digital Forensics and the Legal System

  • Legal Influence: Heavily influenced by legal requirements and regulatory changes, addressing conflicts between privacy rights and law enforcement procedures.

  • Disclosures & Fair Trials: Concerns regarding the timing and manner of disclosures in trials, as raised by Angela Rafferty, QC.

2.4.1 Case Study I: Abstract Legal Challenges in America
  • Legal Structure: Based on K. Nance and D. J. Ryan's hierarchical breakdown of legal issues in digital forensics:

    • Constitutional Law: Challenges with privacy and freedom of speech in the digital age and their implications for forensic practices.

    • Cybercrime: Legislative efforts to regulate cyber activities while not stifling ethical hacking.

    • Criminal Procedure: Relevance of constitutional amendments and the challenges posed by cloud computing and technology advancement.

    • Property Law: Addresses patents, trademarks, licenses, and digital assets.

    • Contract Law: Protecting consumers in cyberspace.

    • Tort Law: Challenges in regulating civil actions arising from internet communications.

    • Evidence Law: Discusses the fragility and transience of digital evidence and challenges faced in keeping up with technological advancements.

2.4.2 Case Study II: Concrete Legal Requirements in Germany
  • Legal Foundation: German law is based on the Basic Law (Grundgesetz) regulating person-state relations (public law), and relations between legal entities (criminal law).

  • Criminal Law Implications:

    • Section 202: Violations related to unauthorized data access.

    • Section 202a: Data espionage and its implications for forensic professionals operating without permission.

    • Section 202c: Preparatory acts for data espionage, affecting legality of forensic tools.

  • Privacy Standards: High legal standards regarding personal privacy, affecting examination permissions involving personal and business data.

  • Data Tampering Concerns: Section 303a outlines legal consequences for altering data, emphasizing the need for examination copies.

  • Permissions for Forensic Actions: It is essential to obtain a blanket permission for any digital forensic action undertaken.

2.5 The Digital Forensics Professional

  • Skill Requirements: Digital forensics professionals must possess a specialized skill set that includes:

    • Analytical Thinking: Ability to recognize patterns, gather information effectively, and solve complex problems.

    • Computer Science Knowledge: A background in this field aids transitions into digital forensics, enhancing understanding of programming and IT security.

    • Legal Knowledge: Familiarity with evidence law and legal procedures is crucial for successfully navigating digital forensics investigations.

    • Organizational & Communication Skills: Essential for documenting evidence and collaborating effectively with teams and stakeholders.

2.6 Digital Forensics vs Classical Forensics

  • Distinct Challenges: The rapidly evolving nature of technology in digital forensics contrasts with the relatively static nature of classical forensics.

  • Longevity of Methods: Classical forensic tests remain relevant over time, while digital forensic tests must continually adapt to new technologies, illustrating the need for ongoing scientific validation.