This module is a resource for lecturers
Standards and best practices for digital forensics
The International Organization for Standardization (ISO), an international non-governmental organization, and the International Electrotechnical Commission (IEC), an international not-for-profit organization, develop and publish international standards to harmonize practices between countries. In 2012, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published international standards for digital evidence handling (ISO/IEC 27037 Guidelines for Identification, Collection, Acquisition, and Preservation of Digital Evidence). These guidelines included only the initial handling of digital evidence. The proposed four phases for digital evidence handling are as follows:
Identification. This phase includes the search for and recognition of relevant evidence, as well as its documentation. In this phase, the priorities for evidence collection are identified based on the value and volatility of evidence (see Module 6 on Practical Aspects of Cybercrime Investigations and Digital Forensics for further information).
Collection. This phase involves the collection of all digital devices that could potentially contain data of evidentiary value. These devices are then transported back to a forensic laboratory or other facility for acquisition and analysis of digital evidence. This process is known as static acquisition. However, there are cases in which static acquisition is unfeasible. In such situations, live acquisition of data is conducted. Let us consider, for example, the systems of critical infrastructures (i.e., industrial control systems). These systems cannot be powered down as they provide critical services. For this reason, live acquisitions are conducted that collect volatile data and non-volatile data from live running systems. These live acquisitions, however, can interfere with the normal functions of the industrial control system (e.g., by slowing down services) (see Module 6 on Practical Aspects of Cybercrime Investigations and Digital Forensics for further information).
Before conducting a live acquisition, data acquisition priorities should be identified in terms of data accessibility, as well as the value and volatility of the data.
Acquisition. Digital evidence is obtained without compromising the integrity of the data. This was highlighted by the United Kingdom National Police Chiefs Council (NPCC), formerly known as the United Kingdom Association of Chief Police Officers, as an important principle of digital forensics practice (i.e., Principle 1: "No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court") (UK Association of Chief Police Officers, 2012, p. 6). This obtainment of data without altering it is accomplished by creating a duplicate copy of the content of the digital device (a process known as imaging) while using a device ( write blocker) that is designed to prevent the alteration of data during the copying process. To determine whether the duplicate is an exact copy of the original a hash value is calculated using mathematical computations; here, a cryptographic hash function is used to produce a hash value. If the hash values for the original and copy match, then the contents of the duplicate are the exact same as the original. Understanding that there are certain "circumstances where a person finds it necessary to access original data [i.e., during live acquisitions]," the United Kingdom National Police Chiefs Council notes that "the person [accessing this data] must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions" (Principle 2) (UK Association of Chief Police Officers, 2012, p. 6) (see Module 6 on Practical Aspects of Cybercrime Investigations and Digital Forensics for further information).
Certain cryptographic hash functions have weaknesses.
Want to learn more?
- Thompson, Eric. (2005). MD5 collisions and the impact on computer forensics. Digital Investigation 2, 36-40.
- Vijayan, Jaikumar. (2017). Researchers from Google, CTI Break SHA-1 Hash Encryption Function. eWeek, 23 February 2017.
Preservation. The integrity of digital devices and digital evidence can be established with a chain of custody (discussed in Module 3 on Legal Frameworks and Human Rights), which is defined as "the process by which investigators preserve the crime (or incident) scene and evidence throughout the life cycle of a case. It includes information about who collected the evidence, where and how the evidence was collected, which individuals took possession of the evidence, and when they took possession of it" (Maras, 2014, p. 377). Meticulous documentation at each stage of the digital forensics process is essential to ensuring that evidence is admissible in court (see Module 6 on Practical Aspects of Cybercrime Investigations and Digital Forensics for further information).
The remaining phases of the digital forensics process (analysis and reporting) are not included in the ISO/IEC 27037. The analysis (or examination) phase requires the use of appropriate digital forensic tools and methods to uncover digital data. There are numerous digital forensics tools on the market of varying qualities. Examples of digital forensics tools include Encase, FTK, and X-Ways Forensics. The type of digital forensics tools varies depending on the type of digital forensics investigation conducted (e.g., for mobile forensics and cloud services on mobile devices, one tool that can be used is the Oxygen Forensics Suite; for network forensics, which involves "the use of scientifically proven techniques to investigate [crimes committed against and via] computer networks" (Maras, 2014, p. 305), a tool that can be used is Wireshark). Existing digital forensics tools (e.g., EnCase, FTK, and NUIX) are designed to work with traditional computing environments. Specialized digital forensics tools are needed, for example, for the networks, interfaces, and operating systems of critical infrastructure (discussed in Module 2 on General Types of Cybercrime).
The United States National Institute of Standards and Technology has a searchable digital forensics tools database, which includes various functionalities (e.g., database, cloud, drone, and vehicle forensics tools, among others). National law enforcement agencies differ in their preference and use of digital forensics tools.
Smart vehicle forensics
Smart vehicle forensics is an understudied yet important area of digital forensics (Parkinson and McKay, 2016). The mass deployment of smart vehicles with Internet-enabled functions (and the development of autonomous vehicles) has added impetus to the need to create smart vehicle forensics processes, standards, and tools that could enable a forensically sound digital investigation of vehicles (Le-Khac et al., 2018). These vehicles can provide a wealth of information (such as places travelled and frequented, home and work address, numbers dialled, phone calls received etc.) that could be used when investigating crimes targeting smart or autonomous vehicles (e.g., hacking) or other crimes where the information obtained from these vehicles could be used as evidence of a crime (De La Torre, Rad, and Choo, 2018).
Want to learn more?
- De La Torre, Gonzalo, Paul Rad, and Kim-Kwang Raymond Choo. (2018). Driverless vehicle security: Challenges and future research opportunities. Future Generation Computer Systems, available online 11 January 2018.
- Le-Khac, Nhien-An, Daniel Jacobs, John Nijhoff, Karsten Bertens, Kim-Kwang, and Raymond Choo. (2018). Smart vehicle forensics: Challenges and case study. Future Generation Computer Systems, available online 7 June 2018.
The tools used must be forensically sound. To be forensically sound, the "acquisition and subsequent analysis of …[digital] data" with these tools must be able to preserve "the data in the state in which it was first discovered" and "not in any way diminish the evidentiary value of the electronic data through technical, procedural or interpretive errors" (McKemmish, 2008, p. 6). Put simply, the data acquired must not be modified in any way - that is, its integrity must be maintained. The Computer Forensics Tool Testing Program of the United States National Institute of Standards and Technology has
establish[ed] a methodology for testing computer forensic[s] software tools by [the] development of general tool specifications, test procedures, test criteria, test sets, and test hardware. The results provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for interested parties to understand the tool[']s capabilities.
The Internet of Things (IoT) refers to an interconnected and interoperable network of Internet-enabled devices (e.g., cameras, televisions, refrigerators, ovens, lights, energy meters, clothing, toys, and accessories, to name a few) which facilitate the monitoring of objects, people, animals, and plants, and the vast gathering, storing, examination, and dissemination of data about them (Maras, 2015). Because IoT can provide a significant amount of information about users of these devices (see Module 10 on Privacy and Data Protection for the type of information these devices reveal), data obtained from these devices has been introduced as evidence in courts (Maras and Wandt, 2018). For example, in the United States, the data from a FitBit, an IoT device that monitors health and physical activity, was introduced as evidence in the murder of Connie Dabate (Altimari, 2018). In light of the introduction of IoT data in courts, it is imperative that IoT forensics processes, standards, and tools are established (Maras and Wandt, 2018).
Want to learn more?
- Conti, Mauro, Ali Dehghantanha, Katrin Franke, and Steve Watson. (2018). Internet of Things security and forensics: Challenges and opportunities. Future Generation Computer Systems, Vol. 78(2), 544-546.
- MacDermott, Aine, Thar Baker, and Qi Shi. (2018). IoT Forensics: Challenges for the IoA Era. 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS) (2 April 2018).
- Watson, Steve and Ali Dehghantanha. (2016). Digital forensics: The missing piece of the Internet of Things promise. Computer Fraud & Security, Vol. 6, 5-8.
The purpose of the analysis phase is to determine the significance and probative value of evidence. This determination is made by, for example, examining whether the evidence under examination "has the tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence" (Rule 401, U.S. Federal Rules of Evidence) (see Module 6 on Practical Aspects of Cybercrime Investigations and Digital Forensics for further information).
The reporting phase includes a detailed description of the steps taken throughout the digital forensics process, the digital evidence uncovered, and the conclusions reached based on the results of the digital forensics process and the evidence revealed (see Module 6 on Practical Aspects of Cybercrime Investigations and Digital Forensics for further information). Artificial intelligence (i.e., "computational models of human behaviour and thought processes that are designed to operate rationally and intelligently"; Maras, 2017, p. 7) can be used to produce reliable results. However, the use of artificial intelligence could pose problems in the analysis and presentation phases of the digital forensic process because experts may not be able to explain how these results were obtained (Maras and Alexandrou, 2018).
The ISO/IEC have published other guidelines on the digital forensics process that cover: validity and reliability of digital forensic tools and methods ( ISO/IEC 27041:2015, Guidance on assuring suitability and adequacy of incident investigative methods), and the examination (or analysis) and interpretation phases of the digital forensics process ( ISO/IEC 27042:2015, Guidelines for the analysis and interpretation of digital evidence).
The standards were not designed for non-traditional computing systems - like cloud computing. Nevertheless, the Cloud Security Alliance published a document titled "Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing" to "reinterpret the ISO 27037 guidance for a cloud context" (CSA, 2013, p. 130).
For more information, see here.
Best practice guides are available to identify and promote valid and reliable digital forensics processes and outcomes. Cases in point are the U.S. Scientific Working Group on Digital Evidence's best practices for computer forensic examination, digital evidence collection, and computer forensic acquisitions, and the European Network of Forensic Science Institutes' best practice manual for the forensic examination of digital technology.
These standards and best practices seek to establish the validity and reliability of digital forensics results. First, to be admissible, the tools and techniques used in the digital forensics process must be "scientifically valid;" that is, proven to provide accurate results through empirical testing. Second, the digital forensics results must be reliable; that is, the same results must be obtained on different occasions using the same data, tools, and techniques (Maras, 2014; p. 48). Particularly, the results should be repeatable and reproducible. Results are repeatable when the same digital forensics results are obtained using the same test items, equipment, laboratory, and operator (Maras, 2014, p. 48). Results are reproducible when the same digital forensics results are obtained using the same test items, but different equipment, laboratories, and operators (Maras, 2014, p. 49). As the United Kingdom National Police Chiefs Council noted, an important principle of digital forensics practice is the ability of "[a]n independent third party…to examine those processes and achieve the same result" (Principle 3) (UK Association of Police Chiefs, 2012, p. 6).
Anti-forensics (or anti-digital forensics) is a term used to describe the "tools and techniques [used] to remove, alter, disrupt, or otherwise interfere with evidence of criminal activities on digital systems, similar to how criminals would remove evidence from crime scenes in the physical realm" (Conlan, Baggili, and Brietinger, 2016, p. 67). Anti-forensics includes data hiding (e.g., encryption, discussed further Module 10 on Privacy and Data Protection, and steganography, the practice of concealing secret information, images, audio recordings, videos, and other content within non-secret information, images, audio recordings, videos, and other content), artefact and/or digital device wiping (through, for example, software designed to delete specific or all data, and/or device content), and digital trail obfuscation (e.g., spoofing tactics, discussed in Module 2 on General Types of Cybercrime; data misidentification, misinformation and/or fabrication; and the use of proxy servers, which acts as a gateway or an intermediary between requests from Internet-connected digital devices to other servers) (Shanmugam, Powell, and Owens, 2011; Maras, 2014; Brunton and Nissenbaum, 2016; Liskiewicz, Reischuk, and Wolfel, 2017). The use of anti-forensics techniques challenges digital forensics efforts (Caviglione, Wendzel, and Mazurczyk, 2017).
Want to learn more?
- Conlan, Kevin, Ibrahim Baggili, and Frank Breitinger. (2016). Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy. Digital Investigation Vol. 18, 66-75.