Wednesday, January 28, 2009

ISSUES IN DIGITAL EVIDENCE INVESTIGATION

Cyber crime is an illegal electronic operation that targets the security of computer systems and data processed by them. Hacking, cyber fraud, phishing, identity and data theft come under cyber crime. Bank accounts can be hacked and credit card details can be stolen. When such cyber crimes are committed, we need digital evidence investigators to catch the culprits. Though cyber forensics is doing a great deal to find out who is responsible for misusing computer systems, it faces many issues that have to be handled with care. Listed below are some issues in cyber forensics.


  1. A digital evidence investigator must keep in mind the privacy and secrecy of the clients’ data and information while performing the investigation. But in some cases when the information has to be produced as evidence in the court of law to prove a crime, it is not possible for the cyber forensics expert to maintain the secrecy and privacy of the clients’ information.
  2. Sensitive data and information that are very important to the client may be lost or damaged while finding evidence. But it is the duty of the expert to take additional care to ensure that the possible evidence is not destroyed or damaged. Typically this involves making a forensic image or forensic copy of the original media and conducting the analysis on the copy rather than the original.
  3. While the investigations are on, it is possible that some malicious computer programs or computer viruses are released into the computer system. These viruses may corrupt the existing software and they may have the potential to damage the hardware system too. It may be necessary to use high quality anti-virus software before the investigation is commenced.
  4. Once the evidence is found, it must be preserved very carefully. It must be protected against any kind of mechanical and electro-magnetic damage. Any evidence found relevant to the situation at hand will need to be extracted from the working copy media and then typically saved to another form of media as well as printed out. The information that is obtained as evidence is the responsibility of the computer forensic team.
  5. When the case is on, the evidence information may be stored in court and, in some cases, the concerned parties may not be able to use that information. This may affect the business operations. In order to avoid causing any inconvenience and loss to the parties involved, the digital evidence investigator must make sure that justice is delivered as soon as possible.
  6. Whatever is done during the analysis has to be documented along with the findings. The findings and reports need to be based on proven techniques and methodology, and any other competent investigator should be able to duplicate and reproduce the results. It is also important that the information acquired during the analysis is ethically and legally respected.
  7. The operations cost of digital evidence investigations may in some cases exceed that of regular investigations.


In spite of all these issues, cyber forensics or digital evidence investigation has gained a lot of importance in today’s computer world largely due to its vast application in varied situations.


By-line:

This post was contributed by Holly McCarthy, who writes on the subject of forensic science careers. She invites your feedback at hollymccarthy12 at gmail dot com


Wednesday, January 14, 2009

Digital Evidence Investigators Required to be Licensed PI's!

We are witnessing a very interesting and disturbing trend in the digital evidence domain. Many states are enacting or amending legislation that will require anyone conducting any type of an "investigation" where a computer is involved to be licensed as a Private Investigator – Michigan being one of the latest examples. This is interesting as it was predicted several years ago that, unless the digital evidence community came up with some sort of gold standard/professional designation with a professional code of ethics, the ability to censure unethical professionals etc. the government would intercede with a less than perfect knee jerk reaction in order to protect consumers of these services.

The American Bar Association has taken a stand on this issue and the Science & Technology Law Section has issued a resolution arguing against this requirement:

AMERICAN BAR ASSOCIATION ADOPTED BY THE HOUSE OF DELEGATES AUGUST 11-12, 2008

RECOMMENDATION

RESOLVED, That the American Bar Association urges State, local and territorial legislatures, State regulatory agencies, and other relevant government agencies or entities, to refrain from requiring private investigator licenses for persons engaged in:

computer or digital forensic services or in the acquisition, review, or analysis of digital or computer-based information, whether for purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court; or

network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.

FURTHER RESOLVED, That the American Bar Association supports efforts to establish professional certification or competency requirements for such activities based upon the current state of technology and science.

Unfortunately it appears that most states are ignoring the advice of the scientific and legal community. The cynical side of my nature wonders whether the motivation for moving toward the PI License requirement is driven primarily by an economic motive (it appears that the PI community has a strong lobbying presence in many of the states that have already passed these requirements) as opposed to any real concern over an unregulated "industry" and consumer protection.

This issue is shaping up to be a watershed event for the digital evidence community and the final outcome will have a long lasting impact on this maturing field.

In case you were wondering, there is a concerted effort underway to address the issue of a neutral, board-like certification for digital evidence professionals supported by the forensic science accreditation board. The Digital Forensics Certification Board (www.DFCB.org), housed at the University of Central Florida's National Center for Forensic Science, will offer its certification exam early in the spring of this year. This non-partisan body represents the collective effort of law enforcement, private sector, government, military and academia. For the sake of full disclosure, yes, I am part of this effort.

More information about this effort will be presented at the Digital Sciences & Multimedia Section of American Academy of Forensic Sciences Annual Meeting in Colorado this February.

Saturday, December 13, 2008

SWGDE's position on standards and controls for computer forensics

The Scientific Working Group on Digital Evidence (SWGDE), in response to a series of articles by John Barbara that appeared in Forensic Magazine:

http://www.forensicmag.com/articles.asp?pid=138

has taken a very interesting stance. In a published document, the SWGDE claims that computer forensics is different from other forensic sciences because in computer forensics "false positives are non-existent", and that controls are therefore not applicable to this field.

I am deeply troubled by what I consider to be a false belief system: that computer forensics and its tools are infallible. This position is not supported by the larger scientific community, and in fact numerous examples are available that contradict it (e.g., orphan files and folders in NTFS, misrepresentation from data carving).

Equally disturbing is the notion that has been proffered that somehow using a hashing algorithm to verify the integrity of a forensic copy of the original is a control against false positives at the data abstraction and presentation layer during the analysis and examination phases.

Most of the examples of false positives occur due to an error in the data abstraction layer. Since we rely on tools (software) to abstract the data (we cannot see the ones and zeroes directly), an error in the tool becomes problematic, as we trust the tool's output. To date, none of the commercial computer forensic tool vendors are willing to share the error rates of their tools, so we are left to experimentation in order to try and determine this for ourselves.
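As an added illustration of the distinction drawn above (example code written for this page, not from the original post or from SWGDE), the following Python models the two layers separately: an acquisition hash check that confirms a copy is bit-identical, and a data-abstraction (parsing) step in which a deliberate byte-order defect produces wrong records from that same verified copy. It also shows the kind of experimental control the post alludes to: running the tool over media of known content and counting its errors. The record format is invented for the example.

```python
import hashlib
import struct

# Constructed toy record format, invented for this example only:
# each record is a 4-byte little-endian Unix timestamp followed by a
# 16-byte NUL-padded file name.
REC_LEN = 20

def build_image(records):
    """Produce the 'original media' bytes from known ground truth."""
    return b"".join(struct.pack("<I16s", ts, name.encode().ljust(16, b"\0"))
                    for ts, name in records)

def verify_copy(original, copy):
    """Acquisition-integrity check: the hashes match only if the copy is
    bit-for-bit identical. This says nothing about how a tool will later
    interpret those bits."""
    return hashlib.sha256(original).digest() == hashlib.sha256(copy).digest()

def parse_records(image, endian="<"):
    """Data-abstraction layer: turn raw bytes into (timestamp, name) records.
    endian='<' is correct for this format; endian='>' models a tool defect
    that reads each timestamp with the wrong byte order."""
    out = []
    for off in range(0, len(image) - REC_LEN + 1, REC_LEN):
        ts, raw = struct.unpack(endian + "I16s", image[off:off + REC_LEN])
        out.append((ts, raw.rstrip(b"\0").decode()))
    return out

def abstraction_errors(image, ground_truth, endian):
    """Experimental control: run the tool over media of known content and
    count the records it reports that differ from the truth (false positives)."""
    parsed = parse_records(image, endian)
    return sum(1 for got, want in zip(parsed, ground_truth) if got != want)

# Known ground truth (constructed) and a faithful forensic copy of it.
TRUTH = [(1230768000, "report.doc"), (1231200000, "photo.jpg")]
ORIGINAL = build_image(TRUTH)
COPY = bytes(ORIGINAL)

def demo():
    """Returns (copy_verified, errors_with_correct_tool, errors_with_buggy_tool)."""
    copy_ok = verify_copy(ORIGINAL, COPY)          # True: integrity holds
    good = abstraction_errors(COPY, TRUTH, "<")    # 0: correct tool
    bad = abstraction_errors(COPY, TRUTH, ">")     # 2: hash passed, output still wrong
    return copy_ok, good, bad

if __name__ == "__main__":
    print(demo())
```

The hash check passes in both runs; only the known-content control exposes the defective tool, which is why integrity verification cannot substitute for controls at the abstraction layer.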

I have weighed in on this issue with the SWGDE (full disclosure - I am a non-voting academic associate member). Since the SWGDE has publicly released their position paper, I think that in the spirit of open discussion and debate, we in the digital forensics community need to weigh in on this. I believe this is a watershed issue and it needs to be addressed.

Here is the link to the SWGDE position paper:

http://www.swgde.org/documents/swgde2008/SWGDEStandardsandControlsPositionPaper.pdf

Journal of Digital Forensic Practice

As the Editor-in-Chief of the Journal of Digital Forensic Practice, I would like to announce the latest round of a call for papers for the Journal. Author instructions for submissions can be found at:

http://www.tandf.co.uk/journals/journal.asp?issn=1556-7281&linktype=44

National Center for Forensic Sciences Announces Certification Body for Digital Forensics

By way of full disclosure, I am the Chair of the Certification Committee for this Body. This effort is an indirect result of the AAFS recognizing the new section of Digital and Multimedia Sciences.


Certification of Digital Forensics Professionals - Becomes a Reality



Introduction to Certification
The Digital Forensics Certification Board (DFCB) will offer digital forensics practitioners the opportunity to achieve a professional certification. DFCB is headquartered at the National Center for Forensic Science at the University of Central Florida’s Research Foundation, in Orlando. This certification will require more than paying a fee and passing a test; successful completion of the certification process will require a peer-group validation of knowledge, skills and abilities in the analysis and evaluation of digital evidence. Certification will be based on successfully meeting core competency requirements identified by a community of experts.
Attaining certification will require strict adherence to an ethics component. Continuing education and other related professional activities will be required for all digital forensics professionals recognized by the DFCB.



Certification and Application Overview
Professional core competencies in digital forensics will be evaluated in the application and examination process: foundation knowledge, acquisition knowledge, examination knowledge, analysis knowledge and reporting (written and testimonial) knowledge. The “Founders” graded application process will begin in the fall of 2008 and continue to the end of the calendar year. One type of certification will be offered for both managers and practitioners: the Digital Evidence Practitioner (DEP) Certification will include those who are practitioners and managers in digital evidence programs in law enforcement or the private sector. For applicants to qualify for the DEP certification under the Founders provision, an applicant must provide evidence of digital evidence practical experience. Note that, in general, an applicant’s experience should include a mixture of both digital forensic acquisitions and analyses. A total of at least five (5) years' experience is required, which will include full-time practical experience conducting digital forensics. One year of current experience in the last three years is required to apply for practitioner status.



Goals and Objectives
The goals and objectives of the DFCB are as follows:

1. To promote trust and confidence in the Digital Forensics profession
2. To provide an objective certification process in digital forensics which will help the maturation of digital forensics as a science
3. To encourage, promote, aid, and affect the voluntary interchange of data, information, experience, and knowledge about methods and processes among the membership of DFCB
4. To establish, encourage, and enforce observation of a Code of Ethics and Standards of Professional Conduct
5. To publish and distribute books, pamphlets, periodicals, papers and articles supportive of activities and purposes of DFCB
6. To establish and conduct such committees, bureaus, and offices as are necessary and incidental to the activities of DFCB
7. To conduct surveys, studies, hold conferences, symposiums, seminars, and forums
8. To arrange for the presentation of lectures and papers on matters and problems of interest
9. To foster, promote, encourage, study, research, facilitate discussion, collect and disseminate information of service or interest to the members of DFCB or the public at large
10. To conduct (such other) related activities as may be necessary, desirable, or incidental to gaining recognition of accomplishments in the field of investigations and analysis involving advanced technologies within government, business and academia.

Every person certified by DFCB will be required to demonstrate excellence, integrity, and objectivity in every forensic analysis where conclusions are formulated and reported for presentation in the judicial system.

For more information, please contact:

Sam Guttman – DFCB President sguttman@mail.ucf.edu
Mark Pollitt – DFCB Vice-President mpollitt@mail.ucf.edu
Carrie Whitcomb – Director, NCFS whitcomb@mail.ucf.edu
Telephone number for all officers: 407-823-6469

NIJ Announces New Round of Funding for Electronic Crime & Digital Evidence

The NIJ has finally posted their RFP for funding related to E-Crimes and Digital Evidence Recovery!

http://www.ojp.usdoj.gov/nij/funding/current.htm

Welcome to My Blog


Welcome to my blog on all things related to Cyber Forensics. I intend this blog to be a resource to discuss what we are currently doing in the field of digital forensics and digital evidence. Many of my students requested a resource that they could go to to discuss and keep up to date on happenings in the field. I figured X-mas break was a good time to start the blog!

As an educator, program chair, research scientist, journal editor-in-chief (shameless plug – Journal of Digital Forensic Practice) and committee board member at the national and international level, I hope to share what is current and maybe more importantly, what is coming down the pipe.

I hope this blog encourages frank and open discussion and allows us to shine a light on this burgeoning scientific field. While vendor responses etc. are encouraged, this is not a venue for direct or indirect marketing. No exceptions.