STUDY UNIT 8: Aids and experts used to investigate crime, irregularities and transgressions: digital forensics {362 to 393}
Data is accessed for the purposes of:
= imaging it for later forensic examination and analysis
= performing a live forensic examination or incident response process
= examining and analysing the contents of a forensic image made of the original data.
Repeatability
is one of the primary means by which forensic scientists validate each other's results and thus combat the occurrence of scientific fraud. It can lead to the formalisation of scientific standards into commercial products.
Identifying the potential sources of digital evidence
requires investigators and digital forensic examiners to identify potential sources of digital evidence so that these can either be seized and forensically imaged and examined off-site, or forensically imaged on site.
An example of reconstructing an event
would be to determine exactly how a hacker gained unlawful access to a computer network, and what they did on that network.
How does "reconstruction" apply to digital evidence
Dates and times relating to data, file systems and network communications can be used to show sequences of events in computer systems.
Examples of digital evidence include
= digital photographs
= digital videos (including CCTV footage)
= emails
= text messages (including SMS, MMS, BBM, WhatsApp, etc)
= websites and web pages
= documents
= spreadsheets.
How does "classification/individualisation" apply to digital evidence
File systems, partitions and individual file types have characteristics that allow for their classification, eg:
= partition tables, which define partitions
= file allocation tables, master file tables or inodes, which define certain file systems
= internal data structures of files, which define what type of file they are.
Individualisation can be achieved through the use of one-way mathematical hashing such as MD5 and SHA-1 to demonstrate the uniqueness of the data.
The scientific analysis method used in digital forensic science
Gather information and make observations > Form a hypothesis to explain observations > Evaluate the hypothesis > Draw conclusions and communicate the findings
s 15(2) of the Electronic Communications and Transactions Act
Guides a court in how to evaluate the evidence. A key factor to be considered in this regard is the reliability of the digital evidence and how its integrity was maintained.
The post-examination phase's 5 processes
1. Results of examination and analysis subjected to peer review and quality assurance
2. Findings of examination documented in detail
3. Examination report or affidavits subjected to peer review and quality assurance
4. Examination report or affidavit provided to requesting party
5. Testifying about findings at court hearing
Common mistakes by digital forensic examiners and investigators that can render digital evidence inadmissible include:
= failure to create and maintain the proper documentation through all stages of the digital forensic process
= the inadvertent modification of digital evidence
= failure to maintain the chain of custody
= failure by the digital forensic examiner or investigator to know when they have reached the limits of their knowledge and to ask for advice.
5 processes of the examination phase
1. Confirm examination parameters
2. Authenticate digital evidence provided
3. Process the digital evidence
4. Examine digital artefacts found
5. Analyse the digital artefacts that are relevant to the case
The Association of Chief Police Officers in the United Kingdom developed four basic principles for computer-based digital evidence to aid in the acceptance of digital evidence and the forensic examination thereof in a court of law. These principles have become widely accepted in the digital forensics discipline.
1. No action taken by an investigator or examiner should change data held on a computer or on storage media which may subsequently be relied upon in court.
2. In circumstances where an investigator or examiner must access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based digital evidence must be created and preserved, and it must be detailed enough to allow another independent digital forensic examiner to use these documents and achieve the same results by following the same processes.
4. The person in charge of an investigation has overall responsibility for ensuring that these principles are adhered to.
The examination phase of the digital forensic process consists of 5 specific processes that need to be completed before a thorough digital forensic examination has been conducted.
1. confirming the legal parameters of the examination as established by the legal authority that was used to acquire the digital evidence
2. authenticating the forensic images that were received for examination
3. processing the forensic images using standardised digital forensic processes and methods
4. examining and identifying the individual digital artefacts (individual files or parts of a file that contain probative evidence) that were uncovered during the processing of the forensic image, to determine and confirm their relevance to the case under investigation
5. analysing and individualising the digital artefacts that were identified as relevant, and interpreting this evidence.
Pre-examination phase's sequential 5 processes
1. Legal authority/mandate to conduct acquisition and examination
2. Identify the legal elements of all allegations
3. Identify the devices or media containing digital evidence
4. Seizing and transporting the evidence
5. Acquisition of digital evidence
= Authentication of digital evidence
The computers and other devices that form part of cyberspace can play a number of roles in cybercrimes:
= As the target of a criminal act
= As the instrument with which a criminal act is committed
= As a repository of digital evidence of a criminal act that has been committed
The nature and features of digital evidence mitigate the contamination risk through the following:
= Digital evidence can be duplicated exactly, and a copy can be examined as if it were the original. Thus the copy can be examined without the need to examine the original data and potentially alter it.
= Using mathematical one-way hashing allows any alteration of digital evidence to be detected by comparing the hash values of the copies to that of the original.
= Digital evidence is difficult to destroy. Simply deleting the files and data does not actually remove them. Traces remain, which can be recovered using specific forensic procedures.
= When criminals try to destroy digital evidence, copies and associated latent evidence can still remain in places they are not aware of, due to the nature of how modern computer systems, servers and networks work.
The scientific analysis method in digital forensic science involves four distinct stages:
= Gathering information and making observations about the evidence. This phase involves verifying the integrity and authenticity of the evidence, reviewing the evidence, performing data carving and keyword searching. This phase is typically known as a digital forensic examination.
= Forming a hypothesis to explain the observations in the previous stage.
= Evaluating the hypothesis. This phase involves testing the hypothesis to determine if it is true, and if it is not, revising the hypothesis and looking at further tests.
= Drawing conclusions and communicating findings.
When seizing cellphones, investigators should follow these steps to ensure the integrity of the digital evidence contained on them:
= Handle the cellphone like any normal piece of physical evidence so as to preserve fingerprint and DNA evidence.
= Under no circumstances should the cellphone be accessed by the investigator, as this will alter evidence on the phone.
= If the cellphone is powered on, it must be placed in a Faraday bag or wrapped in several layers of aluminium kitchen foil. This will however increase the power consumption of the phone and drain the battery quickly, so it is vital that the phone be transported to the digital forensic laboratory for examination as quickly as possible.
= If the phone is off, do not switch it on.
= The power cables and connectors for the cellphone should be seized.
= Seal the cellphone and all its cables and power supply in an appropriate evidence bag.
= The owner or user of the cellphone should be interviewed to determine whether or not they use an access code to access the phone. If possible, the investigator should obtain this code.
= When transporting the items seized, it is crucial that they be secured and not placed near any strong magnetic sources such as car speakers. The items should also be protected from physical shocks. They should be kept clean of excessive dust and heat and should not be exposed to any liquids.
Broad tests which should be applied to any forensic evidence include the following:
= Is the evidence authentic? Does the evidence actually come from where it is said to have come from?
= Is the evidence reliable? Can the story that the evidence tells be believed, and is that story consistent? Are there any reasons to doubt that the computer on which the digital evidence was found was working correctly?
= Is the evidence complete? Is the story that the evidence tells complete? Are there any other stories that the evidence may tell that may have a bearing on the case?
= Is the evidence free from interference and contamination?
The three most common myths about cybercrime are:
= It is a new type of crime
= It is simply too complex
= It is not a serious crime
The digital forensic process can be divided into three phases
= pre-examination phase
= examination phase
= post-examination phase
To ensure that digital forensic evidence meets these tests, any approach to digital forensic science, by both investigators handling potential sources of digital evidence and digital forensic examiners, should encompass the following considerations and processes:
= Procedures that are well defined to address the various digital forensic tasks performed during the various phases of the digital forensic process
= Anticipation that the methodology used will be criticised by the opposition's legal practitioner in court on the grounds of failing to demonstrate authenticity, reliability and completeness, and that it has possibly been contaminated as a result of the forensic examination. To counter this, detailed documentation must be maintained for all processes and actions related to the evidence in question.
= The possibility that repeat tests will be carried out, possibly by forensic experts hired by the other side.
= The necessity of checklists to support each methodology used, to ensure consistency.
= Anticipation of any problems relating to formal legal tests of admissibility by the opposition's legal practitioner in court. To counter this, all the relevant legal authorisations must be obtained prior to any examination and detailed documentation must be kept.
= The acceptance that any method used could almost certainly be subject to later modification or improvement because technology in the field of digital forensics changes so rapidly. This is especially relevant when cases take a long time to go to trial from the time that the digital forensic examination has been performed. In the time period leading up to the trial, new methods, tools or techniques could have been developed that could give more accurate results.
If a computer is powered on and no digital forensic examiner is present, the following steps should be taken when seizing digital items:
= Secure the area in which the computer is found, and move any people on the scene away from the computer and any of its wires and cables, as well as from any power plugs.
= If the computer is connected to a network, whether via a cable or wireless connection, immediately contact a digital forensic examiner (it is advisable for the investigator to always have the telephone numbers of several digital forensic examiners on hand) for advice on how to proceed.
= If the computer screen is on, photograph the screen and its contents. If the screen is off, move the mouse or touch the touchpad (in the case of a laptop computer) to restore the screen, then photograph it.
= Label and photograph all the components of the computer, including the cables and the wall sockets and computer ports where they are plugged in, or at the very least draw a diagram, so that the computer set-up can be reconstructed in the digital forensic laboratory at a later date.
= Remove the power supply from the back of the computer without closing down any programs or shutting down the computer. This will prevent any changes from being made to any running programs or any other data on the computer.
= Unplug the computer from the power socket. If the computer is a laptop, remove the battery as well.
= Allow the equipment to first cool down before placing it into properly labelled evidence bags.
= Search the area surrounding the computer for diaries, notebooks or even pieces of paper which may contain user names and passwords for the computer.
= If the owner of the computer is present, they should be interviewed to try and determine whether there are any passwords used on the computer, and if so, the investigator should try to obtain these.
= Under no circumstances should the user or owner of the computer be allowed to access the computer while it is on, and the investigator should not act on any advice that they are given by bystanders or the suspect in relation to the computer.
If the computer is not powered on, the following steps should be taken when seizing the items:
= Secure the area in which the computer is found, and move any people on the scene away from the computer and any of its wires and cables, as well as from any power plugs.
= Check to ensure that the computer is actually off. The monitors may simply be switched off, or the computer may be in sleep mode.
= Label and photograph all the components of the computer, including the cables and the wall sockets and computer ports where they are plugged in, or at the very least draw a diagram, so that the computer set-up can be reconstructed in the digital forensic laboratory at a later date.
= Unplug the computer from the power socket. If the computer is a laptop, remove the battery as well.
= Seal all the components into properly labelled evidence bags.
= Search the area surrounding the computer for diaries, notebooks or even pieces of paper which may contain user names and passwords for the computer.
= If the owner of the computer is present, they should be interviewed to try and determine whether there are any passwords used on the computer, and if so, the investigator should try to obtain these.
= Under no circumstances must the investigator switch the computer on.
Principles of forensic science
= Transfer
= Divisibility of matter
= Identification
= Classification/Individualisation
= Association
= Reconstruction
Digital evidence can answer various questions
= When did something happen in a time sequence or timeline? For example, when was a particular email sent or read, or when was a particular file printed? In a suicide investigation, the digital forensic investigator could establish that the suicide note was created on the victim's laptop several hours after their actual death. This could prove that it was not a suicide but possibly a murder.
= Who interacted with whom? For example, digital forensic evidence can be used to establish links between two parties, including which users were chatting in an internet chat room or had sent emails to each other, or establishing who a child pornographer had been talking to online or shared child pornography with.
= What was the origin of a particular digital evidence item? For example, on which particular computer did a particular document originate?
= Which user account was responsible for a particular transaction or event? For example, which user account was logged onto the computer when money was transferred from one bank account to another by means of internet banking?
= How did this particular offence take place? For example, reconstructing how a hacker managed to gain access to a secure computer network.
The post-examination phase of the digital forensic process comprises five specific processes that need to be completed. These processes all ultimately lead to the presentation of the digital evidence in court.
= a peer review of the results of the digital forensic examination process to ensure accuracy and the quality of the processes followed and the interpretations made
= documenting the entire examination in detail in an affidavit or report; this must be done by the digital forensic examiner
= reviewing the digital forensic examiner's affidavit or report for quality assurance purposes
= providing the finalised affidavit or report to the investigator who requested the digital forensic examination
= presenting the digital forensic examiner's evidence in court.
In the context of a digital forensic examination, appropriate authority includes:
= a search warrant or Anton Piller order (see section 7.7 in chapter 7)
= a subpoena or other court order
= consent from a person who can legally consent to the acquisition and examination of digital evidence.
Common devices and media
= desktop computers
= portable computers (including laptops, netbooks and tablets)
= external and portable hard drives
= cellphones and smartphones
= portable media players
= USB thumb drives (memory sticks, flash drives)
= digital cameras
= flash memory cards
= CD or DVD disks.
The essential elements of forensic science include the ability of the scientist to
= know the hypothesis or question to be tested
= establish that the items provided are suitable for the requirements of the case at hand
= confirm that the type of examination has been correctly selected
= confirm that the examination has been carried out competently
= summarise and collate the results of the examination
= interpret the results of the examination in accordance with established scientific principles
= consider any alternate hypotheses
= prepare a report or affidavit based on the findings of the examination
= present evidence in court
= ensure that all documentation used in the process is fit for the purpose for which it is intended.
The pre-examination phase in the digital forensic process consists of 5 specific processes that need to be completed before any digital evidence can be examined by a digital forensic examiner. These are:
= obtaining the legal authority or mandate to acquire and examine the digital evidence
= identifying all the legal elements of all allegations to be investigated in terms of the legal authority
= identifying all possible devices or media that may contain potentially relevant digital evidence, in terms of the legal authority
= seizing and transporting the evidence
= forensic acquisition of the digital evidence from the identified devices or media
= forensic authentication of the digital evidence acquired.
The scientific process of digital forensics consists of the following components:
= search authority
= chain of custody
= imaging/hashing function
= validated tools
= analysis
= repeatability (reproducibility) (quality assurance)
= reporting
= possible expert presentation.
Uncommon devices and media
= server computers
= printers with an internal memory or a digital media storage capacity
= telephone answering machines or telephones with these capacities built in
= digital voice recorders
= GPS devices
= digital video recorders
= dedicated computer game consoles.
The underlying fundamental processes remain the same for every digital forensic examination, but the following may differ:
= the data being examined
= the objectives of the investigation
= the resources available
= factors such as the skills, knowledge and experience of the digital forensic examiner
Identifying the legal elements to be proved
= The investigator must identify all the legal elements of each allegation they are investigating and brief the digital forensic examiner, so that the digital forensic examiner has a good idea of what digital evidence may be legally relevant to the case at hand.
= The legal authority also limits the scope of the potential digital evidence that may be used in subsequent legal proceedings.
= To ensure that only relevant digital evidence is ultimately presented in legal proceedings, investigators need to know the exact legal elements of each allegation they are investigating so that digital forensic examiners can be made aware of the types of digital evidence they should consider in their examinations.
Section 15(3) of the ECT Act requires a court to give due regard to:
= the reliability of the manner in which the data message (digital evidence) was generated, stored or communicated
= the reliability of the manner in which the integrity of the data message (digital evidence) was maintained
= the manner in which the originator of the data message (digital evidence) was established
= any other relevant factors.
Examination and analysis peer review
= The work of the digital forensic examiner should be peer-reviewed to check the processes used and the correctness of the interpretations made. This acts as a form of quality assurance to ensure that the court can rely on the digital evidence.
Physical evidence must also be collected according to procedures designed:
= to protect it from contamination or destruction
= to protect it from claims that it was tampered with or handled improperly
= to establish and preserve the chain of custody.
Association
Association is an inference of contact between the source of the evidence and a target.
Classification/Individualisation
Classification is an attempt to determine a common origin, while individualisation uses a set of characteristics to uniquely identify a specimen.
How does "identification" apply to digital evidence
Description of the digital evidence in terms of:
= physical structure (eg the number of cylinders, heads and sectors of a computer hard drive)
= logical structure (eg an NTFS partition)
= location (physically on the storage device, and the logical path)
= content (eg an email or graphics file)
= metadata.
DIGITAL FORENSICS
Digital forensics involves the preservation, identification, extraction and documentation of digital evidence stored as data or magnetically encoded information.
Concealed devices and media
Electronic devices and storage media can be disguised, either commercially or through a process of 'modding', to look like something else. The use of wireless networking technology has also aided the concealment of certain electronic devices such as wireless routers and wireless network storage devices, and there have been examples of these devices hidden in ceilings or crawlspaces.
Ensuring the reliability of the digital evidence by cryptographic means such as mathematical hashes
Essentially, mathematical hashing is a digital forensic technique that creates a digital fingerprint of a single file or even of an entire digital storage medium. If even one bit of the data is changed, one will be able to determine that the data has been altered because the mathematical hash would no longer match the original one. While it is generally the responsibility of the digital forensic practitioner to analyse the hashing functions, investigators can still play a crucial role in ensuring that the courts would give due evidential weight to the digital evidence.
Identification
Identifies the nature of the evidence at a physical and structural level.
Seizing and transporting the evidence
It is essential that the investigator follows the correct procedure when carrying out such search-and-seize operations.
Transfer
Locard's exchange principle: whenever two objects come into contact with each other, there is a reciprocal transfer of trace evidence or information from one to the other.
Reconstruction
Reconstruction is the ordering of associations in time and space.
Documenting the findings
The digital forensic examiner documents the entire digital forensic examination for court purposes. This record must be detailed enough so that another digital forensic examiner could follow the entire process and reach the same findings. The digital forensic examiner records the examination in the form of either an affidavit or a report.
Testifying
The entire digital forensic process is concluded when the digital forensic examiner's evidence is presented and tested in court.
Once the electronic devices containing potential digital evidence have been identified, a digital forensic examiner should make a forensic image of the data.
A digital forensic examiner acquires one or more forensic images of the data contained on the electronic device using a variety of specialised digital forensic software and hardware. This can be done either on site or off site. A forensic image is an exact duplicate of all the data contained on the electronic device. From a mathematical point of view the image is identical to the original. It is thus considered original evidence and not a copy.
Digital evidence includes
any computer hardware (containing data), software or data that can be used to prove who, what, when, where, why or how (the five Ws and the H) the incident being investigated occurred.
Without the necessary and relevant authority to image or examine and analyse digital data
any digital forensic process applied in relation to that data would amount to a contravention of s 86(1) of the Electronic Communications and Transactions Act.
Divisibility of matter
The ability to impute characteristics to the whole from a separated piece.
In terms of digital evidence, investigators should never
access any computers, cellphones or other electronic devices themselves to look for possible information of value, as they will very likely alter the evidence at a fundamental level. As stated above, this is the digital equivalent of trampling all over a physical scene of incident.
Digital evidence and the concept of a data message
as defined in terms of the Act are synonymous. Section 1 of the Electronic Communications and Transactions Act defines data as 'an electronic representation of information in any form', and a data message as 'any data that is generated, sent, received, or stored by electronic means'.
Verification is defined
as the confirmation of a validation with forensic laboratory tools, techniques and procedures.
Evidence
can be defined as anything that tends to logically prove or disprove a fact in issue in a judicial case.
How does "Association" apply to digital evidence
Association can be determined through interactions in the system, eg proving that a particular USB flash drive had been attached to a particular Windows computer through an analysis of the registry, and then showing that a particular file was copied to it through link files.
Confirming the examination parameters
The digital forensic examiner confirms the legal parameters of the examination to ensure that the correct legal authority is in place and that all the elements of the legal issues being investigated are understood. This is done again at this stage because it often happens that the digital forensic examiner who examines the digital evidence is not the same person who acquired it.
Admissible evidence
is evidence that meets all regulatory and statutory requirements and that has been correctly obtained and handled.
How does "divisibility of matter" apply to digital evidence
Digital duplicates are representative of the original evidential item.
How does "Transfer" apply to digital evidence
Digital evidence exhibits transference in its interactions.
Report/affidavit peer review
The digital forensic examiner's affidavit or report should then be reviewed for accuracy before it is released to the investigator who requested the digital forensic examination. This acts as a final quality assurance check before the digital forensic examiner's report or affidavit is released.
Section 15 of the Electronic Communications and Transactions Act
governs the admissibility and weight of data messages and, subsequently, digital evidence.
Digital evidence is defined as
information of a legal probative value that is either stored or transmitted in digital format.
Metadata
is 'data about data', for example the date that a particular file was created is a form of metadata.
A digital forensic examiner
is a forensic scientist who specialises in the forensic examination of digital evidence and the devices containing digital evidence. Generally, they have a degree in computer science or similar field, and often a postgraduate qualification in digital forensics. They also have extensive specialist training, not only in digital forensics but also in general information technology.
The problem with digital forensic evidence
is that it is often technically complex. The legal system's lack of technical awareness has led some presiding officers to make inappropriate assumptions because they are not always in the best position to evaluate the reliability of the digital evidence. The best way in which this can be addressed is to make use of experienced and well-trained digital forensic scientists who can interpret and explain the evidence to the court as expert witnesses.
Definition of digital forensics by Zatyko
is that it is the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting and possible expert presentation.
The most common mistake leading to digital evidence being ruled inadmissible in court
is that it was obtained without the correct legal authorisation.
Fundamental tenet of digital forensics
is repeatability or reproducibility; this scientific analysis method acts as a safeguard against drawing incorrect conclusions due to incomplete or inaccurate methods.
Key element in the various definitions of digital forensics
is the scientific nature of digital forensics. This is a strong indication that digital forensics is considered a scientific, or at the very least an applied scientific, discipline.
A key factor in the forensic science process used in digital forensics
is to ask one or more specific investigative or legal questions, which are ultimately translated into scientific questions. These questions should be asked by the forensic scientist in response to questions posed by the investigator in the case, before any evidence is examined or analysed by the forensic scientist.
Definition of digital forensics
It is the science of acquiring, preserving, retrieving and presenting data that has been processed electronically and stored on computer media; or it is the use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events, or helping to anticipate unauthorised actions.
For evidence to be usable in court proceedings,
it must be both relevant and admissible.
Section 15(1) of the ECT Act states
that a data message (and thus digital evidence) cannot be ruled inadmissible simply by virtue of the evidence being in an intangible digital format.
Section 86(1) of the Electronic Communications and Transactions Act states
that any person who intentionally accesses or intercepts any data without authority is guilty of an offence. The maximum penalty for the contravention is a fine or imprisonment for a period of no longer than 12 months.
Section 15(2) of the ECT Act states
that information in a digital form must be given due evidential weight.
Cybercrime is defined as
the abuse and misuse of computers and information systems connected to the internet that result in either direct or indirect losses. The key aspect of the definition is that the internet or other networked computer systems are the environment in which these crimes take place.
Validation is defined as
the confirmation by way of an examination and a demonstration of objective evidence that a particular forensic tool, forensic technique or forensic procedure functions correctly and as it was intended to function.
Analysing relevant data artefacts
The digital forensic examiner needs to analyse these data artefacts to answer the 'who, what, when, where and how' questions, and to test this evidence in terms of the scientific method. It is during this step that the data artefacts are interpreted by the digital forensic examiner to explain their relevance to the case.
Section 15(3) of the ECT Act sets out
the guidelines for a South African court when assessing the evidential weight of digital evidence.
Protected devices and media
Those common and uncommon devices and media that are designed to prevent unauthorised access or usage through the use of some security mechanism. These can include biometric devices such as fingerprint readers or iris scanners, or devices that require a security access 'token' such as an encoded access card or a dongle.
Authentication of forensic images
The purpose is to authenticate the forensic image of the digital evidence and to verify mathematically that it is an identical duplicate of the source data. If the forensic images are not authenticated, it could mean that the digital evidence has not all been correctly acquired. This process is performed by a digital forensic examiner. If it is not done, the digital evidence could easily be challenged in court.
The objective of digital forensics
is to recover, analyse and present digital evidence in such a way that it is usable as evidence in a court of law.