Which of the following is not a traditional problem in computer investigations?

Computer Forensics

Scott R. Ellis, in Computer and Information Security Handbook, 2009

3. Computer Forensics in the Court System

Computer forensics is one of the few computer-related fields in which the practitioner can expect to spend some days of every year in a courtroom. With that in mind, the following sections are drawn from the author’s experiences in the courtroom, the lessons learned there, and the preparation leading up to giving testimony. To most lawyers and judges, computer forensics is a mysterious black art. Demystifying and explaining results in plain English is therefore as much a part of the discipline as conducting the examination itself. The growing prevalence of electronically stored information (ESI) in the courtroom, and the general unfamiliarity with how it must be handled as evidence, prompted the sidebar “Preserving Digital Evidence in the Age of eDiscovery.”

Preserving Digital Evidence in the Age of eDiscovery

Society has woken up in these past few years to the realities of being immersed in the digital world. With that, the harsh realities of how we conduct ourselves in this age of binary processing are taking form in both new laws and new ways of doing business. In many actions, both civil and criminal, digital documents are the new “smoking gun.” With federal rules that make digital media broadly discoverable, the sanctions for mishandling such evidence are now a fact of law and a major concern.

Any of us could at some point become involved in litigation. Divorce, damage suits, patent infringement, intellectual property theft, and employee misconduct are just some of the kinds of cases we see. When it comes to digital evidence, most people simply aren’t sure of their responsibilities. They don’t know how to handle the requests for, and subsequent handling of, the massive amounts of data that can be crucial to a case. Like the proverbial smoking gun, digital evidence must be handled properly.

Recently, a friend forwarded us an article about a case ruling in which a routine email exhibit was found inadmissible due to authenticity and hearsay issues. What we should take away from that ruling is that electronically stored information (ESI), just like any other evidence, must clear standard evidentiary hurdles. Whenever ESI is offered as evidence, the following evidence rules must be considered.

Most courts recognize four types of evidence. Computer files that are extracted from a subject machine and presented in court typically fall into one or more of these types:

Documentary evidence is paper or digital evidence that contains human language. It must meet the authenticity requirements outlined below. It is also unique in that it may be disallowed if it contains hearsay. Emails fall into the category of documentary evidence.

Real evidence must be competent (authenticated), relevant, and material. For example, a computer involved in a court matter would be considered real evidence provided that it has not been changed, altered, or accessed in a way that destroyed the evidence. The ability to use such an item as evidence may hinge on this, which is why a computer or digital media must be forensically preserved before anyone examines it.

Witness testimony. With ESI, the technician should be able to verify how he retrieved the evidence and that the evidence is what it purports to be, and he should be able to speak to all aspects of computer use. The witness must both remember what he saw and be able to communicate it.

Demonstrative evidence uses things like PowerPoint, photographs, or computer-aided design (CAD) drawings of crime scenes to demonstrate or reconstruct an event. For example, a flowchart that details how a person goes to a Web site, enters her credit-card number, and makes a purchase would be considered demonstrative.

For any of these items to be submitted in court, they each must, to varying degrees, pass the admissibility requirements of relevance, materiality, and competence. For evidence to be relevant, it must make the event it is trying to prove either more or less probable. A forensic analyst may discover a certain Web page on the subject hard drive that shows the subject visited a Web site where flowers are sold and that he made a purchase. In addition to perhaps a credit-card statement, this shows that it is more probable that the subject of an investigation visited the site on his computer at a certain time and location.

Materiality means that something not only proves the fact (it is relevant to the fact that it is trying to prove) but is also material to the issues in the case. The fact that the subject of the investigation purchased flowers on a Web site may not be material to the matter at hand.

Finally, competency is the area where the forensic side of things matters most. Assuming that the purchase of flowers from a Web site is material (perhaps it is a stalking case), how the evidence was obtained and what happened to it afterwards will be put under a microscope by both the judge and the party objecting to the evidence. The best evidence collection experts are trained professionals with extensive experience in their field, and the best attorneys understand this and use experts when and where needed. Spoliation (the loss, alteration, or destruction of evidence) results from mishandled ESI; spoliated data is generally inadmissible and can expose the responsible party to sanctions. It rests upon everyone involved in a case, IT directors, business owners, and attorneys alike, to get it right. Computer forensics experts cannot undo damage that has already been done, but if they are involved from the beginning they can prevent it from happening.

URL: https://www.sciencedirect.com/science/article/pii/B9780123743541000194

Data Hiding Forensics

Nihad Ahmad Hassan, Rami Hijazi, in Data Hiding Techniques in Windows OS, 2017

Differences Between Computer Forensics and Other Computing Domains

Computer forensics is considered a standalone domain, although it has some overlap with other computing domains such as data recovery and computer security.

Computer security aims to protect systems and data according to a specific security policy set by individuals or organizations, whereas computer forensics tries to explain how a security policy came to be violated. One of the aims of computer security is to protect user data and assure privacy through encryption and hiding techniques, whereas computer forensics tries to recover passwords, access encrypted files, discover hidden data, and recover deleted files and wiped disks for use as evidence.

Data recovery involves restoring data that was deleted by mistake or lost because of a power failure or hardware failure. The user usually knows what he or she is looking for when conducting data recovery; in computer forensics, by contrast, the investigator is searching for hidden data and intentionally deleted files for the purpose of using them as evidence at trial.

Data recovery shares many techniques with computer forensics, since it uses many of the same methods to restore data that has been lost, but the two differ in their final outcome and in the way it is reached. The ultimate goal of computer forensics is to acquire data in a lawful and verifiable way so that it can be submitted to a court of law.

URL: https://www.sciencedirect.com/science/article/pii/B9780128044490000063

Antiforensic Techniques

Nihad Ahmad Hassan, Rami Hijazi, in Data Hiding Techniques in Windows OS, 2017

Introduction

Computer forensics tools and techniques allow investigators to gather intelligence about computer users, find deleted files, reconstruct artifacts, and collect as much evidence as they can. The output of these tools must be handled by professional computer forensic analysts in order to be admissible in a court of law. Antiforensics, on the other hand, tries to reverse the process. It uses tools and techniques to make the investigation of computer crimes more difficult and time-consuming: intentional deletion of files, wiping of disk space to prevent data recovery, planting of false evidence to mislead forensic tools, inflating the volume of data that must be analyzed, and the use of data hiding and encryption to make uncovering secret data harder. The best compact definition of computer antiforensics comes from Dr. Marc Rogers of Purdue University, who defined it as follows:

Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct [1].
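The two sides just described, data recovery and forensics locating files that were deleted but not overwritten (the Data Hiding Forensics excerpt above) and antiforensic wiping that defeats such recovery (the list in this introduction), can both be shown with signature-based file carving. The following block is an added illustration written for this page, not code from Hassan and Hijazi's book or from any forensic tool; the raw "disk image" is constructed inline, and the embedded files are stubs that carry real JPEG and PNG magic bytes but are not valid images.

```python
"""Added example (not from any chapter on this page): signature-based file
carving over a raw byte image.

A file whose directory entry was deleted, but whose clusters were not reused,
can still be found by scanning for known header/footer byte patterns. A
region that was overwritten with zeros (wiped) before deletion yields
nothing, which is exactly why wiping is an antiforensic technique.

The image built by build_sample_image() is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# (kind, header, footer, max_len). max_len bounds the search so that a header
# whose footer was destroyed does not swallow the rest of the image.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 10 * 1024 * 1024),
]


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes


def carve(image: bytes) -> list[Carved]:
    """Scan the whole image for every signature and return the carved files
    in offset order. No file system metadata is consulted at all."""
    found = []
    for kind, header, footer, max_len in SIGNATURES:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            window_end = min(len(image), start + max_len)
            end = image.find(footer, start + len(header), window_end)
            if end < 0:
                pos = start + 1  # header without a footer: skip it, keep scanning
                continue
            end += len(footer)
            found.append(Carved(kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda c: c.offset)


def build_sample_image() -> bytes:
    """Constructed 'disk': filler, a deleted-but-intact JPEG stub, a PNG stub,
    and a 512-byte region whose former contents were wiped with zeros."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-stub-body" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-stub" * 3 + b"IEND\xae\x42\x60\x82"
    wiped = b"\x00" * 512  # once held a third file; nothing is left to carve
    return b"\x00" * 256 + jpeg + b"\xcc" * 300 + png + b"\x00" * 128 + wiped


def demo() -> list[tuple[str, int, int]]:
    """(kind, offset, length) of everything recoverable from the sample."""
    return [(c.kind, c.offset, len(c.data)) for c in carve(build_sample_image())]


if __name__ == "__main__":
    for kind, offset, length in demo():
        print(f"{kind:5s} at offset {offset:6d}, {length} bytes")
```

Two caveats a practitioner would add: real JPEGs often embed a thumbnail with its own FFD9 marker, so a production carver validates the structure rather than stopping at the first footer, and carving recovers file content only; the original name, path and timestamps lived in the file system metadata and have to be reconstructed separately, if at all.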

In relation to data hiding techniques, antiforensics includes every technique for concealing the fact that a steganography tool was used on the suspect machine. It also includes the protective measures used to delete user traces on that machine, such as browsing history, IP addresses, recently used programs, and anything else that could reveal the possible use of steganography tools or data hiding techniques to conceal secret data.

Broadly, antiforensics includes both data hiding and encryption techniques. In fact, this entire book is about one branch of computer antiforensic techniques. Data hiding techniques (with encryption counted as one way of obscuring data) are the most widely used and most advanced members of the antiforensics family. Despite their importance to computer security, few books about them have been published, and few of those take as practical an approach as the one in your hands.

In this chapter, we will practically teach you many techniques to hide your traces and make investigating your PC by professional computer forensic examiners very difficult and time-consuming. If the techniques presented in this chapter are combined with the appropriate data hiding and encryption techniques from the previous chapters, you will end up with a very strong approach to protecting your confidential data, one that is extremely difficult to break.

URL: https://www.sciencedirect.com/science/article/pii/B9780128044490000075

Making the Move into the Cloud

Raj Samani, ... Jim Reavis, in CSA Guide to Cloud Computing, 2015

Forensics and eDiscovery

Computer forensics and eDiscovery are relatively mature disciplines within traditional IT environments. When it comes to cloud computing, however, these disciplines are still in their infancy. Cloud computing brings a number of challenges to the forensic capture of data. First, there is the question of where the data is physically stored and how it can be gathered in a forensically sound way. There is also the dynamic nature of the cloud, and how to soundly capture threats, processes, and memory to support an investigation. In a cloud environment there is the further challenge of isolating the logs and other critical supporting evidence for one customer’s instance from those of all the other customers using the same Cloud Service Provider.

When engaging a Cloud Service Provider, the customer organization should ensure it fully understands what the provider can, and just as importantly cannot, provide in response to computer forensics and eDiscovery requests. With that information the customer organization should review its own computer forensics and eDiscovery processes and procedures and adapt them accordingly.

The Cloud Security Alliance’s research group on Incident Management and Forensics is working to develop guidelines on best practices for incident handling and forensics in a cloud environment.

URL: https://www.sciencedirect.com/science/article/pii/B9780124201255000054

A Glance at International Issues— Never Assume!

Ann D. Zeigler, Ernesto F. Rojas, in Preserving Electronic Evidence for Trial, 2016

Cross-Border Forensic Practices

Computer forensics practices in another country face the same procedural challenges as documentary evidence, to say nothing of the communications challenges of translating technical forensic concepts from one language to another.

Only in 2013 did the United States Department of Justice join with the National Institute of Standards and Technology (Dept. of Commerce) to begin the task of defining specific forensic practices in the United States, through the National Commission on Forensic Science. The National Commission on Forensic Science has begun developing standards for defining scientifically reliable guidelines for various forensic procedures, and for designing appropriate professional certifications for forensic service providers. This includes forensic collection and analysis of digital evidence.

It goes without saying that if computer forensics is not standardized within the United States, it is not standardized across the globe. As a result, any expectation by the International Team that digital evidence will be collected in a specific way in another country is an exercise in elevating stress. It is important to have a computer forensics consultant with good connections to the international professional organizations for highest-quality forensic practices. This prevents the ugly moment when your expert witness attempts to explain why digital evidence was handled badly during collection by your International Team, and is thus open to question.

URL: https://www.sciencedirect.com/science/article/pii/B9780128093351000129

Collecting and Preserving Digital Evidence

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Computer Forensic Information

Computer forensics is a field that is not only growing fast but changing fast as well. New techniques and technologies are being developed and proven all the time, and it's important that investigators keep up with the latest news in the field. There are several ways to stay current, including:

Reading computer security information available through government and computer security sites on the Internet.

Attending seminars and conferences that focus on computer crime and cybercrime, which may be hosted by law enforcement organizations or private companies. One such conference is the Techno-Security Conference, information about which is available at www.techsec.com.

Joining associations of computer forensic and cybercrime investigation professionals, such as IACIS (www.cops.org), the International High Technology Crime Investigation Association (http://htcia.org/), the High Tech Crime Consortium (www.hightechcrimecops.org), and others.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000157

Managing Information Security

John J. Fay, David Patterson, in Contemporary Security Management (Fourth Edition), 2018

Computer Forensics and Investigatory Activities

Computer forensics is an exciting field that combines security analysis, engineering, and knowledge of legal procedure in the collection and preservation of electronic evidence. Electronic evidence may include raw data, photographs, files, log data, network and software parameters, or computer state information. Because electronic information is volatile and subject to tampering, there are established procedures that must be followed to locate, extract, and preserve data so that it may be admissible as legal evidence. Such is the domain of the forensic computer analyst. Some organizations may find it necessary to hire and retain their own internal team of forensic analysts to handle serious issues ranging from employee theft, internal abuses of authority, and sexual harassment to corporate espionage. Electronic forensic investigations may also be needed to collect information that could later be handed to law enforcement, such as logs from systems that were hacked or compromised. Companies with a vested interest in confidentiality, government work, or maintaining secrets may retain a team of professionals to handle such matters internally rather than involve outside resources.
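The preservation procedures this paragraph refers to, and the demand in the eDiscovery sidebar above that real evidence be shown to be unchanged, rest on one mechanical step: hash the acquired image at acquisition time and re-verify the hash at every later handoff, so that the record shows exactly when, if ever, integrity was lost. The block below is an added illustration written for this page, not code from Fay and Patterson's chapter or from any forensic product; the custody record layout, the examiner names and the sample image bytes are all hypothetical.

```python
"""Added example (not from any chapter on this page): recording the
cryptographic hashes of an acquired evidence image and re-verifying them at
each custody handoff.

Assumptions, for illustration only: the image is a raw byte string held in
memory and SAMPLE_IMAGE is constructed. A real workflow hashes the source
device and the image file during acquisition, behind a write blocker, and
keeps the record with the chain-of-custody form.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timezone


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of the data. Both are kept because many existing
    reports and tools still cite MD5 alongside SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def acquire(image: bytes, examiner: str, description: str) -> dict:
    """Build the custody record: who acquired what and when, the size, the
    digests, and an event log that later handoffs append to."""
    record = {
        "examiner": examiner,
        "description": description,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(image),
        "events": [],
    }
    record.update(hash_bytes(image))
    return record


def verify(image: bytes, record: dict) -> bool:
    """True only if the size and both digests match the acquisition record."""
    current = hash_bytes(image)
    return (len(image) == record["size_bytes"]
            and current["md5"] == record["md5"]
            and current["sha256"] == record["sha256"])


def handoff(image: bytes, record: dict, from_person: str, to_person: str) -> bool:
    """Log a transfer between custodians. The image is re-hashed at every
    handoff and a mismatch is written into the record rather than ignored,
    because the record has to show when integrity was lost."""
    ok = verify(image, record)
    record["events"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "from": from_person,
        "to": to_person,
        "verified": ok,
    })
    return ok


# Constructed sample "image": filler bytes around a recognisable e-mail header.
SAMPLE_IMAGE = (b"\x00" * 1024
                + b"From: alice@example.test\r\nSubject: quarterly numbers\r\n"
                + b"\xff" * 3000)


def demo() -> tuple[bool, bool]:
    """Returns (intact image verifies, tampered image verifies)."""
    record = acquire(SAMPLE_IMAGE, "J. Examiner", "constructed sample, not a real drive")
    intact = handoff(SAMPLE_IMAGE, record, "J. Examiner", "evidence locker")
    # A single flipped byte, e.g. a timestamp touched by mounting the image
    # read-write, is enough to break the match.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[1500] ^= 0x01
    altered = handoff(bytes(tampered), record, "evidence locker", "analyst")
    return intact, altered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of logging a failed verification instead of raising an exception is evidentiary: the custody record itself has to show at which handoff the image stopped matching, since that is exactly what the opposing party will ask about.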

URL: https://www.sciencedirect.com/science/article/pii/B9780128092781000177

Defending against MCRs

Erez Metula, in Managed Code Rootkits, 2011

Computer Forensic Investigators

Computer forensic investigators are usually called in after suspicious activity has been detected or a crime has been committed. Their job is to recover information from the target machine that can later be used as evidence that a crime took place. One of the key tasks in computer forensics is reconstructing the sequence of events leading to an attack on a specific machine, usually a server running a sensitive service such as a financial backend application or a critical Web site that was hacked. The investigator's job in those cases is to analyze the system for clues that shed light on how the attack was carried out, what kind of vulnerability was exploited, whether any information exists that could lead to catching the attacker, and so forth.

Since it is assumed that the attacker most likely wanted to keep control of the machine, the investigator will look for any kind of malware, such as backdoors or rootkits, which the attacker left behind on the machine. Such malware often helps the investigator to better understand the situation, and might even provide him with clues about the attacker's remote IP or username.

Today's computer forensic methodologies do not treat application VM runtimes as a place to look when searching for evidence on a compromised machine. This is the same problem we discussed regarding security auditors. Investigators are not aware that an MCR can be hidden in an application runtime, so they overlook the runtime and miss the evidence, namely the code the attacker deployed there, which can be a source of valuable information to the investigator. In practice this means the runtime's own library files, not just the application's code, belong in the set of binaries whose hashes are compared against a known-good installation.

URL: https://www.sciencedirect.com/science/article/pii/B978159749574500009X

Digital forensics education, training and awareness

Hamid Jahankhani, Amin Hosseinian-far, in Cyber Crime and Cyber Terrorism Investigator's Handbook, 2014

Educational Provision for the Study of Computer Forensics

Computer forensics is no longer the new field that some would like to believe it is, and much needs to be done to train and encourage new entrants as well as to unify the skills and experience of those already in the field. The need to train not just on the technical side but also on the legal aspects has been fully recognized by government, training companies and universities, and most universities now offer courses specifically tailored to law enforcement officers; yet many in law enforcement take up such training only as a fallback for life after retirement.

Those joining the profession will have to understand the importance of an academic qualification especially if they have no experience in the field at all.

Computer forensics is no longer a profession in which on-the-job training is sufficient. Most other professions, such as teaching, law, forensic science and medicine, require a degree before one can progress to vocational training. The same should apply to computer forensics, because the work we do is as important as that of those other fields and, for better or worse, affects people’s lives.

Numerous universities in this country and abroad offer Computer Forensic and Information Security courses at graduate and postgraduate level. These give students a good grounding in computer science, a better understanding of computer forensic theory and, most of all, help them become more innovative in devising new forensically sound ways of fighting e-crime and in “thinking outside the box.”

It is time for the government to actively work in partnership with universities to encourage people to take on these courses especially those already working in the field in the public sector.

A degree is now a prerequisite in the private sector as well as experience, as it is becoming a lot more difficult for one to claim to be an expert in the field of computer forensics and an expert witness in a court of law. Gone are the days where do-it-yourself forensics will be accepted.

This leads us to another area a lot of experts in the field of computer forensics have been reserved about and that is the idea of accreditation. It is an area that is very difficult to make decisions on. Most agree and recognize that a board should be set up, but what cannot be agreed upon is who should lead it. Some have suggested that it should be led by universities, by government, by their peers or jointly by universities, government and businesses.

If it is university led, the concern is that those who have worked in the field for many years without academic qualifications may find that, in order to be recognized as experts and fully accredited, they have to obtain a recognized academic qualification in addition to their experience, which most are against.

If it is government led, then without set standards the situation will be no different from the present one. It would also require practitioners to give the scheme direction, and it is doubtful whether those people are in a position to decide what form of accreditation should be adopted.

This brings us to the last option, a joint partnership of government, universities and businesses. This is the most feasible option, but a great deal of joint effort will be required to come up with a credible accreditation that is accepted by all.

In March 2007 an article by Peter Warren appeared in the Guardian newspaper; the incident it described has been of great concern to those in the profession. “Last month saw the downfall of Gene Morrison.” Morrison, 48, of Hyde, Tameside, was a conman who masqueraded as a forensic scientist and gave evidence in more than 700 police cases, some of them involving rape and drink-driving. He was found guilty of 22 counts of perjury at Minshull Street Crown Court in Manchester and given a 5-year jail sentence. His claim to be a forensic scientist was bogus, and the BSc and PhD qualifications he cited had in fact been bought from a university that existed only on the internet.

One thing is certain: a form of accreditation would force government, academics, researchers and those working in the field of computer forensics to set more appropriate standards and controls for those who handle, analyze and investigate computer evidence.

URL: https://www.sciencedirect.com/science/article/pii/B9780128007433000086

The Computer Investigation Process

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Publisher Summary

Computer forensics refers to an investigation process of gathering and examining evidence to establish facts so that accurate testimony and evidence can later be presented in court or other hearings. The key to this definition is that any work an investigator performs may be scrutinized and used as evidence in court. Computer forensics is used to collect, examine, preserve, and present data that is stored or transmitted in an electronic format. This branch of forensics uses scientific methods to retrieve and document evidence located on computers and other electronic devices. Using specialized tools and techniques, digital evidence may be retrieved in a variety of ways. Such evidence may reside on hard disks and other devices, even if it has been deleted so that it is no longer visible through the normal functions of the computer, or hidden in other ways. Forensic software can reveal this data that is invisible through normal channels, and restore it to a previous state. Because the purpose of computer forensics is its possible use in court, strict procedures must be followed for evidence to be admissible. For evidence to be used in court, numerous standards must be met to ensure that the evidence isn't compromised and that information has been obtained correctly. If one does not follow forensic procedures, judges may deem evidence inadmissible, defense lawyers may argue its validity, and the case may be damaged significantly. In many cases, the only evidence available is that which exists in a digital format. This could mean that the ability to punish an offender rests with the quality of the evidence you’ve acquired, authenticated, examined, and presented to the court through thorough documentation and testimony.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000054

What are some of the problems traditionally associated with finding digital evidence?

Some common challenges are the lack of proper guidelines for the collection, acquisition and presentation of electronic evidence, rapid change in technology, big data, the use of anti-forensic techniques by criminals, the use of free online tools for investigation, and so on.

Which of the following techniques are used during computer forensics investigations?

Some common techniques include the following. Reverse steganography (steganalysis): steganography is a common tactic for hiding data inside any type of digital file, message or data stream. Computer forensic experts detect a steganography attempt by comparing the hash of the file in question with the hash of a known original copy; embedding even a small payload changes the hash, although the two files may look identical to a viewer.

What are the challenges in computer forensics?

Technical challenges: two central challenges in a digital forensic investigation are complexity and quantity. The complexity problem is that the data collected is at the lowest level, in raw format, which non-technical people find difficult to understand.

Which of the following refers to the area of a computer that holds data during processing and is erased when power is shut down?

What is computer RAM? RAM is volatile memory: the information temporarily held in a memory module is lost when the computer is restarted or shut down, because the data is stored as electrical charge in memory cells that need power to retain it. For an investigator this means that anything held only in RAM, such as running processes, open network connections and decryption keys, must be captured while the machine is still powered on; pulling the plug destroys it.