Digital Evidence and Digital Investigations - PowerPoint PPT Presentation

About This Presentation
Title:

Digital Evidence and Digital Investigations

Description:

The digital investigation and forensic examination of the contents of a computer ... Difficult to completely eradicate all digital evidence ...

Slides: 14
Provided by: cgai

Transcript and Presenter's Notes

1
Digital Evidence and Digital Investigations
2
Objectives
  • Summarise the principles of digital investigation
  • Discuss concept of digital evidence
  • Consider need for standards

3
Digital Investigations
The digital investigation and forensic examination
of the contents of a computer are skilled jobs.
Special procedures, techniques and tools are
required to ensure that any information retrieved
can be presented as evidence in a court of law.
Two main principles to consider:
  • Evidential Integrity requires that the material
    being examined is not changed in any way. What
    is examined must be an exact copy of the
    original.
  • Continuity of Evidence refers to the means used
    to vouch for the actions that have taken place
    regarding the item under examination. This
    covers the seizure, handling and storage of
    equipment and copies.
4
Digital Evidence
  • Most of the literature (and indeed the majority
    of investigations) focuses on disk forensics
  • Need also to consider digital evidence from
    • Large systems
    • Remote sites
    • Networks
    • Digital communications (opens the notion of
      eavesdropping and interception)
    • Other devices
      • iPod, mobile phones, game boxes, SatNav, etc.

5
Standards
  • The application of standards for gathering
    evidence from PC disks is high
  • Are there unrealistic expectations in obtaining
    other forms of computer-derived digital evidence?
  • What about digital evidence from other devices?

6
ISO27001 and Forensics
  • There is a need to ensure that the collection of
    digital evidence conforms to the rules for
    evidence laid down by the relevant law, rules of
    a specific court, published standard or code of
    practice for the production of admissible
    evidence

7
Implications for Digital Investigations
  • Admissibility
    • Legal rules which determine whether potential
      evidence can be considered by a court
    • Need to take into account weight of evidence
    • Consider the Auld Report and free admissibility
      (you are encouraged to read this as independent
      study)
    • Attempts to protect lay juries from complex
      technical issues
  • Relationship between science, forensic science,
    computer forensics and the activities of courts
  • Professional issues about expert witnesses

8
Digital Evidence
  • Two main situations
    • Reliability of computer records
      • Regular computer documents
      • Regular computer reports (from databases)
      • Records of transactions
        • Occurred or not?
        • Authentication sought and acquired?
    • Reliability of forensically located and
      recovered data
      • Data seized from computers
      • Audit trails / activity logs
      • Monitoring activities with computers
      • Monitoring networks and communications

9
Investigation Techniques
  • Analysis of existing files
    • Including time and date stamps
  • Recovering deleted or hidden data stored on disk
  • Analysis of log files
    • Local disks
    • LANs
    • Internet
  • Interpretation of gathered data and metadata

10
Features of Digital Evidence
  • Can change from moment to moment
    • Within a computer or along a communication
      network
  • Can be altered without trace of the alteration
  • Can be changed during evidence collection
  • Can't be read directly by humans
  • Computers create evidence as well as record it
    • Trojan defence, wireless defence!
  • Need to consider the constant change and
    development of technology

11
Benefits of Digital Evidence
  • Many more commercial transactions are recorded
  • Easier to trace a person's history and activities
  • Difficult to completely eradicate all digital
    evidence
  • We can use computers to assist in investigations

12
Forensics procedures
  • Freezing the scene
  • Formal process (ACPO)
  • Imaging
  • Maintaining continuity of evidence
  • Controlled copying, printing, analysis
  • Documentation
  • Authenticity
  • Repeatability
  • Independent checking / auditing
  • Standard procedures
  • Anticipate criticism
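Added example (not part of the presentation) tying slide 3's two principles to the procedures on this slide: imaging hashes the original and the copy so evidential integrity can be re-verified at any time (repeatability, independent checking), and each custody action is appended to a hash-chained log so continuity of evidence can be audited. The sample media, examiner names and log format are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 4096  # stream the media in blocks, as an imaging tool does over a device

def sha256_of(data: bytes) -> str:
    """Hash in fixed-size chunks so the whole image need never sit in memory."""
    h = hashlib.sha256()
    for off in range(0, len(data), CHUNK):
        h.update(data[off:off + CHUNK])
    return h.hexdigest()

def acquire_image(source: bytes):
    """Bit-for-bit copy; hash original and copy so the examiner works on the copy only."""
    image = bytes(source)
    return image, sha256_of(source), sha256_of(image)

def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Evidential integrity: re-hash the copy and compare with the hash taken at acquisition."""
    return sha256_of(image) == acquisition_hash

def log_action(log: list, examiner: str, action: str, item_hash: str) -> None:
    """Continuity of evidence: append a custody entry chained to the previous one."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "item_sha256": item_hash, "prev": prev}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)

def verify_log(log: list) -> bool:
    """Independent check: each entry must hash to its recorded value and link to its predecessor."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

if __name__ == "__main__":
    media = b"constructed sample disk contents " * 300   # constructed stand-in for seized media
    image, src_hash, img_hash = acquire_image(media)
    custody = []
    log_action(custody, "examiner-A (hypothetical)", "seizure and imaging", src_hash)
    log_action(custody, "examiner-B (hypothetical)", "verified image before analysis", img_hash)
    print("image matches original:", src_hash == img_hash and verify_image(image, src_hash))
    print("altered image detected:", not verify_image(image[:-1] + b"X", src_hash))
    print("custody log intact:", verify_log(custody))
```

In practice the acquisition hash and the custody log would be written to separate, access-controlled storage so that an alteration of the image or the log cannot be hidden by re-hashing both.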

13
Summary
  • We need to think very carefully about what we can
    do with digital evidence
  • Digital evidence has a variety of strengths and
    weaknesses
  • We need to consider the ways in which we gather
    digital evidence and think carefully about what
    we are looking for
  • As digital investigators we need to act
    professionally and responsibly