Digital forensics: Where to begin???
3rd October 2011
CYFOR and Deans Court Chambers held a successful digital forensics seminar last Thursday.
It was well attended by lawyers and barristers alike with the feedback being very positive. The speakers were Keith Cottenden, Forensic Services Director at CYFOR, and Joseph Hart, Deans Court Chambers Barrister. Here are some highlights from their presentations…
An introduction to digital evidence
Digital source evidence
The use of evidence generated by the investigation of a digital source must be one of the fastest growing sources of evidence in modern trials. Everyone uses computers every day to do many tasks and as they use them they leave a trail of activity which can be used in the trial process.
There is nothing about digital evidence except its source which sets it outside the normal evidential rules, and its admissibility will be considered in exactly the same way as any other evidence. It is important to consider at every stage how the evidence will be admissible before the courts.
- Emails (straddling the gap between direct evidence and admissible hearsay). It all depends on where the e-mail was sent from, or which Internet provider was used. The issues raised include a number of concerns, but mainly the problem will be proving where the email came from and who wrote it:
  - In many cases individuals will accept where an email is from or was generated.
  - In many cases the email has been physically found on a computer relating to the sender or recipient of the email.
  - In some cases the suggestion will be that the email is entirely falsified or has been tampered with; the person relying on the email should be in a position to exclude that possibility or at least make it unlikely. It is not enough to print out an email and then comment on the address route attached.
Documents created in the course of a trade, occupation, profession or public office can be used as evidence of the facts stated in them.
To be admissible, the evidence referred to in the document must itself be admissible. The person supplying the information must have had personal knowledge of it (or be reasonably supposed to have had), and everyone else through whom the information was supplied must have also been acting in the course of business.
Investigation to admissible evidence
There are specific concerns about computer generated evidence having been tampered with either automatically by an operating system or by an individual.
The ACPO Guidelines set out a useful breakdown as to what is expected by lawyers from the digital evidence in order to make the best use of it:
1. The collection phase.
The integrity of the seizure of devices, and hardware, also passwords.
2. The examination phase
Just as important as the actual examination of a digital device is the procedure which is followed to do that examination. There are no universally agreed standards, rules or protocols for the handling of computer evidence. Any technical process applied to digital evidence ‘does not have to pass any formal test’ for it to be placed before a court.
There are, however, best practice guidelines on the recovery of digital based evidence. One of the important parts of a witness statement might be to show that these guidelines have been followed.
The guidelines were laid down by the Association of Chief Police Officers (ACPO) of England, Wales and Northern Ireland:
- Principle 1: The data held on an exhibit must not be changed.
- Principle 2: Any person accessing the exhibit must be competent to do so and explain the relevance and the implications of their actions.
- Principle 3: A record of all processes applied to an exhibit should be kept. This record must be repeatable to an independent third party.
- Principle 4: The person in charge of the investigation has responsibility for ensuring that the law and these principles are adhered to.
At the examination phase the forensic analyst is essentially building up the evidence so that any particular piece of information can be tracked back through the system. It might be best described as a digital audit trail: this may cover the exact location of a piece of information, or there may be systems in place which set up an automatic auditable log. For example, an accounting system might track all invoices created during a particular time and log them in a file or journal, which can be printed upon demand. An intrusion detection system logs all attempted break-ins into another type of log. In considering the evidence it is important to be able to show where it came from and how it was generated, to avoid concerns that it might have been tampered with.
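Principles 1 and 3 above translate directly into two habits an examiner can automate: hash the exhibit image at acquisition and after every step, and keep an append-only record of each process that a third party could repeat. The following is an added example written for this page, not code from CYFOR or from the seminar; the exhibit bytes, the exhibit ID and the examiner names are constructed placeholders, and the "edited working copy" step is simulated only to show how the log exposes an unchanged-hash violation.

```python
"""Added example: exhibit integrity check (ACPO Principle 1) and a
repeatable process log (ACPO Principle 3). All sample data is constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a forensic image; a real examination would read
# an image file acquired through a write blocker instead of this literal.
EXHIBIT_IMAGE = b"Sample exhibit contents: invoices, mail spool, logs.\x00" * 8


def sha256_hex(data: bytes) -> str:
    """Acquisition hash of the image; recomputed after every step."""
    return hashlib.sha256(data).hexdigest()


class ProcessLog:
    """Append-only record of every process applied to an exhibit.

    Each entry names the examiner, the action and the image hash afterwards,
    so an independent third party can repeat the step and compare results."""

    def __init__(self, exhibit_id: str, acquisition_hash: str):
        self.exhibit_id = exhibit_id
        self.acquisition_hash = acquisition_hash
        self.entries = []

    def record(self, examiner: str, action: str, image: bytes) -> dict:
        """Log one step and flag whether the exhibit hash still matches."""
        entry = {
            "exhibit": self.exhibit_id,
            "examiner": examiner,
            "action": action,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "hash_after": sha256_hex(image),
        }
        entry["unchanged"] = entry["hash_after"] == self.acquisition_hash
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every recorded step left the exhibit unchanged."""
        return all(e["unchanged"] for e in self.entries)

    def to_json(self) -> str:
        """Serialised form suitable for attaching to a witness statement."""
        return json.dumps({
            "exhibit": self.exhibit_id,
            "acquisition_hash": self.acquisition_hash,
            "entries": self.entries,
        }, indent=2)


def keyword_search(image: bytes, needle: bytes) -> list:
    """A read-only examination step: byte offsets at which needle occurs."""
    offsets, start = [], 0
    while True:
        pos = image.find(needle, start)
        if pos == -1:
            return offsets
        offsets.append(pos)
        start = pos + 1


def run_examination() -> ProcessLog:
    """Two logged steps: a legitimate search, then a simulated in-place edit."""
    log = ProcessLog("EXHIBIT-001", sha256_hex(EXHIBIT_IMAGE))  # placeholder ID
    hits = keyword_search(EXHIBIT_IMAGE, b"invoices")
    log.record("Examiner A", f"keyword search for 'invoices': {len(hits)} hits",
               EXHIBIT_IMAGE)
    # Simulated error: someone modifies the working copy instead of a derived
    # file. The recomputed hash no longer matches, and verify() reports it.
    tampered = EXHIBIT_IMAGE.replace(b"logs", b"LOGS", 1)
    log.record("Examiner B", "edited working copy in place (must never happen)",
               tampered)
    return log


if __name__ == "__main__":
    examination = run_examination()
    print(examination.to_json())
    print("exhibit intact:", examination.verify())
```

The point of the second step is that the log itself, not the examiner's memory, is what shows the court whether Principle 1 was honoured: any step whose hash differs from the acquisition hash is visible to anyone who reruns the record.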
Forensic accountants and computer specialists working on the Enron case pored through 10,000 computer backup tapes and over 400 computers and handheld devices, searching for digital evidence. (Source: Edward Iwata, “Enron Case Could Be Largest Corporate Investigation,” USA Today, February 19, 2002.)
3. The analysis phase
Effectively, at the end of this process, what does the data recovered actually mean? For example, an analysis might show that Mr X’s password was used to access the internet at Y time (if the computer is accurate), but what it cannot show is that Mr X in fact accessed the internet.
Issues which should be considered include:
• Is the data easily alterable? If so, less reliance can be placed upon it.
• How credible is the data? If it’s from an independent source and the analyst can corroborate it, the data has more credibility.
• How complete is the data?
• Are approvals in place? Approvals are part of the document, and when they are intact they add to the document’s validity.
• Is the data easy to use? Can the analyst easily understand the data?
• Is the data clear? Would all analysts come to the same conclusion when they see this evidence?
Sources of digital evidence
- In a file.
- On a disc or memory stick.
- Viewing cache data: cached data can now be viewed just as the original user of the computer saw it.
- Correlation across drives: a digital forensics technique that correlates information found on multiple hard drives. The process, which is still being researched, can be used for identifying social networks and for performing anomaly detection.
- Recovering deleted data: modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing it to be reconstructed from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
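File carving, as described above, depends only on the content of the sectors, not on the file system's bookkeeping. The following is an added example written for this page, not the seminar's or any vendor's tool: a header/footer carver run over a constructed disk image that contains a JPEG, a PNG, a PDF and a JPEG whose end was overwritten. The sample files are minimal fakes built from the real signature bytes of those formats; the filler and offsets are constructed.

```python
"""Added example: header/footer file carving over a constructed disk image.
The embedded 'files' are fakes carrying only the genuine signature bytes."""

# Known header and footer signatures (real magic bytes for these formats).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # IEND chunk + its CRC
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer after 10 MiB

# Constructed sample files: valid signatures around placeholder bodies.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF placeholder body" + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe0" + b"tail overwritten, no footer"

# Constructed "unallocated space": zero filler with the files dropped in.
DISK_IMAGE = (b"\x00" * 512 + FAKE_JPEG + b"\x00" * 300 + FAKE_PNG
              + b"\x00" * 200 + FAKE_PDF + b"\x00" * 100 + TRUNCATED_JPEG)


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_CARVE) -> list:
    """Return carved regions sorted by offset.

    Each result records the type, byte offset, carved bytes and whether a
    matching footer was found within max_size. Files whose footer is missing
    (overwritten, or fragmented on disk) are reported as incomplete rather
    than silently dropped, because their presence is itself evidence."""
    found = []
    for ftype, (header, footer) in signatures.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h == -1:
                break
            window_end = min(len(image), h + max_size)
            f = image.find(footer, h + len(header), window_end)
            if f == -1:
                data = image[h:window_end]
                found.append({"type": ftype, "offset": h, "size": len(data),
                              "complete": False, "data": data})
                start = h + 1
                continue
            end = f + len(footer)
            data = image[h:end]
            found.append({"type": ftype, "offset": h, "size": len(data),
                          "complete": True, "data": data})
            start = end
    return sorted(found, key=lambda r: r["offset"])


if __name__ == "__main__":
    for r in carve(DISK_IMAGE):
        state = "complete" if r["complete"] else "INCOMPLETE (no footer)"
        print(f"{r['type']:3} at offset {r['offset']:6d}, {r['size']:4d} bytes, {state}")
```

Two caveats a report should carry: this carver assumes each file is stored contiguously, so fragmented files come out corrupt or incomplete, and a header match alone does not prove a file existed (the bytes can occur by chance in unrelated data), which is why the offset and completeness of every hit are recorded for corroboration against file-system metadata and other sources.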
The report or statement
Taken from the CPS guidance on digital evidence:
Unlike a written document, raw computer evidence must be presented with an accurate interpretation, which clearly identifies its significance in the context of where it was found. For example, the hard disk of a computer contains raw binary data.
This interpretation must be undertaken by a suitably qualified person and then presented in a human readable form for consumption by a court. Over-simplification is dangerous as it could lead to the data becoming open to interpretation.
Any doubt as to the interpretation of a single item of evidence can often be resolved by correlating it with other evidence such as log files, internet history, link files, and so forth.
A particular area of difficulty is the communication of risk and probability. The court ultimately has to make a clear judgment on such matters and it is not always possible to give black and white answers to questions.
Using terminology such as ‘indicative of’ and ‘a common cause of’, it is possible to present such evidence with a possible cause and an indication of its associated probability.