Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility
The need to professionally and successfully conduct computer forensic investigations of incidents and crimes has never been greater. This has caused an increased requirement for information about the creation and management of computer forensic laboratories and the investigations themselves. This includes a great need for information on how to cost-effectively establish and manage a computer forensics laboratory. This book meets that need: a clearly written, non-technical book on the topic of computer forensics with emphasis on the establishment and management of a computer forensics laboratory and its subsequent support to successfully conducting computer-related crime investigations.

- Provides guidance on creating and managing a computer forensics lab
- Covers the regulatory and legislative environment in the US and Europe
- Meets the needs of IT professionals and law enforcement as well as consultants

Product Details

ISBN-13: 9780080949536
Publisher: Syngress Publishing
Publication date: 04/19/2011
Series: Establishing and Managing a Successful Facility Series
Sold by: Barnes & Noble
Format: eBook
Pages: 312
File size: 546 KB

About the Author

Dr. Andrew Jones is a digital forensic and information security researcher and academic who has developed several tools and processes for the efficient and effective recovery of data from a range of devices. He has also participated in and led a number of forensic investigations for criminal and civil cases. Andrew has been involved in several information security projects for the Government Communications Electronic Security Group (CESG), the Office of the E-Envoy, the police and a defense contractor. He acted as the technical advisor for the then National Crime Squad Data Acquisition and Recovery Team, and he currently sits on the committees of five information security and computer forensic conferences. He also sat on two working groups of the government's Central Sponsor for Information Assurance National Information Assurance Forum. He holds posts as an adjunct professor at Edith Cowan University in Perth, Australia and the University of South Australia in Adelaide. He has authored six books in the areas of Information Warfare, Information Security and Digital Forensics, including co-authoring Digital Forensics Processing and Procedures, First Edition.

Read an Excerpt

Building a Digital Forensic Laboratory

Establishing and Managing a Successful Facility
By Andy Jones and Craig Valli

Syngress

Copyright © 2009 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-094953-6


Chapter One

An Introduction to Digital Forensics

For gauging the scientific validity of evidence, it should be seen whether the technique in question can be or has been tested; whether the technique has been subjected to peer review and publication; its known or potential error rate; the existence of standards controlling its operation and whether the methodology in question has attracted widespread acceptance within the relevant scientific community.

—U.S. Supreme Court in Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579, 113 S.C.T. 2786 (1993); popularly referred to as the "Daubert Standard"

Introduction

As computers and microprocessor-controlled devices become more capable and offer a greater number of services, they have become more ubiquitous and are increasingly integrated into our everyday lives. They are used in a growing number of ways, and as a result more and more information is stored on computers of all types, from the ubiquitous desktop computer to the laptop, the personal digital assistant (PDA), and an ever-increasing range of other devices. For this reason, the term "digital forensics" is used throughout this book wherever possible, since it more accurately reflects our environment than "computer forensics."

The increasing ubiquity of digital devices, and our reliance on them, will result in digital forensics playing an ever-greater role in both civil and criminal litigation. It has been estimated that over 85 percent of all crimes committed today leave a trail of digital evidence.

Digital forensics is in a state of transition from "art" to "science" and is moving from the domain of a small number of highly skilled experts to an integral component of the information security enterprise. This change has been driven by factors that range from the increasing maturity of the area to the growing reliance in all areas on computers. As organizations have steadily adopted new technologies and services, ever greater volumes of information have been stored electronically. Partly as a result of this, legislation has been introduced to ensure this information is processed and stored in a suitable manner so that privacy, corporate governance, and a range of other concerns can be appropriately satisfied. The transition of digital forensics from art to science has been assisted by the introduction and acceptance of procedures, as well as improved and more widely accepted digital forensic software. The growing maturity of the subject area has meant an increasing number of practitioners with experience, and academic institutes that provide suitable courses and qualifications.

Some History

Digital forensics emerged as a scientific discipline initially developed in the U.S. by federal law enforcement agents in the mid- to late 1980s. The development started shortly after the introduction of personal computers (PCs) into businesses at the start of the 1980s, when U.S. federal law enforcement organizations noticed the rise of white-collar crimes that were aided by these new personal computers. In the period since then, the processing power, storage capacity and speed of PCs have increased enormously. The field of digital forensics has had to keep pace with these developments and has been forced to diversify, so that today it encompasses a range of disciplines involving computers, networks, telecommunications, security, law enforcement, and the criminal justice system.

From the outset, it is important to understand that the examination of computers and their associated peripheral devices is not only related to criminal offenses, but also addresses the general business environment for civil litigation issues. A failure to follow the correct procedures in either criminal or civil cases may render the evidence that has been gained, often at considerable effort and expense, worthless and unusable.

A number of important concepts have been developed as the art and science of digital forensics has evolved. Computing and information technology is relatively young in scientific terms, and is still in its infancy in legal terms. Digital forensics is a new discipline that has been born of this highly volatile and uncertain environment.

It is worth starting this book with a definition of digital forensics, but as with anything related to information technology, the term has a range of interpretations. The first definition given here is from one of the earliest and most respected of organizations, the Scientific Working Group for Digital Evidence. It defines digital forensics as:

Any information of probative value that is either stored or transmitted in binary form.

This definition is concise, generic and all-encompassing, but for the practitioner it is not, in many ways, particularly helpful. A more usable definition is:

Computer forensics is the collection, preservation, analysis, and court presentation of digital-related evidence.

Another useful definition, attributed to Mark Pollitt, a retired FBI special agent, is:

Digital forensics is the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law.

The US-CERT defines digital forensics as:

... the discipline that combines elements of law and digital science to collect and analyze data from digital systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

The point that all these definitions make is that digital forensics is not just about science, but also about the law. A failure to satisfy either aspect will mean that any investigation has failed.

Digital evidence is obtained from digital devices and associated peripheral devices through the application of digital investigation and analysis techniques, the data from which is preserved in a scientifically sound manner in an electronic form. The evidence can then be analyzed using acceptable and repeatable processes without fear of the evidence being contaminated by the analysis process. Once the analysis is completed, the necessary reports can be produced in a suitable form.

Principles of Digital Forensics

As the art and science of digital forensics has developed, four underlying principles have evolved and are now widely accepted. As defined in the UK Association of Chief Police Officers (ACPO) Good Practice Guide for Computer-Based Electronic Evidence, the principles are:

* Principle 1: No action taken by law enforcement agencies or their agents should change data held on a digital device or storage media which may subsequently be relied upon in court.

* Principle 2: In circumstances where a person finds it necessary to access original data held on a digital device or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

* Principle 3: An audit trail or other record of all processes applied to digital device-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

* Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

These principles have been developed within the law enforcement environment, which should not be surprising since it was law enforcement that was the first adopter in order to gather evidence for criminal cases. In the commercial environment, these principles hold equally true, and it should never be forgotten that an investigation started for civil litigation may become a criminal investigation.

Forensic evidence of all types must be collected by following rigorous and well-tested procedures in order to protect any such evidence from contamination or destruction, or from becoming subject to claims of tampering and improper handling, and to establish and preserve the chain of custody. Digital forensic evidence is no different. By following good scientific principles, the fragile and easily altered evidence collected will be provably sound and authentic. Any failure to follow the strict procedures developed and agreed upon may result in some digital evidence being excluded or limited by the courts.

The typical computer- or microprocessor-controlled device contains a range of potential sources of evidence for the skilled investigator. In modern computing devices, the places where information can be stored include the hard disk, the random access memory (RAM), CDs, DVDs, thumb drives, flash memory devices, and other external storage or processing devices that may be connected by wires, Bluetooth, WiFi, or infrared. Safely accessing information of evidential value from this range of locations requires specific knowledge and tools, and an increasing range of skills and experience.

Procedures

In order to satisfy the four principles, it is essential that the digital forensic investigation be undertaken using a set of procedures that have been developed as the science, technology, and law have evolved. The procedures detailed next generate part of the evidence that demonstrates that the principles have not been breached. Some of the procedures in the digital forensic process are:

* Log all Actions: All actions taken in the investigation should be logged. This provides a record of all actions taken at all stages of the investigation and serves a number of purposes. In addition to providing a record that all of the required actions were taken and carried out in the proper manner, it can also be used as a checklist for the investigators to make sure they have not missed anything.

* Record the Scene: Before any of the equipment at the scene is disturbed, either photographs or a video should be taken of the scene, including all of the connections related to the equipment. Once the initial photos of the scene have been made, it may be necessary to move the equipment slightly to give access to the rear of the equipment and the connections. If photographic or video equipment is not available, a diagram should be made to record the information; however, these days, this should be the exception. This will again form part of the evidence, but will also provide vital information if it becomes necessary to reconstruct the equipment in the laboratory. There is nothing worse than removing a large number of cables and devices, storing them and transporting them, following the appropriate procedures, only to find you cannot put it back together the way it was originally configured because you do not have the necessary information.
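
The following is an added example, not code from the book or its authors, showing one way the "Log all Actions" procedure can support Principles 1 and 3 above: every action on an exhibit is written to an append-only log entry that records the SHA-256 of the evidence image and chains to the previous entry, so an independent third party can recompute the chain and confirm both that the image never changed between logged steps and that the log itself was not edited afterwards. The case and exhibit identifiers, the examiner names and the "image" bytes are all constructed placeholders; a real image would be read from a write-blocked device rather than held in a byte string.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an evidence image held in memory."""
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    """Append-only, hash-chained record of every action taken on an exhibit.

    Each entry commits to the previous entry's digest, so an edit anywhere in
    the history breaks every later link and is detectable by an independent
    reviewer re-running verify() (ACPO Principle 3). Each entry also records
    the digest of the evidence image, so any change to the image between
    logged actions is detected as well (ACPO Principle 1).
    """

    def __init__(self, case_id: str, exhibit_id: str):
        self.case_id = case_id
        self.exhibit_id = exhibit_id
        self.entries = []

    def record(self, examiner: str, action: str, evidence: bytes, when=None) -> dict:
        # Timestamp defaults to now (UTC); pass a fixed value for reproducible runs.
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "exhibit_id": self.exhibit_id,
            "timestamp": when,
            "examiner": examiner,
            "action": action,
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": prev,
        }
        # Canonical JSON (sorted keys, no whitespace) so the digest does not
        # depend on how the entry happens to be serialised later.
        payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        entry["entry_hash"] = sha256_hex(payload)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> bool:
        """Recompute the whole chain and check the image is still unchanged."""
        expected_prev = "0" * 64
        current = sha256_hex(evidence)
        for entry in self.entries:
            if entry["prev_entry_hash"] != expected_prev:
                return False  # chain broken: an entry was removed or reordered
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
            if sha256_hex(payload) != entry["entry_hash"]:
                return False  # entry contents were edited after the fact
            if entry["evidence_sha256"] != current:
                return False  # image differs from what was logged at that step
            expected_prev = entry["entry_hash"]
        return True


def demo() -> tuple:
    """Run the three checks a reviewer cares about; returns (intact, tampered, edited)."""
    # Constructed stand-in for a disk image (not a real image).
    image = b"CONSTRUCTED-EVIDENCE-IMAGE: placeholder bytes, not a real disk image"
    log = AuditLog(case_id="CASE-0001", exhibit_id="EXH-01")  # hypothetical identifiers
    log.record("examiner A", "acquired image through write blocker", image)
    log.record("examiner A", "verified acquisition hash against original", image)
    log.record("examiner B", "keyword search on working copy", image)
    intact = log.verify(image)            # unchanged image, untouched log -> True
    tampered = log.verify(image + b"x")   # image altered by one byte -> False
    log.entries[1]["examiner"] = "someone else"  # retroactive edit of the log
    edited = log.verify(image)            # chain no longer recomputes -> False
    return intact, tampered, edited


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

In practice the log would be written to a separate, access-controlled store and the acquisition hash recorded on the exhibit's paper chain-of-custody form as well, so that the two records corroborate each other.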

(Continues...)



Excerpted from Building a Digital Forensic Laboratory by Andy Jones and Craig Valli. Copyright © 2009 by Elsevier, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

Table of Contents

SECTION I: Computer Related Crime Investigations and Computer Forensics Management Support. This section provides a background to computer crime and addresses the computer forensics management issues related to computer forensic incidents and crime investigations. It looks at how investigations are carried out, what needs to be considered in the planning of an investigation and the conduct of the investigation, including the collection and storage of evidence. The section finishes with a number of case studies to highlight how things can go well if they are done properly and how they can go wrong if they are not.

Chapter 1. A Short History of Computer-Related Crimes and the Developing Need for Computer Forensics. This chapter will provide an overview of computer-related crimes, from the less sophisticated and localized dial-up computer crimes to today's sophisticated, global network attacks, as well as the history of the development of the computer forensics profession and increasingly formal computer forensics laboratories.

Chapter 2. An Introduction to Computer Forensics. This chapter provides an overview of the important concepts associated with "computer forensics." It describes the potential sources of evidence available in the typical microcomputer, how to conduct a search for evidence, and a method of conducting a search in a systematic and effective manner.

Chapter 3. Types of Forensic Investigation. This chapter will cover the reasons for carrying out the investigation and the type of investigation that is being undertaken, for example single computer, network or mobile devices.

Chapter 4. Responding to Crimes Requiring Computer Forensic Investigation. This chapter will discuss what actions are required, the management considerations and, just as importantly, what should not be done when responding to a high tech crime scene. It will deal with the differing requirements that must be considered for the range of types of investigation that the laboratory may be called on to take part in, including stand-alone PCs, servers, networks, live acquisition and wireless, and will discuss the management issues that relate to the use of function-specific tools.

Chapter 5. Management of the Collection of Evidence. As the title states, this chapter will discuss the management issues that relate to the collection of high technology crime scene evidence, a crucial part of any high technology investigation. It will also deal with issues such as continuity of evidence and chain of custody.

Chapter 6. Management of Evidence Storage. This chapter will address the issues that relate to the storage of evidence and the management issues that need to be considered to ensure that it is carried out effectively and meets the relevant rules and legislation. We will also address the difficult question of long-term storage periods, a particular problem for law enforcement.

Chapter 7. High Technology Crimes: Case Summaries. This chapter gives a range of cases that illustrate the types of incidents that may be encountered under the general grouping of high technology crimes. There are examples of cases that have been successful and other examples that highlight how a lack of good procedures can lead to considerable expense, loss of credibility and embarrassment. This chapter will also address the specific roles that the computer forensics laboratory and staff play in each of the cases cited.

SECTION II: Creating a Computer Forensics Laboratory. This section will provide a background explanation of computer forensics and address management issues related to the creation of a laboratory and a computer forensic investigations laboratory. The section will include an introduction to computer forensics and the types of investigation that may be encountered, and will give advice on things that need to be considered when establishing a laboratory.

What People are Saying About This

From the Publisher

Fills the need of the growing number of IT and law enforcement professionals looking for information on digital forensics