Executive Summary
This document details the policy which the High Tech Crime Unit of Gallardia can adopt for the use of evidence derived from digital devices. It begins with an introduction, which describes the need for electronic evidence collection, forensic examination and the establishment of procedures or policies that govern these activities. This is followed by overall guidance on the applicability of this policy and the overarching guidelines on its use. The document then details the policies that could be adopted during the process of seizing digital devices for electronic evidence at the crime scene and during the forensic examination of these devices away from the crime scene. Additionally, some guidance is given on the suggested policy for interviewing people detained in relation to crimes which may involve electronic evidence, and on the use of evidence from other sources which complements the electronic evidence obtained from digital devices. The document concludes with a justification and a suggestion of how this policy framework can be kept relevant as time passes.
Introduction
In almost every court of law around the world, evidence is an important factor when determining the guilt or innocence of the accused. With the world becoming more technological, it is only to be expected that technological evidence has begun to make its way into the courtroom. Computers are used to commit crime and other unauthorised activities; computer forensics has thus become more important in tracking such criminal activity that is technologically enabled. Computer forensics deals with the “preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis” (Kruse and Heiser, 2001). For example, data such as account numbers and balances from activities such as money laundering, and the pornographic material from child pornography, can very often be found on the computer that was used for the activity, even long after it has been deleted. Information such as the date and time certain data was accessed, created, or deleted often forms a crucial part of the evidence. However, electronic, or digital, evidence is very fragile: it can be easily destroyed, subverted, or lost. In this respect it is actually very similar in character to normal physical evidence. It is therefore very important to have good policies and guidance in place and to train law enforcement officers in handling digital evidence. This policy paper gives guidance on the use of evidence derived from digital devices and on how and when to use evidence from digital devices. It is intended as an aid to law enforcement agencies to help them decide whether to use digital evidence or not, and how to use it. It details the procedures that must be adhered to for digital evidence to be admissible in the first place, and also other general considerations when using or attempting to use digital evidence.
General Policy Issues
Due to the rapidly changing nature of technology, this policy cannot be viewed as a definitive rulebook. The guidance detailed in this policy has to always be interpreted in the light of the current technology.
When investigating and collecting evidence from a crime scene, law enforcement officers have to first evaluate whether digital evidence is present. This does not simply mean the presence or absence of a computer: other material such as floppy disks, hard disks, CD-ROMs, and other technological items such as digital cameras, computer printouts, etc. also has the potential to be valuable digital evidence. After identifying the potential digital evidence, the crime scene investigators have to secure it in a suitable manner to prevent the digital evidence being lost or destroyed, or otherwise made inadmissible.
The physical digital evidence thus obtained will then have to be transported to a lab or any other suitable workplace where suitably qualified technical personnel can then proceed to examine the evidence.
Electronic evidence is by nature ‘latent’, which means that, like fingerprints and DNA, it is not immediately visible to the eye (US DoJ, 2000), and specific techniques or equipment are required to make the evidence visible. The examination process will therefore always be prone to weaknesses, and this stresses the importance of an independent audit trail being made available throughout the entire process, to ensure the impartiality of the evidence gathering process.
Examination of digital evidence could involve assessing the admissibility of the evidence, capturing the data present in it, recovering data that has been deleted, and analysing the data thus obtained. The examination of digital evidence requires highly specialised skills and it is therefore of paramount importance that the examination is conducted only by personnel with the requisite skills. There are several industry-recognised qualifications offered by the International Information Systems Security Certification Consortium, Inc., also known as ISC2, such as the Systems Security Certified Practitioner (SSCP), Certified Information Systems Security Professional (CISSP), etc.
Guidance
Both the Association of Chief Police Officers (ACPO, 2003) and the United States Department of Justice (2004) have drawn up detailed policies on the comprehensive process that accompanies the use of digital evidence. Both entities concur on the basic principles that should underlie any use of electronic evidence. They are:
- Care should be taken that action by law enforcement officers or their agents while securing, collecting and examining digital evidence does not change the digital material itself. This is important to preserve the integrity of the evidence.
- Every effort should be made to work on mirror copies rather than the original data. Only an impartial person (or persons) with the requisite training and expertise should perform the examination of digital evidence.
- All actions done in the process of securing and examining the digital evidence should be recorded to allow an independent third party to examine the audit trail and arrive at the same conclusion.
- The examiner should be impartial and the entire process should adhere to existing laws.
Identifying and collecting digital evidence from the crime scene
In situations where digital evidence may be present, some thought and planning has to be given to the process of collecting it. Law enforcement officers have to determine whether a search warrant is required and whether any conflict or concurrence with other laws exists (for example, what should be done if, while seizing evidence relating to a criminal activity, the officers come across evidence of possible software piracy). It may also be helpful to have contingency plans, for example in case trained personnel are suddenly ill or injured. Once the decision to seize the digital devices from a crime scene has been taken, the steps outlined below should be followed as far as possible, after the area has been secured. Gloves should be used to protect other evidence such as DNA and fingerprints.
- Document the scene (take photographs, notes, etc.)
- Identify all possible sources of digital evidence at the scene.
- Allow any printers to finish printing.
- If there are any devices that are switched on, document the connections and only then disconnect the modem or other means the device uses to connect to the network. Look for wireless modems if no wires are found. If possible, get a specialist’s advice before proceeding. Otherwise, switch off (unplug) any devices by pulling the power cable out at the end where it connects to the particular device, not at the socket. Remove all batteries found, including backup batteries, from any laptops or other such devices that run on batteries.
- Systematically remove, tag and bag each piece of equipment. Ensure that the labelling allows the forensic examiners to reconstruct the exact connections when required. Document any serial numbers, the connections and location of each device, and the status it was in when discovered (on, off, sleep, etc.). Use anti-static packaging and handle items carefully during collection and packaging, as electronic data can be lost if, for example, disks are bent or hard drives are dropped.
- Also search for written material such as notebooks and diaries, including blank pages with the indentation of writing, that may contain information which will help the forensic examination, such as passwords and PINs, in addition to other information that could be used as direct evidence. Other non-electronic material such as manuals, calendars, etc. may also contain evidence and should be treated as such.
- While transporting digital equipment, all the devices being transported should be switched off. This is because moving a digital device such as a computer while the system is running may cause changes to system data. When transporting digital equipment, it is also important to protect the latent data in it as far as possible, as electronic data is susceptible to damage or alteration from electromagnetic fields such as those generated by magnets, radio transmitters, and other devices (US DoJ, 2000).
- When handing over devices that were battery powered, inform the custodian and/or person responsible for forensic examination that data stored in battery powered devices may be lost if the battery is removed for long periods.
- If the operation of digital device collection takes place in a place where business is ongoing, extreme care must be taken to minimise the disruption caused to the business, and also that the data held by the law enforcement agency is protected against loss or damage such that the business does not experience negative financial implications as a result of the mistakes or negligence of the law enforcement agency (Anderson, 1996).
Networked devices can be accessed remotely, and therefore it is very important to disconnect any networks immediately. This is to prevent any erasure or subversion of the data on the device by anyone who knows that the digital evidence is being collected. Advances in technology mean that where previously cables were used to connect to a network, today there are many wireless methods of connection, and even connections between two or more devices need not be wired. This presents a very challenging situation: while it is difficult to quickly determine which devices are used to connect to an outside network (wireless modems, mobile phones, PDAs, etc.), it is also very important that the connection to the outside network is terminated to prevent any unauthorised access and subsequent loss of digital evidence. Sometimes there may be local wireless networks operating in the area that are beyond the immediate control of the law enforcement officers, and the only way to disconnect the device from the network is to switch it off (for example, consider a situation where a laptop at the crime scene uses a neighbour’s wireless network to connect to the Internet, and the neighbour is at that moment away from home). It is therefore important to also note down when the networks were detected and disconnected. This will help prove, for example, that the data was not subverted.
Another point to note is that switching off the power can cause some loss of data, and correspondingly some loss of evidence. However, it is more risky to transport electronic equipment that is not switched off, and therefore switching the devices off is recommended. It is desirable to have a checklist, which can be referred to by law enforcement officers responsible for securing the crime scene. This may be developed as part of a Standard Operating Procedure.
Policy: Any electronic evidence gathered in adherence to the procedures above may be deemed as acceptable for use. Any electronic evidence gathered without adherence to any of the procedures above may still be used, subject to an evaluation from an independent computer forensics specialist.
Digital Evidence Forensic Examination
It is important to note that electronic evidence obtained from digital devices may appear unimportant but can actually be crucial evidence when combined with electronic evidence from other sources, for example, ISP (Internet Service Provider) logs, mobile phone logs, evidence from remote storage locations, etc. Computer forensic examination has to be performed by specialist personnel or independent investigators. A valid and reliable forensic examination is required regardless of political, bureaucratic, technological, or jurisdictional boundaries in order for the electronic evidence collected to be valid (Noblett, 2000). Whoever conducts the forensic examination must adhere to the following guidelines:
- Only standard forensic analysis techniques and procedures for disk drive examination must be used. Nelsen et al. (2004) list the standard techniques and procedures for such an examination.
- Forensic examination should as far as possible be conducted on a bit stream copy of the evidence. Where this is not possible, strong cause is mandatory, and independent expert opinion is recommended.
- It is important to do things right and to properly document every activity that is undertaken in the process of examining the digital devices for evidence. This audit trail should be available at all times. This helps to prevent any accusations of evidence being planted as well as any doubt about the integrity of the data and the evidence found. In the absence of rigorous auditing, all the time and manpower that was put to work in the task of evidence gathering may be wasted if in the end the evidence is deemed unacceptable by a judge or jury because of the aspersions cast on the integrity of the evidence due to improper auditing.
- Personnel or independent specialists who conduct the forensic examination should be properly trained, and should enrol in appropriate recognised programmes for continuing professional development. Law enforcement agencies may individually have a set of continuing professional development courses which specialist personnel are required to undertake. Continuing professional development is important because of the rapidly changing nature of technology. Specialists need to constantly keep abreast of the latest developments, not only in order to be able to use the latest and most sophisticated tools, but also to learn more reliable and better ways of doing old tasks. Where independent specialists are hired for forensic examination, such specialists must have international recognition in their field of work, be impartial and also be appropriately qualified.
- Personnel conducting the forensic examination should have the requisite understanding of the relevant laws in addition to the specialist technical skills. Only then will they be able to detect when those laws are being broken, for example, the Data Protection Act, what legally constitutes software piracy, what legally constitutes electronic money laundering, etc. This is also important so as not to infringe on the privacy of individuals who have a reasonable right to expect it, for example, under doctor-patient privilege.
- Attention should also be given to other skills that may be required of the specialist technical personnel conducting the forensic examination, for example, accounting for white-collar crime, familiarity with different languages used by the suspect, etc. In such cases it may be desirable for a group of personnel with complementary skills to be assigned to the task of forensic examination.
- Where specialist personnel belonging to the law enforcement agency itself conduct forensic examination, there must be a standard operating procedure that has been developed to ensure the quality and integrity of the examination. Craiger and Swauger (2006) propose some widely accepted measures for the validation of digital forensics tools. The Scientific Working Group on Digital Evidence (SWGDE) and the International Organization on Digital Evidence (IOCE) (2000) list the internationally accepted principles for computer evidence. These principles are to be adhered to in the development of any standard operating procedure.
Policy: Any evidence obtained from forensic examination that is conducted in adherence to the procedures outlined above may be deemed acceptable for use. Any evidence obtained from forensic examination that did not adhere to the procedures mentioned above may still be used, subject to evaluation from a qualified independent specialist. Overall, the forensic examination must be conducted
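The two integrity requirements that run through the guidance and examination sections (work on a bit-stream copy rather than the original, and record every action so that an independent third party can follow the audit trail and reach the same conclusion) can be made concrete in code. The following is an added example written for this page; it is not code from the policy document or from any of the bodies it cites (ACPO, the US DoJ, SWGDE or IOCE). It assumes a hypothetical examiner workflow in which the raw contents of a seized storage device are represented by an in-memory byte string constructed below, the working copy is made byte for byte, SHA-256 is the chosen hash, and the examiner identifier "examiner-01" is a placeholder.

```python
"""Bit-stream copy verification and chained audit trail for a forensic acquisition.

Added example, not part of the original policy document. It assumes a
hypothetical examiner workflow: the seized device contents are an in-memory
byte string (constructed here), the copy is made byte for byte, and every
step is written to an append-only audit log that carries the evidence hash.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the raw contents of a seized disk (not real data).
SEIZED_DEVICE_BYTES = b"MBR\x00" + bytes(range(256)) * 4 + b"deleted-file-remnant\x00"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; this is the value recorded for the original and each copy."""
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only record of examiner actions, each entry chained to the previous one.

    A third party can recompute every entry hash and follow the chain, which is
    what lets them re-trace the examination and arrive at the same conclusion.
    """

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, examiner: str, action: str, evidence_hash: str) -> dict:
        previous = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "sequence": len(self.entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner,
            "action": action,
            "evidence_hash": evidence_hash,
            "previous_entry_hash": previous,
        }
        # The entry hash covers all fields above, including the previous entry's
        # hash, so editing or removing an earlier entry breaks every later link.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute each entry hash and check sequence numbers and chain links in order."""
        expected_previous = "0" * 64
        for index, entry in enumerate(self.entries, start=1):
            fields = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(fields, sort_keys=True).encode())
            if (entry["sequence"] != index
                    or fields["previous_entry_hash"] != expected_previous
                    or recomputed != entry["entry_hash"]):
                return False
            expected_previous = entry["entry_hash"]
        return True


def make_bit_stream_copy(source: bytes) -> bytes:
    """Byte-for-byte copy; examination is then done on this, never on the original."""
    return bytes(source)


def acquire_and_verify(source: bytes, examiner: str, trail: AuditTrail) -> tuple[bytes, bool]:
    """Hash the original, copy it, hash the copy, and log every step.

    Returns the working copy and whether its hash matches the original's.
    """
    original_hash = sha256_hex(source)
    trail.record(examiner, "hashed original media before imaging", original_hash)
    image = make_bit_stream_copy(source)
    image_hash = sha256_hex(image)
    trail.record(examiner, "created bit-stream copy", image_hash)
    # Re-hash the original after imaging as well: a changed original hash would
    # mean the acquisition itself altered the evidence.
    verified = image_hash == original_hash == sha256_hex(source)
    outcome = "match" if verified else "MISMATCH"
    trail.record(examiner, f"verified copy against original: {outcome}", image_hash)
    return image, verified


def image_still_matches(original_hash: str, image: bytes) -> bool:
    """Check before and after each examination step that the working copy is unchanged."""
    return sha256_hex(image) == original_hash


if __name__ == "__main__":
    log = AuditTrail()
    working_copy, ok = acquire_and_verify(SEIZED_DEVICE_BYTES, "examiner-01", log)
    print("copy verified:", ok, "| audit trail intact:", log.verify())
    for e in log.entries:
        print(e["sequence"], e["timestamp"], e["action"], e["evidence_hash"][:16])
```

The design choice worth noting is that each audit entry's hash includes the previous entry's hash, so the log cannot be quietly edited or shortened after the fact; anyone reviewing the examination runs `verify()` and then compares the recorded evidence hashes against the media they are handed.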
Information to be acquired during investigation and interview
It may be desirable to have an independent specialist or suitably qualified technical officers present during an interview of a person who has been detained and/or is being questioned in relation to electronic crime, or any crime where electronic evidence may be used. This is both to allow the law enforcement agency to be able to articulate effective questions of a technical nature that can be understood by the person being questioned, and also to allow the person’s answers to be understood within context.
It is also to be kept in mind that digital devices can run on varied systems, and these different systems have different capabilities. For example, different operating systems allow different ways of encrypting and obfuscating data (Craiger, 2006b and Craiger, 2004), and the specialist attending the interview needs to be aware of such issues, and not underestimate the expertise required of him or her.
Evidence from other sources
It is also to be kept in mind that electronic evidence obtained by means other than the digital devices themselves may be used in conjunction with the electronic evidence obtained from digital devices to complete the evidence. This may mean, for example, that network forensics is used to determine the suspect’s activity while online if such information cannot be found in whole on the digital device, or that mobile phone logs are used in conjunction with evidence from email communications, etc. Even non-electronic evidence may be used in conjunction with electronic evidence to provide the complete evidence. Such evidence may form part of the entire circumstantial evidence being constructed by the law enforcement agency and may be required by the High Tech Crime Unit in order to assist the operation of the computer forensic examination itself. This may also be achieved through the formation of groups of people with complementary expertise tasked with the forensic examination, as explained above. Additionally, specific evidence about actions taken to obfuscate, hide or destroy potentially incriminating evidence (Craiger, 2004) should also be taken into account, as the discovery of these can also form part of the actual evidence.
Conclusion
Computer forensics is a field that is constantly changing, in conjunction with the wider field of advances in technology, with new developments advancing the specific field as well as invalidating or making irrelevant older methods and procedures. As technology advances, society becomes more reliant on technology and uses it more and more. This in turn causes a shift in the way crime is committed; more and more crime is committed with the aid of technology. This results in newer ways of committing the same old crime (for example, stealing money progressed to stealing credit cards, and now to stealing access to electronic banking accounts). Law enforcement will therefore necessarily have to keep up in order to remain relevant. Increasing amounts of money, time and effort will have to be spent in training law enforcement personnel in the detection of crime committed with the help of technology, as well as in the process of gathering evidence from such activities. As the field advances, new issues will have to be dealt with, and new boundaries defined. This policy describes operating guidelines for the status quo, but with the rapid advances and uptake of technology, it may well be that this policy soon becomes out of date and irrelevant. In order to keep this policy complete and relevant, there has to be a systematic process of review and revision that updates it to reflect the changes and advances in technology.