The Principles of Cyber Forensics
The principles of cyber forensics exist to ensure that the information collected does not lose its legitimacy, and so remains admissible, before a court of law. It should be appreciated that cyber forensics is a young discipline and is not yet fully developed; as a result the principles behind the art, which is also a science, still have gaps that can be exploited.
According to Forensic Focus (2010), there are three principles associated with cyber forensics, particularly in the collection of digital evidence:
The act of collecting digital evidence should not result in any alteration of the data in question, wherever this is possible.
All handling of digital evidence (from collection through to preservation and analysis) must be fully documented.
Access to original digital evidence should be restricted to those deemed "forensically competent".
Close reading shows that the above principles all aim at ensuring the admissibility of the collected data before a court of law. It has been argued, however, that the principles are not properly worded and lack the key terms needed to remove ambiguity.
For instance, it has been argued that the first principle cannot be upheld where live analysis is required, since examining a running system necessarily changes its state. In the second principle, what "fully documented" means is not explained. In the third, forensic competence is not defined. Failure to carry out the investigative process properly exposes the digital evidence to threats that are likely to corrupt the data and make it inadmissible before a court of law.
The Digital Evidence
Digital evidence is ranked among the most sensitive forms of evidence in a court of law. Its handling calls for great caution; otherwise it is likely to be considered void or corrupted. The biggest challenge, and hence threat, to digital evidence, in the view of Smith and Kenneally (2010), is "addressing the integrity of electronic data and events": the ease with which the information can be altered, often without leaving any obvious trace.
They pose a significant question in relation to digital evidence: "is there not the same risk (same as in corporeal crime scenes) that evidence may have been planted, altered, wholesale removed prior to the investigation – similar to moving or removing a gun, body, blood, physical document, and so forth?"
The ability to alter digital data before an investigation begins, and the uncertainty over whether the experts carrying out the investigation will detect that interference, is a real threat to cyber forensics. The threat is worse when the alteration is carried out by another expert, and worse still when misleading data is planted, since this can lead a court to a wrong judgment.
This threat, and especially the burden of proving that the digital data collected is valid and can be relied upon by a court of law, places a heavy responsibility on investigators. It has also led to a defined process for how an investigation should be carried out. The next section discusses the investigation process used to preserve, locate, select, analyze, validate, and present digital evidence for evidentiary purposes.
Lewis has identified the following qualities as significant to an ideal forensic process:
- Must not modify or contaminate the media or data
- Must acquire the image
- Must authenticate the data
- Analysis of the data to include
- Chain of custody
- Identification
(Adapted from Corporate Computer Forensics Training Systems Text Manual, Volume 1, by Lewis, p. 18)
Close observation of the procedure proposed by Lewis above shows that the process must pay attention to preservation, location, selection, analysis, validation, and presentation. According to New York Computer Forensic Services, the computer forensic examination process involves the "preservation, identification, extraction, interpretation, and documentation of computer evidence." It is significant to note that all of this is done to render the collected digital data valid before a court of law, as brought out in the definition of computer forensics given by Global Digital Forensics (2010):
Computer Forensics is the preservation, identification, extraction, interpretation, and documentation of computer evidence, including the USDOJ rules of evidence, legal processes, the integrity of evidence, factual reporting of the information found, and the ability to provide expert opinion in a court of law or other legal proceedings as to what was found.
In summary, five steps can be identified in the cyber forensic process: preparation, data collection, examination, analysis, and reporting to the relevant authorities.
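Two of the requirements above, that the process "must authenticate the data" and maintain a "chain of custody" (Lewis), and the threat Smith and Kenneally describe, that data can be altered before or during an investigation, are usually addressed in practice with cryptographic hashes recorded at acquisition and re-checked at every handover. The following Python is an added illustration of that technique and is not code from the original page or from any of the authors cited; the item identifiers, examiner names and the small byte string standing in for a disk image are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a raw disk image (not real evidence): a few hundred bytes
# of "sector" data followed by a small text artefact whose date an attacker might edit.
SOURCE_MEDIA = bytes(range(256)) * 2 + b"notes.txt: meeting with supplier on 2010-03-14\n"


def hash_bytes(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Digest the data with several algorithms. Recording two independent hashes
    means a deliberate collision against one of them still leaves a mismatch."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


@dataclass
class CustodyRecord:
    """Chain-of-custody log: who handled the item, when, what they did, and the
    hashes observed at that moment (the 'fully documented' principle)."""
    item_id: str
    acquisition_hashes: dict
    entries: list = field(default_factory=list)

    def log(self, actor: str, action: str, hashes: dict) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "hashes": hashes,
        })

    def to_json(self) -> str:
        """Serialise the record for the case file or the final report."""
        return json.dumps({"item_id": self.item_id,
                           "acquisition_hashes": self.acquisition_hashes,
                           "entries": self.entries}, indent=2)


def acquire_image(media: bytes, item_id: str, examiner: str):
    """Read-only acquisition: copy the source bit for bit, hash both source and copy,
    and refuse to proceed unless they agree. The source object is never written to."""
    image = bytes(media)                       # the working copy analysts will examine
    source_hashes = hash_bytes(media)
    image_hashes = hash_bytes(image)
    if source_hashes != image_hashes:
        raise RuntimeError("image does not match source media; acquisition failed")
    record = CustodyRecord(item_id, source_hashes)
    record.log(examiner, "acquired forensic image and verified against source", image_hashes)
    return image, record


def verify_image(image: bytes, record: CustodyRecord, actor: str) -> bool:
    """Re-hash the image before each handling step and log the outcome.
    A mismatch means the image was altered after acquisition."""
    current = hash_bytes(image)
    intact = current == record.acquisition_hashes
    record.log(actor, "verification " + ("passed" if intact else "FAILED"), current)
    return intact


def demo():
    """Acquire, hand over to a second examiner, then simulate the kind of
    alteration Smith and Kenneally warn about (a planted change to a date)."""
    image, record = acquire_image(SOURCE_MEDIA, "ITEM-001", "examiner A")
    handover_ok = verify_image(image, record, "examiner B")
    tampered = image.replace(b"2010-03-14", b"2011-03-14")
    tampered_ok = verify_image(tampered, record, "examiner C")
    return handover_ok, tampered_ok, record


if __name__ == "__main__":
    ok, bad, rec = demo()
    print("handover intact:", ok, "| after tampering intact:", bad)
    print(rec.to_json())
```

The hash check only proves that the image has not changed since the moment it was hashed; it says nothing about alterations made to the source before acquisition, which is exactly the gap Smith and Kenneally point at and why the acquisition itself must be witnessed and logged. Recording MD5 and SHA-256 together is the usual compromise between compatibility with older tools and resistance to deliberately constructed collisions.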
Validation must begin at the very first stage of this process, and it covers the people as well as the data: the process should be carried out by a certified computer forensic examiner, and the equipment used should be licensed so that results will be accepted in court. It should be noted that some authors have raised concerns about how "certified computer forensic examiner" is defined.