5 research outputs found

    Up-dating investigation models for smart phone procedures

    The convergence of services in Smart Technologies such as iPhones, Androids and multiple tablet work surfaces challenges the scope of any forensic investigation to include cloud environments, devices and service media. The analysis of current investigation guidelines suggests that each element in an investigation requires an independent procedure to assure the preservation of evidence. However, we dispute this view and review the possibility of consolidating current investigation guidelines into a unified best practice guideline. This exploratory research proposes to fill a gap in digital forensic investigation knowledge for smart technologies used in business environments and to propose a better way to approach smart technology investigations.

    Update on the State of the Science of Digital Evidence Examination

    This paper updates previous work on the level of consensus in foundational elements of digital evidence examination. Significant consensus is found present only after definitions are made explicit, suggesting that, while there is a scientific agreement around some of the basic notions identified, the use of a common language is lacking. Keywords: Digital forensics examination, terminology, scientific methodology, testability, validation, classification, scientific consensus

    Review of human decision-making during computer security incident analysis

    We review practical advice on decision-making during computer security incident response. Scope includes standards from the IETF, ISO, FIRST, and the US intelligence community. To focus on human decision-making, the scope is the evidence collection, analysis, and reporting phases of response. The results indicate both strengths and gaps. A strength is available advice on how to accomplish many specific tasks. However, there is little guidance on how to prioritize tasks in limited time or how to interpret, generalize, and convincingly report results. Future work should focus on these gaps in explication and specification of decision-making during incident analysis.

    An examination of validation practices in relation to the forensic acquisition of digital evidence in South Africa

    The acquisition of digital evidence is the most crucial part of the entire digital forensics process. During this process, digital evidence is acquired in a forensically sound manner to ensure the legal admissibility and reliability of that evidence in court. In the acquisition process various hardware or software tools are used to acquire the digital evidence. All of the digital forensic standards relating to the acquisition of digital evidence require that the hardware and software tools used in the acquisition process are validated as functioning correctly and reliably, as this lends credibility to the evidence in court. In fact the Electronic Communications and Transactions Act 25 of 2002 in South Africa specifically requires courts to consider issues such as reliability and the manner in which the integrity of digital evidence is ensured when assessing the evidential weight of digital evidence. Previous research into quality assurance in the practice of digital forensics in South Africa identified that in general, tool validation was not performed, and as such a hypothesis was proposed that digital forensic practitioners in South Africa make use of hardware and/or software tools for the forensic acquisition of digital evidence, whose validity and/or reliability cannot be objectively proven. As such the reliability of any digital evidence preserved using those tools is potentially unreliable. This hypothesis was tested in the research through the use of a survey of digital forensic practitioners in South Africa. The research established that the majority of digital forensic practitioners do not use tools in the forensic acquisition of digital evidence that can be proven to be validated and/or reliable. While just under a fifth of digital forensic practitioners can provide some proof of validation and/or reliability, the proof of validation does not meet formal international standards. 
In essence this means that digital evidence, which is preserved through the use of specific hardware and/or software tools for subsequent presentation and reliance upon as evidence in a court of law, is preserved by tools where the objective and scientific validity thereof has not been determined. Since South African courts must consider reliability in terms of Section 15(3) of the Electronic Communications and Transactions Act 25 of 2002 in assessing the weight of digital evidence, this is undermined through the current state of practice in South Africa by digital forensic practitioners.

    Transfers of gunshot residue (GSR) to hands: an experimental study of mechanisms of transfer and deposition carried out using SEM-EDX, with explorations of the implications for forensic protocol and the application of Bayesian Networks to interpretation

    Gunshot residue (GSR) is produced during a firearm discharge and its recovery from the hands of a suspect may be used to support an inference that the suspect discharged a firearm. Various mechanisms of GSR transfer and deposition involving the hands of subjects were studied through a series of experimental scenarios that were intended to mimic real-world forensic situations. Samples were analysed using SEM-EDX with an automated search and detection package (INCAGSR, Oxford Instruments, U.K.). The results demonstrate the possibility of recovering considerable quantities of GSR from the hands of subjects as a result of a secondary transfer via a handshake with a shooter, or through handling a recently discharged firearm. As many as 129 particles were recovered from a handshake recipient. Additionally, GSR particles were found to undergo tertiary transfer following successive handshakes, while the possibility of GSR deposition on the hands of a bystander was confirmed. Particle size analysis revealed that very large (>50µm and >100µm) particles may undergo secondary transfer. The implications of these findings for forensic investigations are considered, particularly for interpreting the presence of GSR under competing activity level propositions about its deposition and the actions of the suspect. Bayesian Networks are inferential tools that are increasingly being employed in the interpretation of forensic evidence. Using the empirical data derived during the experimentation, the utility of Bayesian Networks for reasoning about mechanisms of GSR deposition is demonstrated. Further research aimed at unlocking the interpretative potential of GSR through empirical research and establishing the use of Bayesian Networks in forensic applications is recommended. 
It is anticipated that this emphasis on empirical support and probabilistic interpretation, in combination with the findings of this study, will strengthen the scientific basis of inferences made about GSR evidence and contribute to the accurate interpretation of evidence in legal settings.