
    PRECEPT: a framework for ethical digital forensics investigations

    Purpose: Cyber-enabled crimes are on the increase, and law enforcement has had to expand many of their detecting activities into the digital domain. As such, the field of digital forensics has become far more sophisticated over the years and is now able to uncover even more evidence that can be used to support prosecution of cyber criminals in a court of law. Governments, too, have embraced the ability to track suspicious individuals in the online world. Forensics investigators are driven to gather data exhaustively, being under pressure to provide law enforcement with sufficient evidence to secure a conviction. Yet, there are concerns about the ethics and justice of untrammeled investigations on a number of levels. On an organizational level, unconstrained investigations could interfere with, and damage, the organization’s right to control the disclosure of their intellectual capital. On an individual level, those being investigated could easily have their legal privacy rights violated by forensics investigations. On a societal level, there might be a sense of injustice at the perceived inequality of current practice in this domain. This paper argues the need for a practical, ethically-grounded approach to digital forensic investigations, one that acknowledges and respects the privacy rights of individuals and the intellectual capital disclosure rights of organisations, as well as acknowledging the needs of law enforcement. We derive a set of ethical guidelines, then map these onto a forensics investigation framework. We subjected the framework to expert review in two stages, refining the framework after each stage. We conclude by proposing the refined ethically-grounded digital forensics investigation framework. 
Our treatise is primarily UK based, but the concepts presented here have international relevance and applicability. Design methodology: In this paper, the lens of justice theory is used to explore the tension that exists between the needs of digital forensic investigations into cybercrimes on the one hand, and, on the other, individuals’ rights to privacy and organizations’ rights to control intellectual capital disclosure. Findings: The investigation revealed a potential inequality between the practices of digital forensics investigators and the rights of other stakeholders. That being so, the need for a more ethically-informed approach to digital forensics investigations, as a remedy, is highlighted, and a framework proposed to provide this. Practical Implications: Our proposed ethically-informed framework for guiding digital forensics investigations suggests a way of re-establishing the equality of the stakeholders in this arena, and ensuring that the potential for a sense of injustice is reduced. Originality/value: Justice theory is used to highlight the difficulties in squaring the circle between the rights and expectations of all stakeholders in the digital forensics arena. The outcome is the forensics investigation guideline, PRECEpt: Privacy-Respecting EthiCal framEwork, which provides the basis for a re-aligning of the balance between the requirements and expectations of digital forensic investigators on the one hand, and individual and organizational expectations and rights, on the other.

    A Case-Based Reasoning Method for Locating Evidence During Digital Forensic Device Triage

    The role of triage in digital forensics is disputed, with some practitioners questioning its reliability for identifying evidential data. Although successfully implemented in the field of medicine, triage has not established itself to the same degree in digital forensics. This article presents a novel approach to triage for digital forensics. Case-Based Reasoning Forensic Triager (CBR-FT) is a method for collecting and reusing past digital forensic investigation information in order to highlight likely evidential areas on a suspect operating system, thereby helping an investigator to decide where to search for evidence. The CBR-FT framework is discussed and the results of twenty test triage examinations are presented. CBR-FT has been shown to be a more effective method of triage when compared to a practitioner using a leading commercial application.

    PRECEPT: A Framework for Ethical Digital Forensics Investigations.

    The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. Cyber-enabled crimes are on the increase, and law enforcement has had to expand many of their detecting activities into the digital domain. As such, the field of digital forensics has become far more sophisticated over the years and is now able to uncover even more evidence that can be used to support prosecution of cyber criminals in a court of law. Governments, too, have embraced the ability to track suspicious individuals in the online world. Forensics investigators are driven to gather data exhaustively, being under pressure to provide law enforcement with sufficient evidence to secure a conviction. Yet, there are concerns about the ethics and justice of untrammeled investigations on a number of levels. On an organizational level, unconstrained investigations could interfere with, and damage, the organization’s right to control the disclosure of their intellectual capital. On an individual level, those being investigated could easily have their legal privacy rights violated by forensics investigations. On a societal level, there might be a sense of injustice at the perceived inequality of current practice in this domain. This paper argues the need for a practical, ethically-grounded approach to digital forensic investigations, one that acknowledges and respects the privacy rights of individuals and the intellectual capital disclosure rights of organisations, as well as acknowledging the needs of law enforcement. We derive a set of ethical guidelines, then map these onto a forensics investigation framework. We subjected the framework to expert review in two stages, refining the framework after each stage. We conclude by proposing the refined ethically-grounded digital forensics investigation framework.
Our treatise is primarily UK based, but the concepts presented here have international relevance and applicability. In this paper, the lens of justice theory is used to explore the tension that exists between the needs of digital forensic investigations into cybercrimes on the one hand, and, on the other, individuals’ rights to privacy and organizations’ rights to control intellectual capital disclosure. The investigation revealed a potential inequality between the practices of digital forensics investigators and the rights of other stakeholders. That being so, the need for a more ethically-informed approach to digital forensics investigations, as a remedy, is highlighted, and a framework proposed to provide this. Our proposed ethically-informed framework for guiding digital forensics investigations suggests a way of re-establishing the equality of the stakeholders in this arena, and ensuring that the potential for a sense of injustice is reduced. Justice theory is used to highlight the difficulties in squaring the circle between the rights and expectations of all stakeholders in the digital forensics arena. The outcome is the forensics investigation guideline, PRECEpt: Privacy-Respecting EthiCal framEwork, which provides the basis for a re-aligning of the balance between the requirements and expectations of digital forensic investigators on the one hand, and individual and organizational expectations and rights, on the other.

    Mobile forensic triage for damaged phones using M_Triage

    Mobile forensics triage is a useful technique in a digital forensics investigation for recovering lost or purposely deleted and hidden files from digital storage. It is particularly useful, especially when solving a very sensitive crime, for example, kidnapping, in a timely manner. However, the existing mobile forensics triage tools do not consider performing a triage examination on damaged mobile phones. This research addressed the issues of performing triage examination on damaged Android mobile phones and reduction of false positive results generated by the current mobile forensics triage tools. Furthermore, the research addressed the issues of ignoring possible evidence residing in a bad block memory location. In this research, a new forensics triage tool called M_Triage was introduced by extending Dec0de’s framework to handle data retrieval challenges on damaged Android mobile phones. The tool was designed to obtain evidence quickly and accurately (i.e. valid address book, call logs, SMS, images and videos, etc.) on damaged Android mobile phones. The tool was developed using C#, while the back end engines were done using C programming, and it was tested using five data sets. Based on the computational time processing comparison with Dec0de, Lifter, XRY and Xaver, the result showed that there was a 75% improvement over Dec0de, 36% over Lifter, 28% over XRY and finally 71% over Xaver. Again, based on the experiment done on five data sets, M_Triage was capable of carving valid address book, call logs, SMS, images and videos as compared to Dec0de, Lifter, XRY and Xaver, with an average improvement of 90% over DEC0DE, 30% over Lifter, 40% over XRY and lastly 61% over Xaver. This shows that M_Triage is a better tool to be used because it saves time, carves more relevant files and fewer false positive results are achieved with the tool.

    Mobile health applications digital evidence taxonomy with knowledge sharing approach for digital forensics readiness

    M-health is the current application that is capable of monitoring and detecting human biological change and uses the Internet as a platform to transfer and receive the data from the cloud providers. However, the advancement of Internet of Things (IoT) technology poses a great challenge for digital forensic experts in order to preserve, acquire and analyse digital evidence. Digital evidence taxonomy is one technique in digital forensics that facilitates digital forensics readiness, and integration with a knowledge sharing approach is necessary to allow digital forensics experts to share their knowledge. Therefore, this research was carried out and consists of three phases, namely (1) initial phase, (2) intermediate phase and (3) final phase. In the initial phase, a systematic literature review was conducted to identify any potential gaps from the existing studies. Subsequently, digital evidence taxonomy in the IoT forensics layers was adopted, which consisted of three artefact categories to represent the IoT forensics layers. In the intermediate phase, 34 top-rated m-health apps were used as a case study to validate the digital evidence taxonomy. From the analysis of the result, various types of information for forensic investigation were acquired, such as type of outdoor activity, activity timestamp, client IP address and date accessed. In the final phase, the M-Health Digital Evidence Taxonomy System (MDETS) was developed as a proof of concept to demonstrate the integration of digital evidence taxonomy with the knowledge-sharing approach to facilitate digital forensic readiness. Interviews were used as the instrument tool to evaluate knowledge sharing in terms of people, process and technology elements in enabling digital forensic readiness. The results from the interviews support that knowledge sharing facilitates digital forensic readiness in terms of people, process and technology elements.
In conclusion, the integration of digital evidence taxonomy with the knowledge-sharing approach gives the opportunity for the digital forensic community to enhance the existing approach or procedure to increase the findings of a digital forensic investigation and make digital forensic readiness more proactive within the organisation.

    Snap Forensics: A Tradeoff between Ephemeral Intelligence and Persistent Evidence Collection

    Digital evidence needs to be made persistent so that it can be used later. For citizen forensics, sometimes intelligence cannot or should not be made persistent forever. In this position paper, we propose a form of snap forensics by defining an elastic duration of evidence/intelligence validity. Explicitly declaring such a duration could unify the treatment of both ephemeral intelligence and persistent evidence towards more flexible storage to satisfy privacy requirements.