
    Implementing chain of custody requirements in database audit records for forensic purposes

    During forensic database investigations, audit records become a crucial evidential element, particularly when certain events can be attributed to insider activity. However, traditional reactive forensic methods may not be suitable, urging the adoption of proactive approaches that can be used to ensure accountability through audit records whilst satisfying Chain of Custody (CoC) requirements for forensic purposes. In this paper, role segregation, evidence provenance, event timeliness and causality are considered as CoC requirements in order to implement a forensically ready architecture for the proactive generation, collection and preservation of database audit records that can be used as digital evidence for the investigation of insider activity. Our proposal implements triggers and stored procedures as forensic routines in order to build a vector-clock-based timeline for explaining causality in transactional events recorded in audit tables. We expect to encourage further work in the field of proactive digital forensics and forensic readiness; in particular, for justifying admissibility of audit records under CoC restrictions.

    Are You Ready? A Proposed Framework For The Assessment Of Digital Forensic Readiness

    This dissertation develops a framework to assess Digital Forensic Readiness (DFR) in organizations. DFR is the state of preparedness to obtain, understand, and present digital evidence when needed. This research collects indicators of digital forensic readiness from a systematic literature review. More than one thousand indicators were found and semantically analyzed to identify the dimensions to which they belong. These dimensions were subjected to a Q-sort test and validated using association rules, producing a preliminary framework of DFR for practitioners. By classifying these indicators into dimensions, it was possible to distill them into 71 variables, further classified into either extant or perceptual variables. Factor analysis was used to identify latent factors within the two groups of variables. A statistically based framework to assess DFR is presented, wherein the extant indicators are used as a proxy of the real DFR status and the perceptual factors as the perception of this status.

    A Forensic Enabled Data Provenance Model for Public Cloud

    Cloud computing is a newly emerging technology where storage, computation and services are extensively shared among a large number of users through virtualization and distributed computing. This technology makes the process of detecting the physical location or ownership of a particular piece of data even more complicated. As a result, improvements in data provenance techniques became necessary. Provenance refers to the record describing the origin and other historical information about a piece of data. An advanced data provenance system will give forensic investigators a transparent idea about the data's lineage, and help to resolve disputes over controversial pieces of data by providing digital evidence. In this paper, the challenges of cloud architecture are identified, how this affects the existing forensic analysis and provenance techniques is discussed, and a model for efficient provenance collection and forensic analysis is proposed.

    Digital Forensics Investigation Frameworks for Cloud Computing and Internet of Things

    Rapid growth in Cloud computing and the Internet of Things (IoT) introduces new vulnerabilities that can be exploited to mount cyber-attacks. Digital forensics investigation is commonly used to find the culprit and help expose the vulnerabilities. Traditional digital forensics tools and methods are unsuitable for use in these technologies. Therefore, new digital forensics investigation frameworks and methodologies are required. This research develops frameworks and methods for digital forensics investigations in cloud and IoT platforms.

    Developing a Proactive Framework for E-Discovery Compliance

    The purpose of this document is to provide Information Systems Management an awareness of a compliance risk associated with the management of electronic data. The changes to the Federal Rules of Civil Procedure in 2006 make electronic data discoverable as evidence for civil court cases, introducing the need for proactive management of end user data beyond the data that a particular form of legislation may require. Leveraging existing forensic data collection processes and raising the awareness of the problem and risk to the organization will provide a level of assurance for compliance should the data be requested in a civil trial. This project analyzed the current state that existed for businesses and organizations, the actual risk and precedent that has been set, and determined the current state of awareness and readiness that businesses have for this problem. The project then offers a solution to this problem that will aid in reducing the risk and hardship an organization could face when electronic data is requested. Finally, this project presents the results of actual testing of the proposed solution in a real world business enterprise.

    IPCFA: A Methodology for Acquiring Forensically-Sound Digital Evidence in the Realm of IAAS Public Cloud Deployments

    Cybercrimes and digital security breaches are on the rise: savvy businesses and organizations of all sizes must ready themselves for the worst. Cloud computing has become the new normal, opening even more doors for cybercriminals to commit crimes that are not easily traceable. The fast pace of technology adoption exceeds the speed by which the cybersecurity community and law enforcement agencies (LEAs) can invent countermeasures to investigate and prosecute such criminals. While presenting defensible digital evidence in courts of law is already complex, it gets more complicated if the crime is tied to public cloud computing, where storage, network, and computing resources are shared and dispersed over multiple geographical areas. Investigating such crimes involves collecting evidence data from the public cloud that is court-sound. Digital evidence court admissibility in the U.S. is governed predominantly by the Federal Rules of Evidence and Federal Rules of Civil Procedure. Evidence authenticity can be challenged by the Daubert test, which evaluates the forensic process that took place to generate the presented evidence. Existing digital forensics models, methodologies, and processes have not adequately addressed crimes that take place in the public cloud. It was only in late 2020 that the Scientific Working Group on Digital Evidence (SWGDE) published a document that shed light on best practices for collecting evidence from cloud providers. Yet SWGDE's publication does not address the gap between the technology and the legal system when it comes to evidence admissibility. The document is high level, with more focus on law enforcement processes such as issuing a subpoena and preservation orders to the cloud provider. This research proposes IaaS Public Cloud Forensic Acquisition (IPCFA), a methodology to acquire forensically sound evidence from public cloud IaaS deployments. IPCFA focuses on bridging the gap between the legal and technical sides of evidence authenticity to help produce admissible evidence that can withstand scrutiny in U.S. courts. Grounded in design science research (DSR), the research is rigorously evaluated using two hypothetical scenarios for crimes that take place in the public cloud. The first scenario takes place in AWS and is hypothetically walked through. The second scenario is a demonstration of IPCFA's applicability and effectiveness on Azure Cloud. Both cases are evaluated using a rubric built from the federal and civil digital evidence requirements and the international best practices for digital evidence to show the effectiveness of IPCFA in generating cloud evidence sound enough to be considered admissible in court.

    Guide to investigating business fraud


    Police Retention and Storage of Evidence in England and Wales

    Central to the operation of the appellate system is the ability of individuals who claim that their conviction is in error to revisit and re-examine evidence gathered during the investigation, as well as that relied upon at their trial. High-profile miscarriages of justice have often only been remedied when there has been defence access to materials post conviction. There is also an imperative for forces to retain evidence in investigations in which no perpetrator has been detected or convicted, to facilitate cold case reviews. In order to give effect, then, to an appellate system and enable cold case reviews, evidence needs to be retained and properly stored. If materials are not retained and stored correctly, then re-investigations are rendered impossible. Retention is especially critical in respect of physical materials that could be subject to forensic examination. With the progress of science and technology, and the interpretation of results, it is essential that such physical (and now, often digital) materials are retained for future (re)evaluation. From analysis of responses to a Freedom of Information request to all police forces in England and Wales, and qualitative interviews with criminal justice stakeholders, this article examines the retention and storage of materials, and considers the operation and future of the Forensic Archive Ltd. It details a worrying picture of inconsistency, with confusion over what should be retained, and how. It concludes that justice demands that we accept that the proper retention and storage of materials is fundamental to the fair and effective operation of our criminal justice system, and ensures that the Court of Appeal can fulfil its remit in addressing wrongful convictions and forces can pursue justice in cold cases.