PRECEPT:a framework for ethical digital forensics investigations

Purpose: Cyber-enabled crimes are on the increase, and law enforcement has had to expand many of their detecting activities into the digital domain. As such, the field of digital forensics has become far more sophisticated over the years and is now able to uncover even more evidence that can be used to support prosecution of cyber criminals in a court of law. Governments, too, have embraced the ability to track suspicious individuals in the online world. Forensics investigators are driven to gather data exhaustively, being under pressure to provide law enforcement with sufficient evidence to secure a conviction. Yet, there are concerns about the ethics and justice of untrammeled investigations on a number of levels. On an organizational level, unconstrained investigations could interfere with, and damage, the organization’s right to control the disclosure of their intellectual capital. On an individual level, those being investigated could easily have their legal privacy rights violated by forensics investigations. On a societal level, there might be a sense of injustice at the perceived inequality of current practice in this domain. This paper argues the need for a practical, ethically-grounded approach to digital forensic investigations, one that acknowledges and respects the privacy rights of individuals and the intellectual capital disclosure rights of organisations, as well as acknowledging the needs of law enforcement. We derive a set of ethical guidelines, then map these onto a forensics investigation framework. We subjected the framework to expert review in two stages, refining the framework after each stage. We conclude by proposing the refined ethically-grounded digital forensics investigation framework. Our treatise is primarily UK based, but the concepts presented here have international relevance and applicability.Design methodology: In this paper, the lens of justice theory is used to explore the tension that exists between the needs of digital forensic investigations into cybercrimes on the one hand, and, on the other, individuals’ rights to privacy and organizations’ rights to control intellectual capital disclosure.Findings: The investigation revealed a potential inequality between the practices of digital forensics investigators and the rights of other stakeholders. That being so, the need for a more ethically-informed approach to digital forensics investigations, as a remedy, is highlighted, and a framework proposed to provide this.Practical Implications: Our proposed ethically-informed framework for guiding digital forensics investigations suggest a way of re-establishing the equality of the stakeholders in this arena, and ensuring that the potential for a sense of injustice is reduced.Originality/value: Justice theory is used to highlight the difficulties in squaring the circle between the rights and expectations of all stakeholders in the digital forensics arena. The outcome is the forensics investigation guideline, PRECEpt: Privacy-Respecting EthiCal framEwork, which provides the basis for a re-aligning of the balance between the requirements and expectations of digital forensic investigators on the one hand, and individual and organizational expectations and rights, on the other

PRECEPT: A Framework for Ethical Digital Forensics Investigations.

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Cyber-enabled crimes are on the increase, and law enforcement has had to expand many of their detecting activities into the digital domain. As such, the field of digital forensics has become far more sophisticated over the years and is now able to uncover even more evidence that can be used to support prosecution of cyber criminals in a court of law. Governments, too, have embraced the ability to track suspicious individuals in the online world. Forensics investigators are driven to gather data exhaustively, being under pressure to provide law enforcement with sufficient evidence to secure a conviction. Yet, there are concerns about the ethics and justice of untrammeled investigations on a number of levels. On an organizational level, unconstrained investigations could interfere with, and damage, the organization’s right to control the disclosure of their intellectual capital. On an individual level, those being investigated could easily have their legal privacy rights violated by forensics investigations. On a societal level, there might be a sense of injustice at the perceived inequality of current practice in this domain. This paper argues the need for a practical, ethically-grounded approach to digital forensic investigations, one that acknowledges and respects the privacy rights of individuals and the intellectual capital disclosure rights of organisations, as well as acknowledging the needs of law enforcement. We derive a set of ethical guidelines, then map these onto a forensics investigation framework. We subjected the framework to expert review in two stages, refining the framework after each stage. We conclude by proposing the refined ethically-grounded digital forensics investigation framework. Our treatise is primarily UK based, but the concepts presented here have international relevance and applicability. In this paper, the lens of justice theory is used to explore the tension that exists between the needs of digital forensic investigations into cybercrimes on the one hand, and, on the other, individuals’ rights to privacy and organizations’ rights to control intellectual capital disclosure. The investigation revealed a potential inequality between the practices of digital forensics investigators and the rights of other stakeholders. That being so, the need for a more ethically-informed approach to digital forensics investigations, as a remedy, is highlighted, and a framework proposed to provide this. Our proposed ethically-informed framework for guiding digital forensics investigations suggest a way of re-establishing the equality of the stakeholders in this arena, and ensuring that the potential for a sense of injustice is reduced. Justice theory is used to highlight the difficulties in squaring the circle between the rights and expectations of all stakeholders in the digital forensics arena. The outcome is the forensics investigation guideline, PRECEpt: Privacy-Respecting EthiCal framEwork, which provides the basis for a re-aligning of the balance between the requirements and expectations of digital forensic investigators on the one hand, and individual and organizational expectations and rights, on the other

A comparative study of teaching forensics at a university degree level

Computer forensics is a relatively young University discipline which has developed strongly in the United States and the United Kingdom but is still in its infancy in continental Europe. The national programmes and courses offered therefore differ in many ways. We report on two recently established degree programmes from two European countries: Great Britain and Germany. We present and compare the design of both programmes and conclude that they cover two complementary and orthogonal aspects of computer forensics education: (a) rigorous practical skills and (b) competence for fundamental research discoveries

Security and computer forensics in web engineering education

The integration of security and forensics into Web Engineering curricula is imperative! Poor security in web-based applications is continuing to cost organizations millions and the losses are still increasing annually. Security is frequently taught as a stand-alone course, assuming that security can be 'bolted on' to a web application at some point. Security issues must be integrated into Web Engineering processes right from the beginning to create secure solutions and therefore security should be an integral part of a Web Engineering curriculum. One aspect of Computer forensics investigates failures in security. Hence, students should be aware of the issues in forensics and how to respond when security failures occur; collecting evidence is particularly difficult for Web-based applications

Beginner's Guide for Cybercrime Investigators

In the real world there are people who enter the homes and steal everything they find valuable. In the virtual world there are individuals who penetrate computer systems and "steal" all your valuable data. Just as in the real world, there are uninvited guests and people feel happy when they steal or destroy someone else's property, the computer world could not be deprived of this unfortunate phenomenon. It is truly detestable the perfidy of these attacks. For if it can be observed immediately the apparent lack of box jewelry, penetration of an accounting server can be detected after a few months when all clients have given up the company services because of the stolen data came to competition and have helped it to make best deals. Cybercrime is a phenomenon of our time, often reflected in the media. Forensic investigation of computer systems has a number of features that differentiate it fundamentally from other types of investigations. The computer itself is the main source of information for the investigator. CONTENTS: Computing systems and storage media - Computing devices - - Peripheral devices - - External drives for media storage - Typology of data stored on specific supports – File systems - - Program that allows working with ” inactive” space - Information that can be obtained from the computing system environment Computer networks - Copper wire in computer networks - Optical fibers - Wireless LAN - Internet and Intranet Software and services - Client/server architecture - Protocols and Standards - Internet Services - - e-Mail - - - Spam - - HTTP - - Web address - URL - - Web browsers - - - Browser cookies - - Working with web pages - - - Choosing your favorite web pages - - - Keeping track of visited web pages - - - Saving web pages - - Proxy servers - - Privacy on the Internet - FTP - Instant Messaging - Peer-to-peer networks Vulnerabilities - The first attacks on the Internet - Cybercrime - - Typologies of cyber attackers - - - Classification of cyber attackers according to their skills and objectives - Classification of risks and incidents in cyberworld - - Classification as a list of terms - - List of categories - - Categories of results - - Empirical lists - Events, attacks and incidents - Online security events, actions, and targets - - Actions - - Targets - Attacks - - Tools - - Vulnerabilities - - Unauthorized results Cybercrime laws - The concept of "cybercrime" Investigations - Computer forensic investigations - Digital evidence - Digital sampling during investigations - The suspect - Witnesses in cybercrime - Transporting of samples in laboratory - Analysis of samples - Preparing team members - Computer tools Convention on Cybercrime - Preamble - Chapter I – Use of terms - Chapter II – Measures to be taken at the national level - - Section 1 – Substantive criminal law - - - Title 1 – Offences against the confidentiality, integrity and availability of computer data and systems - - - Title 2 – Computer-related offences - - - Title 3 – Content-related offences - - - Title 4 – Offences related to infringements of copyright and related rights - - - Title 5 – Ancillary liability and sanctions - - Section 2 – Procedural law - - - Title 1 – Common provisions - - - Title 2 – Expedited preservation of stored computer data - - - Title 3 – Production order - - - Title 4 – Search and seizure of stored computer data - - - Title 5 – Real-time collection of computer data - - Section 3 – Jurisdiction - Chapter III – International co-operation - - Section 1 – General principles - - - Title 1 – General principles relating to international co-operation - - - Title 2 – Principles relating to extradition - - - Title 3 – General principles relating to mutual assistance - - - Title 4 – Procedures pertaining to mutual assistance requests in the absence of applicable international agreements - - Section 2 – Specific provisions - - - Title 1 – Mutual assistance regarding provisional measures - - - Title 2 – Mutual assistance regarding investigative powers - - - Title 3 – 24/7 Network - Chapter IV – Final provisions Recommendation No. R (95) 13 - Appendix to Recommendation No. R (95) 13 - - I. Search and seizure - - II. Technical surveillance - - III. Obligations to co-operate with the investigating authorities - - IV. Electronic evidence - - V. Use of encryption - - VI. Research, statistics and training - - VII. International co-operation Rules for obtaining digital evidence by police officers Standards in the field of digital forensics Principles in digital evidence Procedures model for the forensic examination - Hard disk examination Code of Ethics Sources and references About - Nicolae Sfetcu - - By the same author - - Contact Publishing House - MultiMedia Publishin

We Could, but Should We? Ethical Considerations for Providing Access to GeoCities and Other Historical Digital Collections

We live in an era in which the ways that we can make sense of our past are evolving as more artifacts from that past become digital. At the same time, the responsibilities of traditional gatekeepers who have negotiated the ethics of historical data collection and use, such as librarians and archivists, are increasingly being sidelined by the system builders who decide whether and how to provide access to historical digital collections, often without sufficient reflection on the ethical issues at hand. It is our aim to better prepare system builders to grapple with these issues. This paper focuses discussions around one such digital collection from the dawn of the web, asking what sorts of analyses can and should be conducted on archival copies of the GeoCities web hosting platform that dates to 1994.This research was supported by the Natural Sciences and Engineering Research Council of Canada, the Social Sciences and Humanities Research Council of Canada, the US National Science Foundation (grants 1618695 and 1704369), the Andrew W. Mellon Foundation, Start Smart Labs, and Compute Canada

Dark clouds on the horizon:the challenge of cloud forensics

We introduce the challenges to digital forensics introduced by the advent and adoption of technologies, such as encryption, secure networking, secure processors and anonymous routing. All potentially render current approaches to digital forensic investigation unusable. We explain how the Cloud, due to its global distribution and multi-jurisdictional nature, exacerbates these challenges. The latest developments in the computing milieu threaten a complete “evidence blackout” with severe implications for the detection, investigation and prosecution of cybercrime. In this paper, we review the current landscape of cloud-based forensics investigations. We posit a number of potential solutions. Cloud forensic difficulties can only be addressed if we acknowledge its socio-technological nature, and design solutions that address both human and technological dimensions. No firm conclusion is drawn; rather the objective is to present a position paper, which will stimulate debate in the area and move the discipline of digital cloud forensics forward. Thus, the paper concludes with an invitation to further informed debate on this issue

In-the-wild residual data research and privacy

As the world becomes increasingly dependent on technology, researchers endeavor to understand how technology is used, the impact it has on everyday life and the life-cycle and span of digital information. In doing so, researchers are increasingly gathering `real-world' or `in the wild' residual data, obtained from a variety of sources without the explicit consent of the original owners. This data gathering raises significant concerns regarding privacy, ethics and legislation, as well as practical considerations concerning investigator training, data storage, overall security and disposal. This paper surveys recent studies of residual data gathered in the wild and analyses the challenges that were faced. Taking these insights, the paper presents a compendium of practices for addressing the issues that arise in in the wild residual data research. The practices presented in this paper can be used to critique current projects and assess the feasibility of proposed future research