    Standard Representation for Digital Forensic Processing

    This paper discusses the lack of reliability and reproducibility validation in digital forensics for a criminal trial. It is argued that this challenge can be addressed with a standard data representation for digital evidence. The representation must include reproducibility documentation on processing operations, including automation, human interaction, and investigation steps. Two blueprint articles are analyzed: the CASE specification language for cyber-investigations [1] and the WANDA data standard for documenting semi-automated handwriting examination [2]. These two generic frameworks are studied for their granularity to support reproducibility testing by representing: (i) artefact characteristics, forensic-tool parameters and input-output logic; (ii) human and tool data interpretation; and (iii) parallel-running forensic tasks or chains of processes. The integration of a WANDA-based schema as a CASE expression is proposed. The utility of such integration is demonstrated as a new module in CASE designed to meet the high standard of proof and scientific validation typically required in criminal investigations and trials. The expression ensures compliance without overburdening digital forensic practitioners.

    Systematically assessing the competence level of digital evidence handling

    Norway is among the most digitalized countries in the world. For example, more than 91% of the citizens use mobile phones, and even more than 98% have access to the Internet. Hence, almost all kinds of criminal cases investigated by the Norwegian police include digital evidence. Within the police organization, various roles and responsibilities exist, ranging from first responders arriving and securing crime scenes, to police investigators, analysts, forensic scientists, and prosecutors. They will all need to handle digital evidence according to their work tasks. Available skilled personnel with education in digital forensics accounted for only 2% of the available personnel in 2018. To assess the skill level of first responders in securing digital evidence at crime scenes, derive knowledge needs and recommend adequate training, we conducted a large-scale field study. This paper presents our methodology in detail, comprising i) a theoretical competency assessment and ii) a practical test. Our findings indicate deficiencies in the examination phase of digital evidence, and there are indications that a digital evidence verification system is missing before the evidence is presented in court. Further findings are discussed in this paper before we propose several activities for decision makers to implement and to improve digital competence and digital understanding for personnel in law enforcement agencies.

    Privacy-respecting digital investigation

    The forensics investigation requirements are in direct conflict with the privacy rights of those whose actions are being investigated. At the same time, once private data is exposed it is impossible to ‘undo’ the effects of its exposure should the suspect be found innocent. Moreover, it is not uncommon that during a suspect investigation, private information of other innocent parties becomes apparent to the forensics investigator. These all raise the concern for the development of platforms for enforcing privacy boundaries even on authorized forensics investigators. To the best of the authors' knowledge, there is no practical model for privacy-respecting digital investigation which is capable of considering different jurisdictions' requirements and protecting subjects' data privacy in line with investigation warrant permissions and data-origin privacy requirements. Privacy-respecting digital forensics, as an emerging cross-disciplinary research area, is moving toward addressing the above issues. In this paper, we first establish the needed foundations and describe the details of "privacy-respecting digital investigation" as a cross-disciplinary field of research. Afterwards, we review the main research efforts in different research disciplines relevant to the field and elaborate on existing research problems. We finalize the paper by looking at potential privacy issues during digital investigation in the light of EU, US, and APEC privacy regulations.
    The main contributions of this paper are: first, establishing essential foundations and providing a detailed definition of "privacy-respecting digital investigation" as a new cross-disciplinary field of research; second, a review of the current state of the art in different disciplines relevant to this field; third, elaborating on existing issues and discussing the most promising solutions relevant to these disciplines; and fourth, a detailed discussion of potential privacy issues in different phases of the digital forensics life cycle based on EU, US, and APEC privacy regulations. We hope this paper opens up a new and fruitful avenue in the study, design, and development of privacy-respecting forensics investigation as an interdisciplinary field of research.

    Practical use of Approximate Hash Based Matching in digital investigations

    Approximate Hash Based Matching (AHBM), also known as Fuzzy Hashing, is used to identify complex and unstructured data that has a certain amount of byte-level similarity. Common use cases include the identification of updated versions of documents and of fragments recovered from memory or deleted files. Though several algorithms exist, there has not yet been an extensive focus on its practical use in digital investigations. The paper addresses the research question: How can AHBM be applied in digital investigations? It focuses on common scenarios in which AHBM can be applied, as well as the potential significance of its results. First, an assessment of AHBM for digital investigations with respect to existing algorithms and requirements for efficiency and precision is given. Then follows a description of scenarios in which it can be applied. The paper presents three modes of operation for Approximate Matching, namely searching, streaming and clustering. Each of the modes is tested in practical experiments. The results show that AHBM has great potential for helping investigators discover information based on data similarity. Three open source tools were implemented during the research leading up to this paper: Autopsy AHBM enables AHBM in an existing digital investigation framework, sddiff helps in understanding AHBM results through visualization, and makecluster improves analysis of graphs generated from large datasets by storing each disjunct cluster separately.

    Reliability assessment of digital forensic investigations in the Norwegian police

    This case study presents a qualitative assessment of the reliability of digital forensic investigation in criminal cases in Norway. A reliability validation methodology based on international digital forensic standards was designed to assess to what extent those standards are implemented and followed by law enforcement in their casework. 124 reports related to the acquisition, examination, and analysis of three types of digital data sources - computers, mobile phones, and storage devices - were examined. The reports were extracted from the criminal case management system used by the police and prosecution services. The reports were examined at the technology, method, and application level in order to assess the reliability of digital evidence for criminal proceedings. The study found that the digital forensic investigations in 21 randomly sampled criminal cases in Norway were insufficiently documented to assess the reliability of the digital evidence. It was not possible to trace the digital forensic actions performed on each item or to link the digital evidence to its source. None of the cases were shown to comply with digital forensic methodology, justify the methods and tools used, or validate tool results and error rates.