DFIRLABS | Digital Forensics South Africa
Thoughts from DFIRLABS

Digital Evidence – Part II

12/12/2017

Read Part I of this post here.

Last time, I gave a little background on digital evidence – where it comes from, why it’s relevant and how it should be gathered. Now we get to the interesting, finicky part: how does the legal system deal with digital evidence? (Disclaimer: this is the part where I say that I’m not a lawyer, no matter how much I loved Suits and The Good Wife).

I am from South Africa, so I’m mainly coming from a South African legal context and perspective (this is not to say that these issues won’t affect you if you’re from another country – these considerations are rather universal, and different countries simply address them in different ways).

In a great informative paper written by Prof Murdoch Watney on the South African legal position regarding electronic evidence, the legal questions and concerns surrounding digital (or electronic) evidence are grouped into two main categories:
  1. Determining admissibility of a data message as electronic evidence
  2. Once the electronic evidence is admitted, what evidential weight can be attached to it?

While these issues can legally get quite complex, I’ll be addressing them from the digital forensic examiner’s point of view – the ways we try to ensure that the evidence we extract is correct, unaltered and interpreted correctly.

Admissibility

Everyone who’s worked with a computer likely knows how easily files and their metadata can be altered. The mere act of logging onto a computer (no matter if you’re the end user or the investigator) can alter the device’s state, thereby altering the source of evidence – now we’re seeing issues of integrity and originality being raised, which can easily influence the evidence’s admissibility in court. This is why we use the process of “imaging” (which I briefly mentioned in Part I) to preserve evidence correctly. Imaging a device results in a read-only image or “clone” of the original device’s entire storage (or file directory, depending on the needs of a case). The data/potential evidence is essentially stored in a forensic container and verified via hashing. During the verification process, the hash calculated over the forensic image is compared to the hash calculated over the original evidence in order to ensure that no alterations occurred during the imaging process. Imaging also has the advantage of eliminating our reliance on the device that the evidence was found on, i.e. the suspect’s mobile phone or laptop, since we now have an image file that we can safely store and work with.

I was watching a fabulous Korean legal drama called Witch’s Court (마녀의 법정) the other day. However, in one of its less-fabulous moments, the prosecutors had obtained a tablet that contained incriminating video evidence that they were building their case around. First, they watched the videos on the tablet itself (no forensic imaging, or any attempt to preserve the evidence, was made!). Later, they discovered the videos had been purposely deleted off the tablet - while in their custody - due to an app installed on it. Cue the panic that their evidence was gone. Meanwhile, I was incoherently yelling at the screen that this wouldn’t have been a problem if your forensics people had been following the proper procedures! (I’m super fun at parties). Luckily it worked out all right in the end, if you’d been stressing.

Evidential Weight

Prof Watney goes on to talk about how the evidential weight of an exhibit is decided by the court, and how several guidelines as laid out by Section 15 of the Electronic Communications and Transactions Act 25 of 2002 must be followed. One line I’d like to draw attention to in Prof Watney’s paper is this one: “…in using these guidelines a court will probably need some expert help to understand technical procedures…”.

It’s easy to misinterpret digital evidence, especially if one doesn’t have a technical background (or even if you do, sometimes). One of the most infamous examples of the misinterpretation of digital evidence is the Casey Anthony trial – two separate forensic tools gave differing outputs after parsing a Mozilla database, and the prosecution’s case suffered when it was determined that their interpretation was incorrect (a fantastic, technical breakdown of the digital forensics side of the case can be found here). The sheer complexity of the systems that are being dealt with in digital forensics – whether it’s Windows, Android, iOS, or any of the numerous third party data structures we find within these environments – means that a deep technical understanding of computers is a must.

Avoiding mistakes like these is why it’s so important that a digital forensics examiner understands not only the systems and data structures of the evidence they’re examining, but also the workings and limitations of the forensic tool being used to conduct the examination. This means education and training in the technical aspects of IT systems; it means quality assurance on all forensic reports originating from a digital examination and analysis; it means the verification and validation of forensic tools. It means that the digital forensic examiner must do everything in his or her power to ensure that the interpretation of evidence provided is as accurate and correct as possible – because ultimately, people’s lives and futures may very well be on the line.

Author

Saskia Kuschke is a digital forensics examiner and resident pop-culture reference generator at DFIRLABS.

Digital Evidence - Part I

4/12/2017

I’ve recently started watching season 3 of FOX’s detective show Lucifer. I’ve always enjoyed the show, despite how improbable it is that the resident forensic scientist appears to specialise in digital forensics, toxicology, ballistics, DNA forensics or whatever the plot requires - though I suppose that’s hardly the most unrealistic thing in a show about the devil solving crimes in Los Angeles.

Something I’ve observed is that whenever a case grinds to a halt in this show (and many other police procedurals), some piece of digital evidence usually comes to light to save the day – whether it’s suddenly-unearthed CCTV footage, or a photo of a number plate, or some incriminating emails or Google searches.

So let’s talk about digital evidence (DE) – what it is, why it’s the 21st century’s new treasure trove for the inquiring investigator, and the legal niceties surrounding it.

What is Digital Evidence (DE)?

Our entire lives are becoming increasingly more digital. We socialise on Facebook, show off on Instagram, argue on Twitter and mess around on Reddit. We do our work on laptops and smartphones, and play games on consoles and desktops. We order things online, we do our banking online, we regularly query the great oracle Google regarding the mysteries of the universe and where the nearest Chinese takeaway place is – that sort of thing.

Is it any wonder, then, that crime is another thing happening in the digital space?

The US National Institute of Justice gives us this definition for digital evidence:

“Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant (PDA), a CD, and a flash card in a digital camera, among other places.”

I like this definition because it emphasises how many sources of digital evidence there can be, beyond your basic computer and mobile phone. Any device that stores or tracks data in some way is a potential source of evidence – yes, even your FitBit.

How is DE gathered and preserved?

This is where the DFIR (digital forensics and incident response) gentlemen and ladies come in. Gathering and preserving digital evidence is not simply copying and pasting a piece of data and handing it over (we’ll get into the reason for this when we get to the legal issues in Part II). There are accepted and standardised methods for acquiring data for evidential purposes, and special tools to facilitate these processes.

The Scientific Working Group on Digital Evidence (SWGDE) outlines the best practices when conducting an acquisition. The entire document can be found here (the document is at version 3.1 at the time of writing), but the basic idea is:

  1. Document the scene
  2. Secure and collect the devices that contain the digital evidence (provided that devices may be removed from the scene)
  3. Image the devices (i.e. create a bit-stream copy – called a forensic image – of the relevant data, which will be saved to a proprietary format such as .E01). This step is arguably the most critical in any investigation – if the integrity of the evidence is compromised here, the rest of the investigation is going to be a walk in the (Jurassic) park
  4. Verify the forensic image against the original data (where possible)
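As an added example that is not from the DFIRLABS post, the following Python models steps 3 and 4 above together with the hash verification described in Part II: a constructed in-memory “device” is copied sequentially while being hashed, and the image is later verified against both the recorded acquisition hash and the original, including the case where the original was altered while in custody. The sample storage bytes and all function names are constructed for illustration and are not any forensic tool’s API.

```python
"""Constructed example, not from the post: a toy model of imaging (step 3) and
verification (step 4). The "device" is an in-memory byte string, not a real disk."""
import hashlib
import io

# Constructed sample storage: a few pseudo-files, one being the incriminating video.
VIDEO = bytes(range(256)) * 4
DEVICE = b"FS-HEADER\x00notes.txt:hello\x00video_001.mp4:" + VIDEO + b"\x00"
# The same storage after an app on the device overwrote the video in custody
# (the Part II scenario). Same length, so only a hash reveals the change.
TAMPERED_DEVICE = DEVICE.replace(VIDEO, b"\x00" * len(VIDEO))


def hash_bytes(data):
    """Hash recorded with the forensic container (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


def image_device(device, chunk_size=4096):
    """Step 3: sequential bit-stream copy of the source, hashing the data as it is read.
    Returns (image_bytes, acquisition_hash); the hash is what the image file records."""
    digest = hashlib.sha256()
    image = io.BytesIO()
    device.seek(0)
    while chunk := device.read(chunk_size):
        digest.update(chunk)
        image.write(chunk)
    return image.getvalue(), digest.hexdigest()


def acquire(source_bytes):
    """Image a constructed in-memory device (convenience wrapper around image_device)."""
    return image_device(io.BytesIO(source_bytes))


def verify_image(image, acquisition_hash, source):
    """Step 4: re-hash the image and the original and compare both to the acquisition hash.
    A source mismatch means the original changed after imaging, not that the image did."""
    return {
        "image_matches_acquisition": hash_bytes(image) == acquisition_hash,
        "source_matches_acquisition": hash_bytes(source) == acquisition_hash,
    }


if __name__ == "__main__":
    image, acq_hash = acquire(DEVICE)
    print("acquisition hash:", acq_hash)
    print("untouched device:", verify_image(image, acq_hash, DEVICE))
    print("video wiped on device:", verify_image(image, acq_hash, TAMPERED_DEVICE))
    print("video still preserved in image:", VIDEO in image)
```

Because the image verifies against the hash taken at acquisition, the evidence survives intact even after the device itself has been altered, which is exactly why the image rather than the original becomes the working copy.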

Since this post is getting a little longer than I anticipated, I’ll be talking about the legal issues surrounding digital evidence in Part II. 

Author

Saskia Kuschke is a digital forensics examiner and resident pop-culture reference generator at DFIRLABS.

Copyright DFIRLABS (Pty) Ltd
(Reg. No. 2014/097774/07) 2014-2017.
All Rights Reserved.