DMF Unit 3


3. Digital forensic readiness

The ability to perform digital investigation with minimal cost, while maximizing the usefulness of evidence.

Definition: Digital forensic readiness

• Digital forensic readiness is defined by answering the question “What does it mean to be ready?” Simply put, it means being prepared.
• The goal of digital investigation is to reconstruct the incident and find
supporting or refuting evidence.
• Ultimately, the collected digital evidence can be used in a court of law.
• Thus, it follows: to be forensically ready means to be prepared to
efficiently execute digital investigations and then present evidence to the
intended audience (such as auditors or legal advisors in enterprise
settings) or in a court of law.

• In an ideal situation, we would be able to seize all digital devices, collect and
thoroughly analyze all possible data, and quickly come up with a conclusion.
• Unfortunately, we have limited resources and time.
• We must finish the investigation within a reasonable period of time, by
focusing on the artifacts that give the most value to the investigation based on
the specific incident.

Law Enforcement versus Enterprise Digital Forensic Readiness

• Enterprise Digital Forensic Readiness
The ability in an enterprise to perform digital investigations with minimal cost and disruption to business operations, while maximizing the usefulness of evidence.

• Who is performing digital investigations? The first thought is usually law enforcement.
• The common view of forensics (like fingerprints or ballistics) is that of a
crime scene where law enforcement personnel conduct an investigation and
perform forensics as needed.
• The same conception applies to digital forensics as well, where law
enforcement personnel conduct an investigation and collect digital evidence.

• More recently, enterprises have found new application areas for digital forensics.
• For example, finding the root cause of incidents, providing due diligence (compliance with the normal standards of care in the industry or taking reasonable precautions), supporting disciplinary actions, and more.
• This led to the birth of a new sub-area within digital forensics: enterprise digital forensics.
• A mix of law enforcement and enterprise forensic analysts involved in an investigation is also possible.
• The enterprise can perform its own initial digital forensic investigation as part of the incident response procedures before deciding whether to contact law enforcement and hand off the evidence to a criminal investigation.

• Even if enterprises do not initially plan to use the gathered evidence from an
investigation of an incident in a court of law, the investigation might reveal
criminal activity.
• Additionally, the loss of personally identifiable information (PII) or
intellectual property belonging to a third party may result in lawsuits or other
civil action.
• Whether the ultimate goal of the digital forensic investigation is to present
digital evidence for an enterprise audience or to a court of law, the same
methodology applies.
• In both cases, digital evidence must be collected in a forensically sound manner, by following forensic principles.

• However, unlike law enforcement, enterprises are more likely to be required to ensure business continuity during forensic investigations and limit the potential disruptions to business operations.
• In addition, the laws and regulations that apply to investigative activities performed by private investigators and forensic professionals in an enterprise may differ from those that apply to law enforcement.

Why? A Rationale for Digital Forensic Readiness

• We will discuss two main reasons for considering digital forensic readiness: cost and the usefulness of the digital evidence that has been collected.

Cost

• Based on the objectives (Tan, 2001) and definition of digital forensic readiness (see Definition 4.1), the first important aspect of digital forensic readiness is minimizing the cost.
• It is tempting to assume that incidents occur one at a time, and that the investigation team has all the resources needed to solve them within the given time period.
• The attackers do not stand in line and wait for their turn to act. There are times when the forensic team has to juggle several investigations at the same time.
• The number and scope of the forensic investigations are constrained by resource limitations.
• What “cost” components are we discussing here? The cost of the investigation involves time spent on the investigation (which can be measured by hours or investigators’ fees) and level of effort required, equipment costs, and other costs directly related to conducting the investigation.

• J. Tan (2001) provides the following estimate for the costs involved in a forensic investigation after the evidence has already been collected.
• A two-hour intrusion resulted, on average, in the forensic investigator
spending 40 hours to perform an analysis and write a report.
• This assumes that the evidence has already been collected beforehand and
the investigators can dive straight into the analysis; a more accurate estimate
must also include the costs related to collecting and handling the digital
evidence.

• Let us look at a few more estimates. Endicott-Popovsky et al. (2007) analyzed and compared two cases.
• Both of the investigations were performed in an ad hoc reactive manner requiring a considerable amount of time and resources:
• The estimated investigation time in a New Zealand hacker’s case, characterized as a typical intrusion scenario, was 417 hours, resulting in an investigation cost of $27,800 (one victim only).
• A Russian hacker’s case (automated online auctions using a stolen credit card) that resulted in prosecution took 9 months of investigators’ time. A partial estimate of the cost was $100,000.

Usefulness of Digital Evidence

• Recall the goals (Tan, 2001) and the definition of digital forensic readiness (see Definition 4.1).
• One part of the definition deals with “maximizing the usefulness of incident evidence data.”
• What is “useful” digital evidence? The usefulness can be defined through the
intended purpose or the situation in which the evidence will be used.
• Grobler et al. (2010) suggest a definition of comprehensive digital
evidence that captures the components of usefulness, namely: evidentiary
weight in a court of law, relevant and sufficient for determining root cause,
linking the attacker to the incident.
• To sum up, digital evidence is useful when it can be captured and preserved,
contributes to solving the incident or crime, is relevant, is sufficient, and has
evidentiary weight in a court of law.

Existence of Digital Evidence

Digital evidence is difficult to collect and easy to destroy.

• The required evidence might not be available.
• Some digital data (e.g., network traffic) exists only for an instant, unless it is captured and preserved.
• If activities or actions are not logged, it might be impossible to retrace them.
• Order of volatility also plays a role, and we may be changing some types of data in the process of extracting other types of data.

The story in Example 4.2 illustrates one way to destroy or lose potential evidence data in enterprises or on personal devices.

• A user notices that there is something wrong with his computer.
• The first thing he does to improve the situation is to restart the computer.
• Then he asks a colleague for help. The colleague suggests it is malware.
• The user calls IT support all stressed and impatient: “I need to have this up and running now! I have work to do.”
• The helpful IT support staff cleans up the malware. If at this point you were called to do a forensic investigation, how successful would you be?

Evidentiary Weight of Digital Evidence

• How much evidentiary weight does digital evidence carry? This can be
expressed through degrees of trustworthiness, relevance, sufficiency, and
validity.

Relevance and Sufficiency of Digital Evidence

• Relevancy is described as demonstrating that the evidence collected contains information of value and helps to prove or disprove an element in the incident being investigated (see ISO/IEC 27037:2012; ISO/IEC, 2012).
• Sufficiency is defined as having enough material to allow the elements in the investigation of the incident to be adequately examined (see ISO/IEC 27037:2012; ISO/IEC, 2012).

Trustworthiness of Digital Evidence

• Even if you manage to collect the digital evidence, how trustworthy is the
evidence?
• Is it accurate?
• Did it come from sources that you can trust?
• Was it collected and handled appropriately?
• How do you know that the evidence has not been changed or forged?
• Is the evidence complete, or are there
• What impact did the investigator’s tools have on the digital evidence?
• All of these questions point to various aspects of trustworthiness, namely authenticity, integrity, and reliability.

An Obliging Legal Assistant

• “An attorney had custody of a client’s computers. Information technology staff from the opposing counsel’s office insisted on knowing the size of the plaintiff’s drives. An obliging legal assistant booted the systems and reported the disk sizes. When the drive was subjected to a proper forensic investigation, 192 files had been changed and the ‘last modified’ dates corresponded to the time the assistant started the machines.”
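As an added illustration (not part of the original notes), the following Python script shows one way to answer the trustworthiness questions above about integrity and handling: the item is hashed at acquisition, and every custody event is hashed together with the previous log entry, so both an altered evidence file (the booted-machine scenario in the legal assistant story) and an edited log record are detected on verification. Evidence id, custodians and file contents are constructed samples.

```python
"""Tamper-evident chain-of-custody log for one digital evidence item.

Added example, not code from the original notes. The acquisition hash fixes
the evidence content at the moment it is seized; every later custody event is
hashed together with the previous entry, so an altered evidence file or an
edited log record becomes detectable on verification. All ids, custodians and
file contents are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value used by the first entry (it has no predecessor)


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash every field of a log entry except its own stored digest."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id: str, path: str):
        self.evidence_id = evidence_id
        self.entries: list[dict] = []
        # The first entry records the hash taken at acquisition; every later
        # hash of the item is compared against it during verification.
        self._append("acquired", "first responder", sha256_file(path))

    def _append(self, action: str, custodian: str, evidence_hash: str) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "evidence_hash": evidence_hash,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)

    def record(self, action: str, custodian: str, path: str) -> None:
        """Log a custody event, re-hashing the item as it is at that moment."""
        self._append(action, custodian, sha256_file(path))

    def verify(self) -> list[str]:
        """Return a list of problems; an empty list means log and item check out."""
        problems = []
        prev = GENESIS
        acquisition_hash = self.entries[0]["evidence_hash"]
        for e in self.entries:
            recomputed = entry_digest(e)
            if recomputed != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: record altered after it was written")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {e['seq']}: link to previous entry broken")
            if e["evidence_hash"] != acquisition_hash:
                problems.append(f"entry {e['seq']}: evidence hash differs from acquisition hash")
            prev = recomputed  # the link must match the entry as it actually reads now
        return problems


def demo() -> dict:
    """Walk through a clean custody chain, a booted system, and an edited log."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "laptop_disk.img")  # constructed sample image
        with open(path, "wb") as f:
            f.write(b"constructed sample disk image bytes\n" * 1000)
        log = CustodyLog("EV-SAMPLE-001", path)
        log.record("transferred to lab", "digital forensics specialist", path)
        clean = log.verify()
        # The obliging-assistant scenario: the machine is booted and files change
        # before the examination; the next custody event captures the new hash.
        with open(path, "ab") as f:
            f.write(b"boot wrote to the disk\n")
        log.record("examined", "digital forensics analyst", path)
        changed = log.verify()
        # Someone later rewrites a past record; the chained digests expose it.
        log.entries[1]["custodian"] = "unknown"
        tampered = log.verify()
    return {"clean": clean, "changed": changed, "tampered": tampered}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```

In practice the acquisition hash would be written into the case records (and ideally signed or printed) at the scene, since a log that lives only on the examiner's workstation is only as trustworthy as that workstation.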

Missing Surveillance Footage

• “Attorneys for accused double-homicide defendant, Jeffrey Lepsch, are moving for dismissal or, in the alternative, suppression of video-recorded surveillance evidence reportedly depicting Lepsch inside the crime scene at May’s Photo between 1:53 and 2:58 p.m. on the date of the gruesome murders. Apparently, missing is surveillance footage after 3:30 p.m. This footage is critical to Lepsch because a witness reportedly saw another person in the store behind the counter between 4:15 to 4:30 p.m.”

Validity of Digital Evidence

• Whether or not digital evidence will be accepted in a court of law depends upon the legal system and regulations related to the digital investigation and the digital evidence. Different countries have different definitions of digital evidence, including admissibility requirements in some countries.
• Thus, for a specific incident, the jurisdiction and legal basis must be considered. However, we can apply a rule of thumb when thinking about the validity of evidence: evidence not collected in a forensically sound manner reduces the evidence quality and credibility in court.

Eliminated Evidence

• “In 2003, an Illinois U.S. District Court Judge granted a defendant’s motion for sanctions against the plaintiff and recommended that the case be dismissed with prejudice after it was discovered that the plaintiff had attempted to delete relevant evidence from his computer by running the Evidence Eliminator™ software, which claims to defeat forensic analysis software.”

Controlled by Spyware

• “In 2007, Julie Amero, a substitute teacher at a Connecticut middle school, was wrongly convicted on four counts of felony charges of risk of injury to a minor and impairing the morals of a child by showing pornography on a school computer. The conviction carried a maximum prison sentence of 40 years. The conviction was eventually overturned, after appeal, when computer experts at a second trial showed that the NewDotNet spyware program, injected into the system days prior to the crime, spawned uncontrollable pornographic pop-ups.” See Endicott-Popovsky and Horowitz.

The Justice System and Digital Evidence

• “There are a few examples where the justice system has properly handled the admission of digital evidence. We transition from an example of glaring misunderstandings and lack of knowledge of digital evidence (Amero case), to an analysis of a competent judicial opinion regarding digital evidence, the case of Lorraine v. Markel American Insurance Company.” See Alva and Endicott-Popovsky (2012).

Frameworks, Standards, and Methodologies

• There is no single answer to “how to become digital forensic ready.” Various standardization bodies and organizations propose frameworks and methodologies to address that question, but there is no “one size fits all” or generally accepted practice to follow.
• In addition to standards and methodologies, the research community also explores the topic and proposes guidelines or frameworks.
• Digital forensic readiness is still evolving as a discipline, so we only look at the most relevant frameworks, standards, and methodologies that are available at this time.

Standards

• Two of the most well-known standardization bodies, ISO and NIST, have issued several standards that relate to the digital forensic investigation process and digital forensic readiness.
• ISO/IEC 27037
The ISO/IEC 27037 standard gives a definition of digital evidence and describes its three main governance principles: relevance, reliability, and sufficiency.

They include “auditability, justifiability, and either repeatability or reproducibility depending on particular circumstances” (ISO/IEC 27037:2012; ISO/IEC, 2012).

The initial digital evidence-handling processes (identification, collection, acquisition, and preservation) are also detailed through descriptions of key components within the process.
• ISO/IEC 17025
• The requirements for a forensic laboratory are provided in ISO/IEC 17025
(ISO/IEC, 2005).

• They encompass both management and technical requirements; however, the emphasis is placed on technical requirements.
• These include, for example, requirements related to methodology, equipment
handling, sampling, and quality assurance.
• NIST SP 800-86
• SP 800-86 (NIST SP800-86; NIST, 2006) discusses the phases of the digital forensic process: collection, examination, analysis, and reporting.
• This standard includes general recommendations as well as more detailed technical guidelines for evidence collection and examination from data files, operating systems, networks, applications, and other sources.

Guidelines

• Guidelines for digital forensics were developed in parallel and in addition to the standards.

• They typically address practices and methods for performing digital investigations and handling of digital evidence.
• They help to implement digital forensic readiness for private enterprise as well as law enforcement.

• IOCE Guidelines
• The International Organization on Computer Evidence (IOCE)
Guidelines (IOCE, 2002) are used for implementing digital forensic
examination procedures. They provide general descriptions of the practices
for the digital investigation and some specific principles. Most of the
requirements are rather high level, for example the

• Scientific Working Group on Digital Evidence (SWGDE)
• The Scientific Working Group on Digital Evidence (SWGDE, 2013) lists the primary types of errors found in the implementation of digital forensic tools: incompleteness, inaccuracy, and misinterpretation.
• The focus of the guidelines is to understand the limitations of tools and techniques, as well as to discuss error mitigation techniques, including tool testing, verification, procedures, and peer reviews.
• ENFSI Guidelines
• The European Network of Forensic Science Institutes (ENFSI) has published a Best Practice Manual for the Forensic Examination of Digital Technology (ENFSI, 2015). The manual provides guidance for forensic laboratories and encompasses the framework for procedures, quality principles, training processes, and

Research

• Researchers have worked on digital forensic readiness for the last few decades, and several frameworks have been proposed.

• Rowlingson’s Ten-Step Process

• Rowlingson (2004) considers the objectives for forensic readiness introduced by Tan (2001) and proposes a framework for digital forensic readiness consisting of ten steps.
• He highlights the benefits of collecting the evidence in a business context and considers system forensics a part of overall enterprise forensic readiness.
• Rowlingson also implies that forensic readiness in corporate environments should be aligned with business risks and tied to business continuity and incident response. The paper focuses on corporate environments and lists issues, benefits, and costs that an enterprise should consider when deciding on implementation measures for becoming forensically ready. The author does not go into analysis of specific policies, tools, or mechanisms.
• Grobler et al.’s Forensic Readiness Framework
• Grobler et al. (2010) introduce the notion of comprehensive digital evidence (discussed in Section 4.4.2). The idea of comprehensive digital evidence, as compared to the traditional notion of digital evidence, implies that in addition to using information to support or refute hypotheses, it has to carry evidentiary weight; thus, organizations have to be aware of the risks and legal requirements that they face when collecting useful data as the evidence.
• Endicott-Popovsky et al.’s Forensic Readiness Framework
• Endicott-Popovsky et al. (2007) propose a framework for network forensics. The framework consists of several layers to aid enterprises in implementing forensic readiness.
• The first layer is the theoretical base that covers information security governance and discusses embedding forensics in an enterprise as a component of its information assurance elements. The second layer of the framework analyzes a “3R” strategy model (resistance, recognition, and recovery) for survivable systems and introduces the notion of a fourth R –

Enterprise Digital Forensic Readiness

• Enterprises can be very complicated organizations that exert high pressure to keep operations running smoothly. When an incident occurs, there isn’t enough time to ask questions; rather, it is time to act. Thus, planning and preparations are crucial.

• Legal Aspects
• The legal basis of the country (area) where an enterprise operates is an important factor for planning digital forensic readiness.
• Collecting, analyzing, and presenting digital evidence in an appropriate manner for legal proceedings requires compliance with local laws and regulations.
• As a starting point for identifying when digital evidence is required, the enterprise can consider a list of cybercrime types. When deciding upon scenarios in which digital evidence will be collected and to which extent, the enterprise has to balance the need to collect digital evidence, due diligence, admissibility requirements, and regulations related to privacy and data retention.
• When preparing for a digital investigation, some important questions the enterprise should ask and evaluate in a legal context include:
• Which scenarios require the enterprise to exercise due diligence and collect digital evidence?
• What is considered to be digital evidence, and when is it admissible in a court of law?
• Which information and data can be collected as digital evidence, and under what circumstances?
• What are the requirements or procedures for collecting, preserving, and presenting digital evidence in court?

Policy, Processes, and Procedures


• The goal of digital forensic readiness is to align digital forensic investigation policies with the other existing frameworks and practices within the enterprise.
• The digital forensic investigation policies should follow a risk-based approach; align with the business’s goals and objectives; define policies, processes, procedures, roles, and responsibilities; identify skills, competencies, awareness, and training needs; and also utilize infrastructure and tools in the same manner as the rest of the enterprise.
• Risk-Based Approach
• The digital forensic investigation process can be considered a part of the general information security framework within an enterprise.
• How do digital forensics relate to the enterprise risks? To answer this question, we will examine the components that comprise information security risk and how that risk can be assessed.
• In enterprises, all types of risk assessment, including IT and information security, should be done with a focus on business operations. Decision makers can better evaluate and choose the measures to implement (including decisions to commence forensic investigations) when weighing business risks against business benefits.
• Thus, we will consider operational risks related to information security (as derived from the operational risk definition of COSO, the Committee of Sponsoring Organizations) as:
• those that are related to information and
• are focused on breach of confidentiality, integrity, and availability.

Incident Response versus Digital Forensics

• A digital forensics investigation within an enterprise is likely to start as part of an incident response.
• For example, a digital forensic investigation can be initiated when criminal activities are suspected or identified during the investigation of the incident.

Policy
• The organization and relationships between policies, processes, and
procedures will depend upon the enterprise.
• For example, a process-oriented enterprise with a high level of workflow
automation might choose to have a high-level policy, implemented through
automated processes.
• Inside the automated processes, the workflows might be defined and used to replace the procedures, paper forms, and checklists.
• Instead of having a documented procedure defining how, for example, the chain of custody is preserved, supported by paper checklists, the workflow within the process could automatically request a user (or assign a user) to acquire the evidence, note where the evidence is located, and so on.

• At a minimum, the policy should contain:
• a brief explanation of the purpose of the policy;
• its scope of applicability (what is affected by the policy, and to which extent the policy applies);
• a list of identified judiciary requirements, laws, and regulations related to digital readiness, digital forensic investigation, evidence handling, and similar;
• the relation of digital forensics to the other existing enterprise frameworks and management systems, like risk management and incident response; and
• the policy’s relation to the other enterprise policies.

Processes and Procedures

To support each stage in the digital investigation process, the enterprise digital forensic readiness process can generally be described as follows:
• Identify relevant laws and regulations related to digital forensic readiness, digital forensic investigations, and digital evidence.
• Perform risk assessments, or obtain the results of existing risk assessments.
• Identify incident scenarios that require digital evidence, based on laws and regulations, as well as risk assessment.
• Identify the relationship of digital forensic capabilities with existing frameworks and processes within the enterprise.
• Define the general enterprise digital forensic policy, or update existing policies with aspects related to digital forensics.
• Set policies regarding outsourcing or the use of third parties, and describe the service levels utilized, if needed.
• Define sub-policies and procedures based on the general policy to support digital forensics capabilities.
• Establish an organizational structure that specifies allocation of authority and responsibility.
• Describe the roles and responsibilities, and specify the required skills and competencies.
• Define the requirements for performing operational and awareness training, and conduct the trainings.
• Prepare tools and infrastructure; specify validation, verification, and calibration
requirements.
• To support the digital forensic policy and investigation process, the enterprise at a minimum should consider the following aspects in its sub-policies or procedures:
• standard operating procedures for evidence handling;
• monitoring policy;
• privacy protection policy and requirements;
• monitoring requirements to detect the incidents defined in the
incident scenarios;
• incident escalation into digital investigation;
• handling specific types of investigations, for example child
pornography;
• reporting to external parties, law enforcement, and the release of
data;
• outsourcing and involvement of third parties in the digital
investigation;
• preparation of the digital forensic laboratory and/or tools;
• training and awareness; and
• roles, responsibilities, and competence requirements.

People

• People are an important aspect of a digital forensic investigation.
• For a successful digital forensic investigation, it is necessary to define roles and responsibilities and gather the team with the right skillset and competencies.
• However, one should not forget others in the enterprise who may potentially play a role in the process.
• Awareness training for all staff is an essential step in implementing policies, processes, and procedures.
• This section examines the three main aspects in the people dimension:
• roles and responsibilities;
• skills, competencies, and training; and
• awareness training.

Roles and Responsibilities

• The definition of roles and responsibilities usually depends on the size of the enterprise and the maturity of its forensic capabilities.
• The enterprise can establish a digital forensic investigation organization as a team or a unit.
• However, for small companies this option might not be feasible.
• They can dedicate only one or a few persons, or assign forensic responsibilities to other existing roles, often in addition to their usual tasks.

• The roles and responsibilities in the digital forensic investigation process can be defined as follows:
• First responder: This role is responsible for the initiation of the digital investigation, securing the scene of the incident, primary identification of the digital evidence, securing the evidence, and identifying the digital investigation procedures that should be followed for the specific type of incident. This role might also be part of the incident response team or security operations center (SOC).
• Digital forensics specialist: This role is responsible for identification and collection of the digital evidence, ensuring the forensic principles are followed. This role can have a responsibility to perform live forensics.
• Digital forensics analyst/examiner: This role is responsible for analysis of different types of digital evidence and reporting the results. This role can also have a responsibility for performing live forensics.
• Digital forensic investigator/lead investigator: This role is responsible for directing the investigation, coordinating the activities, interpreting the findings, and reporting the results.
• Data retention specialist: This role is responsible for ensuring the evidence is retained according to the retention policy or requirements.
• If the organization responsible for digital forensic investigation becomes too complex, a RACI matrix can be utilized to clarify the division of accountability and responsibility for the activities in the process. Each role is assigned the letter matching the activity for each step in the process:
• R stands for responsibility (role performs the activity).
• A stands for accountability (role is accountable for the success of the activity
and has approval authority).
• C stands for consulted (role provides input for the activity).
• I stands for informed (role receives information related to activities,
decisions, or deliverables).

Skills, Competencies, and Training

• One of the core requirements for any of the roles related to digital forensics is knowledge and understanding of digital forensics investigation processes, principles, and methods.
• Awareness Training
• Awareness training should be conducted with everyone involved in the process of incident response and digital forensic investigations, including IT staff.
• Furthermore, all employees should know what might be considered an incident, whom to call, and how to behave during the incident response or when a forensic investigation is initiated.
• Who should be part of awareness training:
• incident response and forensic team(s),
• IT and information security,
• legal department,
• human resources, media contacts and public relations, and
• other employees (e.g., those reporting incidents, and people under investigation).

Technology: Digital Forensic Laboratory

• The enterprise needs to decide whether to develop a full-scale digital forensic laboratory, outsource the digital evidence analysis, or acquire and validate digital forensics tools.
The guidance for a laboratory’s preparation is based on:
• the ISO 17025 (ISO/IEC, 2005) standard,
• the ISO 27001 (ISO/IEC, 2013) standard,
• the ISO 9001 (ISO, 2008) standard,
• the ILAC-G19:2002 (ILAC-G19, 2002) guidelines, and other general good practices.

Accreditation and Certification

• The digital forensic laboratory can be established, prepared, accredited, and/or certified according to industry-accepted or international standards, such as ISO 17025 and ISO 9001, and by following guides to good practice.
• We will focus on two international standards – ISO 17025 and ISO 9001 – as they can be applied across various countries and industries.
• The International Laboratory Accreditation Cooperation (ILAC) notes the following reasons for accreditation based on ISO 17025 (ILAC, 2002):
• “A recognition of testing competence,
• a benchmark for performance,
• a marketing advantage, and
• international recognition for your laboratory.”

Organizational Framework
• Each laboratory should have a mandate that describes its roles, functions, services, clients (who are the functions aimed at?), stakeholders, authorities, and responsibilities.
• Security Policy or Framework
• The security policy or framework can be specific to the laboratory, or the general framework or policy established for the entire enterprise can apply to the laboratory as well.
• Control of Records
• The records related to investigations need to be managed and controlled to ensure evidence integrity and maintain the chain of custody at all times.
• The measures will include administrative (e.g., procedures and guidelines), physical and environmental (e.g., protection against fire and flood, locks), and logical (e.g., encryption) controls.
• ILAC (2002) provides further guidance for control of records, including:
• maintaining the records related to each case under investigation, reflecting the principles of repeatability, completeness, reliability, and traceability;
• enforcing quality assurance through policies, procedures, and reviews;
• recording operating parameters;
• recording observations and test results (e.g., by photography, scanning, and sketching) as well as reasons for rejecting them; and
• double-checking calculations and data transfers that are not part of validated tests.
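
The record-control principles above (evidence integrity, chain of custody, traceability, double-checking of data transfers) can be expressed as a small data structure. The following is an added example written for these notes; it is not code from the lecture or from any laboratory. The case identifier, the names, the evidence bytes and the choice of SHA-256 as the hash algorithm are constructed assumptions.

```python
"""Chain-of-custody record with built-in integrity checks.

Added example for these notes; not the lecture's or any lab's own code.
Every custody event records who handled the evidence and the hash the
handler observed, so a copy that changed in transit is flagged on the
spot. Case ids, names and the evidence bytes below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash evidence bytes. SHA-256 is the assumed algorithm here; a lab
    policy may mandate a second algorithm to be recorded alongside it."""
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Per-case custody log reflecting repeatability, completeness,
    reliability and traceability: every entry is numbered, timestamped,
    attributed to a person, and carries the hash observed at that step."""

    def __init__(self, case_id: str, evidence_id: str, evidence: bytes, acquired_by: str):
        self.case_id = case_id
        self.evidence_id = evidence_id
        # The hash taken at acquisition is the reference every later step is checked against.
        self.acquisition_hash = sha256_hex(evidence)
        self.events = []
        self._append("acquired", acquired_by, self.acquisition_hash, "initial imaging")

    def _append(self, action: str, person: str, observed_hash: str, note: str = "") -> dict:
        entry = {
            "seq": len(self.events) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "person": person,
            "observed_hash": observed_hash,
            "matches_acquisition": observed_hash == self.acquisition_hash,
            "note": note,
        }
        self.events.append(entry)
        return entry

    def transfer(self, sender: str, receiver: str, received_copy: bytes, note: str = "") -> dict:
        """Record a hand-over. The receiver re-hashes the bytes they actually
        received, which is the double-check of data transfers the notes ask for."""
        return self._append("transfer", f"{sender} -> {receiver}", sha256_hex(received_copy), note)

    def verify(self, person: str, stored_copy: bytes) -> dict:
        """Periodic re-verification of evidence in storage (e.g. before analysis)."""
        return self._append("verify", person, sha256_hex(stored_copy))

    def is_intact(self) -> bool:
        """True only if every observation ever recorded matched the acquisition hash."""
        return all(e["matches_acquisition"] for e in self.events)

    def first_mismatch(self):
        """The earliest event at which the hash deviated, or None: this is where
        the chain of custody has to be investigated."""
        return next((e for e in self.events if not e["matches_acquisition"]), None)

    def to_json(self) -> str:
        """Serialise the record so it can be filed with the case records."""
        return json.dumps({"case_id": self.case_id, "evidence_id": self.evidence_id,
                           "acquisition_hash": self.acquisition_hash,
                           "events": self.events}, indent=2)


if __name__ == "__main__":
    image = b"constructed evidence image bytes"                  # constructed sample
    record = CustodyRecord("CASE-0001", "EV-01", image, "examiner A")
    record.transfer("examiner A", "examiner B", image)           # clean transfer
    record.transfer("examiner B", "storage", image + b"\x00")    # corrupted copy
    print(record.to_json())
    print("intact:", record.is_intact(), "first mismatch seq:", record.first_mismatch()["seq"])
```

The record deliberately keeps every observation, including failed ones, rather than rejecting a bad transfer silently: a reviewer needs to see at which step and between which people the hash stopped matching. The serialised JSON is what would be filed under the administrative controls the notes describe; the physical and environmental controls are outside the scope of a script.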

Processes, Procedures, and Lab Routines


• The laboratory should define processes and procedures for handling digital evidence.
• At the minimum, the routines should detail the ways to protect the evidence during collection and transportation: against tampering, physical damage, water, magnets, static electricity, heat, cold, and more.
• The routines for taking notes and describing, documenting, and sketching the scene should follow the rules for controlling records. It is important to note passwords and the content displayed on the active screens of devices.
• Routines should cover both physical and logical access to the laboratory. They should also specify controls to protect specific areas in the laboratory if different levels of access control are needed.
• Procedures and routines for information reporting and disclosure, both internally and externally, need to be defined.
• Configuration, calibration, and measurement procedures and routines should cover:
• conformity, monitoring, and measurement requirements;
• documentation, tasks, and activities;
• calibration steps;
• results validation;
• exception and nonconformity handling;
• adjustment documentation; and
• controls for maintenance, storage, and protection against damage.

Methodology and Methods


• Methodology and methods should satisfy the general requirement, as defined in ISO/IEC Guide 2:2004 (ISO/IEC, 2004): “Most of the activities performed in laboratories should satisfy the definition of the objective test, or have required controls in place.”
• Personnel
• The laboratory needs competent and trained personnel. For each identified role of personnel to support the laboratory's functions and services, the description of the required skillset and competencies has to be defined.
• A training and awareness program should be developed to ensure that personnel maintain the required competencies.
• Code of Conduct
• The laboratory's personnel are expected to follow a set of rules or guidelines for professional behavior – a code of conduct, practice, and/or ethics. Here are two example requirements that may be listed in such a code of conduct, from the UK Government (2014):
• “Act with honesty, integrity, objectivity and impartiality, and declare at the earliest opportunity any personal, business and/or financial interest that could be perceived as a conflict of interest.”
• “Provide expert advice and evidence only within the limits of your professional competence.”
• Tools
• The laboratory operations have to be supported by appropriate forensic tools.
• Appropriate means tested and validated, so that results produced by the tool are considered forensically sound in a court of law.

Challenges in Digital Forensics

The Objectives of Computational Forensics


• Large-Scale Investigations: Cybercrime investigations and investigations in large multinational corporations share the property of large volumes of data from a wide range of sources.
• The ability to efficiently and effectively manage the data during the digital forensics process requires the application of computational methods.
• Automation: Digital forensics has to a large degree been dependent on manual processes, supported by checklists, process descriptions, and some built-in automation and scripting in forensic tools.
• There is, however, a need for more comprehensive automation to reduce manual effort and increase the quality of digital forensics.

Analysis

• The analysis of digital evidence can be significantly strengthened through computational methods.
• Whereas a human analyst can spot anomalies and patterns based on experience, computational methods can establish timelines, perform link analysis, and identify patterns in a predictable manner.
• Validated computational forensics methods will support human analysts in deducing conclusions based on evidence, in less time and with higher certainty.

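
As an added example of the timeline construction and link analysis mentioned above (written for these notes; not the lecture's or any forensic tool's code), the block below merges two differently formatted log sources into one UTC-ordered timeline and collects, for each account, the hosts and addresses it is linked to. The log lines, host names, IP addresses, user name and the UTC+2 clock offset assumed for the auth host are all constructed.

```python
"""Unified timeline and link analysis over two log sources.

Added example for these notes, not the lecture's own code. It shows the
kind of predictable, repeatable computation the text contrasts with an
analyst's intuition: timestamps from differently formatted sources are
normalised to UTC before ordering, and entities touched by each account
are collected for link analysis. All log lines, hosts, IPs and the
UTC+2 clock offset of the auth host are constructed assumptions.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timezone, timedelta

# Constructed sample 1: syslog-style auth log, local time on a host whose clock is UTC+2.
AUTH_LOG = """\
2024-03-04 09:15:02 host-a sshd: Accepted password for alice from 10.0.0.5
2024-03-04 09:20:44 host-a sudo: alice : COMMAND=/bin/tar -czf /tmp/out.tgz /srv/data
"""
# Constructed sample 2: proxy log as CSV with epoch seconds (already UTC).
PROXY_LOG = """\
1709536920,10.0.0.5,alice,https://example.invalid/upload,POST
"""

AUTH_HOST_TZ = timezone(timedelta(hours=2))   # assumption: auth host clock offset
AUTH_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")
USER_RE = re.compile(r"for (\w+) from|^(\w+) :")
IP_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")


def parse_auth(text: str) -> list:
    """Parse auth lines into normalised events with UTC timestamps."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently mangled
        local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=AUTH_HOST_TZ)
        host, proc, msg = m.group(2), m.group(3), m.group(4)
        um = USER_RE.search(msg)
        user = next((g for g in um.groups() if g), None) if um else None
        ipm = IP_RE.search(msg)
        events.append({
            "time": local.astimezone(timezone.utc),
            "source": "auth", "host": host, "user": user,
            "src_ip": ipm.group(1) if ipm else None,
            "detail": f"{proc}: {msg}",
        })
    return events


def parse_proxy(text: str) -> list:
    """Parse proxy CSV rows (epoch,src_ip,user,url,method) into normalised events."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        epoch, src_ip, user, url, method = row
        events.append({
            "time": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
            "source": "proxy", "host": "proxy", "user": user,
            "src_ip": src_ip, "detail": f"{method} {url}",
        })
    return events


def build_timeline(*event_lists) -> list:
    """Merge events from any number of sources and order them by UTC time.
    Sorting is stable, so the result is reproducible run after run."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["time"])


def link_analysis(events) -> dict:
    """Map each account to the sorted set of hosts and source IPs it is linked to."""
    links = defaultdict(set)
    for e in events:
        if e["user"]:
            links[e["user"]].add(e["host"])
            if e["src_ip"]:
                links[e["user"]].add(e["src_ip"])
    return {user: sorted(ents) for user, ents in links.items()}


if __name__ == "__main__":
    timeline = build_timeline(parse_auth(AUTH_LOG), parse_proxy(PROXY_LOG))
    for e in timeline:
        print(e["time"].isoformat(), e["source"], e["host"], e["user"], e["detail"])
    print(link_analysis(timeline))
```

The clock normalisation is the point: the proxy event falls at 07:22:00 UTC, after the login (07:15:02 UTC) and the archive command (07:20:44 UTC). Comparing the raw local strings would have placed the upload before the login and produced a timeline that supports the wrong story, which is why a computational method that applies the same normalisation every time is preferable to ad hoc reading of the logs.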
Forensic Soundness

• Any method used for digital forensics must take forensic soundness into consideration.
• Computational forensics must ensure that evidence integrity and chain of custody are built in, thus reducing the probability of both unintentional mistakes and intentional evidence tampering.
• In a similar fashion to automated testing for software quality assurance, forensic tool testing should be performed at all levels.

Disciplines of Computational Forensics

It should be further noted that the research area of computational forensics is not limited to digital evidence but also encompasses computational methods for other forensic disciplines. This includes, but is not limited to:
• Signal and image processing: Transforming signals and images for better human or machine processing.
• Computer vision: The automatic recognition of objects (e.g., face recognition and similarity to other known images) in computer images or video.
• Computer graphics and data visualization: The synthesis of two-dimensional images or three-dimensional scenes from multidimensional data for better human understanding.
• Statistical pattern recognition: The classification into one or more classes based on abstract measurements, identifying whether a sample belongs to a known class and with what probability.
• Machine learning: A mathematical model is learned from examples.
• Data mining: Large volumes of data are processed to discover nuggets of information (e.g., the presence of associations, number of clusters, and outliers).
• Robotics: Human movements are replicated by a machine, for example for the purpose of forensic reconstruction experiments.

Automation and Standardization


• While automation was included as one of the objectives of computational forensics, the problem of automation and standardization deserves additional attention.
• As we have seen in other domains, automation is required to reduce manual efforts and to increase consistency and quality.
• Successful automation, however, is dependent on a standardization of, for example, data storage and exchange formats.
• Automation requires that software used as part of the processing of digital evidence must meet certain minimum standards in terms of forensic soundness.
• A lack of understanding of the weaknesses of individual tools and methods utilized in an automated forensic process could result in large, aggregated uncertainties in the conclusions.
• The benchmarking of forensic tools is thus a critical success factor, achieved through tool testing to identify strengths, weaknesses, and error rates.
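
The tool testing called for here, under Tools ("tested and validated") and under Forensic Soundness ("forensic tool testing should be performed at all levels"), can be made concrete with a harness that runs a tool over a reference corpus with known ground truth and reports its error rates. The block below is an added example written for these notes, not code from the lecture or from any forensic tool vendor. The reference corpus, its decoy, the two toy file carvers being tested and the offsets are all constructed; only the JPEG and PNG signature bytes are real.

```python
"""Tool-testing harness that measures a forensic tool's error rates.

Added example for these notes, not the lecture's or any tool vendor's code.
A constructed reference corpus with known ground truth is run through two
toy file carvers; the harness reports true/false positives, misses,
precision and recall per file type, which is the kind of benchmarking
the notes say validated tools need. File offsets, the decoy and both
carvers are constructed for the illustration.
"""
from typing import Callable, Dict, List, Tuple

JPEG_MAGIC = b"\xff\xd8\xff"           # real JPEG SOI marker prefix
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"       # real PNG signature
FILLER = b"\x00" * 16


def build_reference_corpus() -> Tuple[bytes, Dict[str, List[int]]]:
    """Constructed test image: real headers at known offsets plus one decoy,
    a JPEG magic embedded in text, that must not be reported as a file."""
    buf = bytearray()
    truth: Dict[str, List[int]] = {"jpeg": [], "png": []}

    def add_file(kind: str, header: bytes, body: bytes) -> None:
        truth[kind].append(len(buf))
        buf.extend(header + body + FILLER)

    add_file("jpeg", JPEG_MAGIC, b"\xe0" + b"A" * 20)   # JFIF-style APP0 marker follows SOI
    add_file("png", PNG_MAGIC, b"B" * 20)
    buf.extend(b"text " + JPEG_MAGIC + b"not an image" + FILLER)   # decoy, not in truth
    add_file("jpeg", JPEG_MAGIC, b"\xe1" + b"C" * 20)   # Exif-style APP1 marker follows SOI
    return bytes(buf), truth


def find_all(data: bytes, magic: bytes) -> List[int]:
    """All offsets at which `magic` occurs."""
    hits, i = [], data.find(magic)
    while i != -1:
        hits.append(i)
        i = data.find(magic, i + 1)
    return hits


def naive_carver(data: bytes) -> Dict[str, List[int]]:
    """Tool under test 1: header-only matching (a common weakness)."""
    return {"jpeg": find_all(data, JPEG_MAGIC), "png": find_all(data, PNG_MAGIC)}


def strict_carver(data: bytes) -> Dict[str, List[int]]:
    """Tool under test 2: additionally requires an APP0/APP1 marker after the JPEG SOI."""
    jpeg = [o for o in find_all(data, JPEG_MAGIC) if data[o + 3:o + 4] in (b"\xe0", b"\xe1")]
    return {"jpeg": jpeg, "png": find_all(data, PNG_MAGIC)}


def evaluate(tool: Callable[[bytes], Dict[str, List[int]]], data: bytes,
             truth: Dict[str, List[int]]) -> Dict[str, Dict[str, float]]:
    """Compare a tool's output with ground truth and report error rates per type."""
    found = tool(data)
    report = {}
    for kind, expected in truth.items():
        got, exp = set(found.get(kind, [])), set(expected)
        tp, fp, fn = len(got & exp), len(got - exp), len(exp - got)
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        report[kind] = {"tp": tp, "fp": fp, "fn": fn,
                        "precision": round(precision, 3), "recall": round(recall, 3)}
    return report


if __name__ == "__main__":
    corpus, truth = build_reference_corpus()
    for name, tool in (("naive", naive_carver), ("strict", strict_carver)):
        print(name, evaluate(tool, corpus, truth))
```

Run against the same corpus, the header-only carver reports the decoy as a third JPEG (one false positive, precision 0.667), while the stricter carver reports exactly the two real files. Those numbers are the benchmark result a laboratory would file for each tool version: they document a known weakness, and they are what keeps a false hit from one tool from silently propagating into an automated pipeline.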

Research Agenda

• Digital forensics as a research field is constantly evolving with increasingly complex technologies. Consequently, there is a range of open questions that can be investigated.
• As an inspiration, we include the research agenda from the Testimon Forensics Group:
• Large-scale investigations: Research in the area of large-scale investigations; automatic searching through terabytes of electronic storage within closed systems and the Internet (including the darknet).
• Internet and cloud forensics: Research and development for the rapid acquisition, correlation, and analysis of Internet and cloud-related evidence. New tools and methods for evidence acquisition and analysis are constantly needed, with a corresponding need for educating law enforcement and practitioners in the field.
• Embedded systems and the Internet of Things (IoT): Digital forensics involving a mobile device or other embedded systems often involves hardware analysis in addition to software analysis. Hardware is often based on proprietary technology and can be device specific, and forensic acquisition directly from hardware requires customized and well-tested methods. Both the problem of data acquisition and the decoding of binary data represent a continuously developing research area.
• Cross-media search and data integration: Technologies for cross-media search and data integration to access diverse sources of information, in particular data enrichment from Internet sources.
• Encrypted evidence: Algorithms for the analysis of encrypted evidence and cryptographic credentials.
• Computational intelligence: Design of advanced computing technologies to achieve more objective evidence analysis and final decision making by implementing computational intelligence.
• Attribution and profiling: Development of methods and tools for digital penetrator attribution and profiling, visualization of serious criminal relationships and associations, and geographical mapping of digital and physical evidence.
