A Review On Data Acquisition In Cyber Forensics
Abstract
Similar to traditional evidence, courts of law do not assume that digital evidence is reliable if there is no evidence of some empirical testing regarding the theories and techniques pertaining to its production. Courts take careful notice of the way in which digital evidence has been acquired and stored. In contrast with traditional crimes, for which there are well-established standards and procedures upon which courts can rely, there are no formal procedures or models for digital data acquisition to which courts of law can refer. A standardised data acquisition process model is needed to enable digital forensic investigators to follow a uniform approach, and to assist courts of law in determining the reliability of digital evidence presented to them. This paper proposes a model that is standardised, in that it enables digital forensic investigators to follow a uniform approach, and generic, in that it can be applied in both law enforcement and corporate investigations. To carry out the research presented in the paper, the design science research process (DSRP) methodology proposed by Peffers et al. (2006) ... has been followed.
Keywords: digital forensics; data acquisition; process model; standardised model; digital investigations; computer forensics; formal process
1. Introduction
Nowadays, given the pervasive nature of information technology, the evidence presented in courts of law is less and less likely to be paper-based. Evidence of digital crime differs from that of traditional crimes, for which there are deep-rooted standards and procedures (Adams et al., 2014; Stanfield, 2009; Smith et al., 2009). There does not currently exist a standardised and generic process model for digital data acquisition that is widely accepted by the digital forensic community and courts of law, and that can be applied in the different fields of digital forensics.
The main objective of a digital data acquisition process is to assist the investigators in explaining how particular digital evidence was found on a device (Kohn et al., 2013; Casey, 2011). As with any other type of evidence, courts of law do not assume that digital evidence is valid and reliable without some empirical testing of the theories and techniques associated with its production.
2. Background
Prior to the design and development of the new model, all the prominent digital forensic investigation process models (DFIPMs) presented to date were critically reviewed and assessed to gain an in-depth insight into these models.
The result of this review revealed a gap: there does not exist a standardised data acquisition process model (SDAPM) for digital forensic investigations that can be widely accepted by the digital forensic community and courts of law. The previous models have often been criticised for being too specific.
Courts of law take careful notice of the manner in which the acquisition and storage of digital evidence were carried out.
3. Research methodology
Problem identification and motivation involve defining the research problem to be addressed and justifying the value of the research. Defining the objectives of a solution requires the researchers to state the research aim and objectives, while design and development involves creating the artefactual solution. Demonstration involves demonstrating the efficacy of the artefact in some appropriate environment to solve the stated problem, while evaluation requires observing and measuring how well the constructed artefact supports the solution to the stated problem. Finally, communication requires the researchers to communicate the problem and its significance, the artefact, and its utility and novelty to other researchers via publications. The entry point for this research is problem identification and motivation.
4. Planning prior to securing the crime scene
Prior to raiding the suspect’s place of work or residence (the crime scene) to carry out the on-scene data acquisition, digital forensic investigators (DFIs) will need to embark upon detailed planning. Such planning can have a significant impact on the efficiency and success of the on-scene data acquisition process. Regarding the pre-raid planning, Sammes and Jenkinson (2007) state that it is very important that the number of computers, their types, operating systems and connections are all known before entering the scene of crime. Although this might be valid to a large extent in an ideal world, the investigators often have little idea about the computer systems, the quantity and location of data, the types of hard disk or the operating systems involved prior to visiting the crime scene.
5. Securing the crime scene prior to data acquisition
Once the proper planning has been finalised, investigators will need to attend the crime scene where the data representing potential digital evidence might be stored in a digital system. The first step that the investigators will need to undertake during this stage is to address safety issues in relation to personnel and witnesses as well as the material under investigation. In order to demonstrate in a court of law that the digital evidence was acquired in a forensically sound manner, the investigators must first be able to show that the crime scene from which the digital evidence was acquired was preserved unaltered. Thus, if possible and practicable, the investigators must enforce a lockdown of the entire crime scene in order to achieve what Casey (2011) calls a ‘pristine environment’ to preserve the integrity of both the digital device and the potential evidence contained in it.
If the investigation is not covert and the suspect is at the crime scene, they must be detained and interviewed. Suspects are often ‘psychologically more vulnerable’ within the first few hours of their initial encounter with the police (Black, 2014), particularly when this encounter takes place in their place of business or dwelling (Yeschke, 2002). Due to the shock that they have received, they often tend to be more compliant.
Once the crime scene has been securely preserved, the investigators attending the crime scene will need to conduct a preliminary survey of the physical crime scene to obtain an idea about how to process the physical crime scene and what kind of special skills are required. The aim of performing the preliminary survey must be:
1 to identify the ‘obvious’ pieces of physical evidence by walking around the crime scene (Casey, 2011)
2 to identify the ‘fragile’ pieces of physical evidence (Carrier and Spafford, 2003)
3 to identify any technical issue (Adams et al., 2014)
4 to survey the digital crime scene to identify data of interest that represents potential digital evidence
5 to determine the mixture of laboratory and onsite data acquisition
6 to develop an initial theory about the incident or crime.
Last but not least, it is extremely important to document all the activities carried out throughout this stage in order to enable other investigators to authenticate the process and results. Thus, it is imperative to maintain a detailed record of what was performed on the computer system and what information was acquired. Maintaining a detailed documentation will enable the investigators:
to preserve the chain of custody in a forensically sound manner
to increase the possibility of a successful investigation
to record all information produced during this process to support decision making and the legal, administrative processing of those decisions.
Note that, similar to the planning stage, this process might become irrelevant in circumstances where the digital device has already been seized and transported back to a digital forensic laboratory (DFL). In these situations, the investigators can simply skip this process without negatively affecting the results of the investigation.
6. The proposed model
6.1 Design and development considerations
The data acquisition process has a significant bearing on the entire digital investigation, and it is often challenged by the courts concerning infringements on the chain of custody (Kruse and Heiser, 2002), documentation (Valjarevic and Venter, 2015; Jones et al., 2006), the integrity of the evidence (Brown, 2009) and the methods and procedures utilised to acquire the digital evidence (Kessler, 2010). If the court doubts the initial collection and management of the digital evidence, the entire digital investigative process will be subject to dispute. One of the shortcomings of the previous models concerning their data acquisition process is the superficial level of detail provided about this process. These models (Valjarevic and Venter, 2015; Adams et al., 2014; Kohn et al., 2013) often provide a high-level, single phase stating that the data needs to be collected, without providing the lower-level and useful details necessary to assist the DFIs in acquiring digital evidence in a forensically sound manner. Another limitation of the existing models related to the data acquisition process is the fact that they do not explicitly distinguish ‘live’ data acquisition from ‘static (dead)’ data acquisition, where each activity requires a different set of components and procedures.
Therefore, in order to address the stated shortcomings associated with the acquisition process, the following three considerations were made when designing and developing the proposed model, the SDAPM.
1 Static acquisition and live acquisition have been differentiated in the SDAPM; therefore, relevant and discrete components have been assigned to each process.
2 The SDAPM has further distinguished between a static data acquisition onsite and a static data acquisition in a DFL and has assigned discrete components to each aspect accordingly.
3 The live data acquisition process has been further broken down into both the live acquisition of volatile data and the live acquisition of non-volatile data. Therefore, relevant components have been assigned to each aspect accordingly.
Thus, in the SDAPM, live acquisition pertains to the acquisition of both volatile and non-volatile data from a running device or a network, whereas dead acquisition relates to the static acquisition of data from a powered-off device, either onsite at the crime scene or in a DFL. It is contended that the SDAPM is the most systematic and detailed digital data acquisition process presented to date.
6.2 The FSDAPM representation and description
If it has been determined that on-scene data acquisition is not needed and the data should be acquired in a DFL, the DFIs must then find out whether the device subject to the data acquisition is running or not. If the device is running, the DFIs must determine whether the data residing on the device is stable or not before powering it down. If the data residing on the device is stable, the DFIs will need to remove the power source directly from the device. However, if the data residing on the device is not stable, a normal shutdown must be performed. In both cases, where the device was running and then shut down or the device was already in a powered-off state, the DFIs must ensure that they record, remove, secure and label the connections of the device before packaging it for transportation back to a DFL or a secure storage. It is essential for the DFIs also to collect any material which might be associated with the potential digital information. This material can include, but is not limited to, paper c
6.2.1 On-scene data acquisition process
If it has been determined that on-scene data acquisition is required, the DFIs must then decide whether the device from which data is to be acquired is running or not. In turn, knowing the state of the device will determine whether live data acquisition should be conducted or not. If the device is not running, to acquire the data the DFIs must undertake the same data acquisition steps as those described under the DFL data acquisition. The only difference would be that the static data acquisition must be performed onsite as opposed to offsite in a DFL. Similarly, if the authorisation permits the device to be seized, the same procedures as described under DFL acquisition should be followed in relation to securing, labelling, packaging, transporting and storing the evidence, etc. In the SDAPM, the transportation of the digital evidence acquired on-scene can differ from that of the physical device described in the preceding section. As discussed, in cases where onsite data acquisition is not required, the physical device has to be transported physically to a secure location such as a DFL for subsequent data acquisition, examination and analysis. However, the digital evidence acquired onsite can be transported both physically and electronically. In cases where the digital evidence is to be transported electronically, the DFIs must take special precautions such as encrypting and digitally signing the data in order to preserve its integrity and the chain of custody. If the device is running, the DFIs must determine whether live data acquisition is required or not. If live data acquisition is not needed, the DFIs must then follow the same procedures as described in the preceding section concerning powering down the device, acquiring and preserving the evidence, the transportation (both physical and digital) and the storage of the evidence.
However, if live data acquisition is required, the DFIs must determine whether to carry out live data acquisition on volatile data, non-volatile data or both. Similar to the static data acquisition, the acquired data from the live acquisition of both volatile data and non-volatile data must be duplicated and verified using a proven
7. SDAPM’s overriding principles
As well as the formal UML representations of the SDAPM, a set of ten overriding principles has also been developed in order to enable DFIs to gather solid evidence that can be relied upon by the decision makers, whether they are in a court room or a board room. These overriding principles, or actionable principles, are objectives that need to be achieved in a given digital forensic investigation. We argue that any approach for conducting the data acquisition process must preserve the reliability, completeness, accuracy and verifiability of digital evidence. Therefore, these overriding principles are proposed as a standard requirement for the data acquisition process in digital investigations.
7.1 Interact with physical investigation
A digital investigation and a physical investigation are often interrelated and dependent on one another (Carrier and Spafford, 2003). An example of a physical investigation requiring assistance from a digital investigation is carrying out a data acquisition process to extract digital evidence revealing communication between terror suspects via computers, mobile phones, online social network activities, e-mail, chat rooms and forums, etc. An example of a digital investigation being dependent on a physical investigation is when a suspect is interviewed to provide a password to a system under investigation. Referring to the significance of interaction between physical and digital investigation, Valjarevic and Venter (2015) state that defining the relationship between a digital investigation and a physical investigation is important in order to preserve the chain of custody, preserve the integrity of the digital evidence, protect the digital evidence from damage and ensure an efficient investigation.
7.2 Obtain and adhere to an appropriate authorisation
The case officer in charge of the digital investigative process will need to obtain an appropriate authorisation before the DFIs can start the data acquisition process. This will ensure that the DFIs do not infringe on any legal rule or on the rights of the system owners, custodians, principals or users. Authorisation for investigations involving law enforcement often requires a search warrant or other legal approval, which in turn requires sufficient evidence or suspicion. For corporate incidents, search warrants are not usually required so long as the proper privacy policies are in place.
7.3 Perform risk assessment
DFIs will need to carry out a detailed and accurate risk assessment prior to conducting the data acquisition steps outlined in the SDAPM in order to deal with new challenges and threats. As part of this risk assessment, safety issues need to be addressed in relation to the safety of personnel, victims, witnesses, and the equipment and material undergoing the data acquisition process at the crime scene.
7.4 Preserve digital and physical evidence
This principle involves the investigators securing the digital crime scene and preserving the digital evidence that could change. This could include, but is not limited to, isolating the system from the network, acquiring the volatile data that would be lost after the system is powered down, and detecting suspicious processes that are running on the system. During the data acquisition process, investigators who employ the SDAPM must investigate those users suspected of causing the incident who are logged into the system. Log files should be secured in case they are lost before the system is imaged. In order to preserve the digital crime scene, investigators will need to make a full forensic image of the system so that it can be examined and analysed at a later stage in a DFL. Investigators must note that a full forensic image of the system preserves the whole digital crime scene, whereas copies that are system backups preserve only the allocated data within the digital crime scene.
7.5 Maintain an accurate and detailed documentation
The aim of the documentation principle is to record all information applicable to or produced during the data acquisition process to support decision making and the legal and administrative processing of those decisions. This overriding principle involves documenting both the physical and the digital crime scene. Documentation of the physical crime scene – where the data acquisition process is carried out on a digital system suspected of containing potential digital evidence – involves creating sketches and making a video of the physical crime scene. Documentation of the digital crime scene involves the investigators properly documenting each item of digital evidence when it is discovered. Digital evidence can exist at many abstraction layers (Carrier and Spafford, 2003) and therefore should be documented accordingly. As an example, the investigators will have to document files by their full file name path, the clusters in the file system that they occupy, and also the sectors on the disk that they use. In terms of a network, investigators will need to document the network data with the source and target addresses at the different network layers. Due to its extreme importance, DFIs who employ the FSDAPM must adhere to this principle to preserve the chain of custody and increase the possibility of a forensically sound data acquisition process.
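The paragraph above asks that a file be documented at each abstraction layer: its path, the file-system clusters it occupies and the disk sectors those clusters map to. The following is an added example (not code from the paper) that turns a cluster list into absolute sector ranges and builds such a record. It assumes a FAT-style layout in which cluster 2 is the first data cluster and the data area starts after the reserved sectors, the FAT copies and (for FAT12/16) the root directory; the volume geometry and the cluster list are constructed sample values, not taken from any real exhibit.

```python
"""Documenting a file at the path, cluster and sector layers (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

SECTOR_SIZE = 512  # assumption: 512-byte sectors


@dataclass(frozen=True)
class VolumeGeometry:
    """FAT-style volume layout (constructed for this example)."""
    partition_start_lba: int   # first sector of the partition on the physical disk
    reserved_sectors: int      # boot sector and any other reserved area
    num_fats: int
    sectors_per_fat: int
    sectors_per_cluster: int
    root_dir_sectors: int = 0  # non-zero only for FAT12/16

    @property
    def first_data_sector(self) -> int:
        """Partition-relative sector where cluster 2 begins."""
        return (self.reserved_sectors
                + self.num_fats * self.sectors_per_fat
                + self.root_dir_sectors)


def cluster_to_lba(geom: VolumeGeometry, cluster: int) -> int:
    """Absolute LBA of the first sector of a data cluster."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved in FAT layouts")
    return (geom.partition_start_lba
            + geom.first_data_sector
            + (cluster - 2) * geom.sectors_per_cluster)


def clusters_to_sector_ranges(geom: VolumeGeometry,
                              clusters: Sequence[int]) -> List[Tuple[int, int]]:
    """Map a file's cluster chain to inclusive (start, end) LBA ranges,
    merging clusters that are physically contiguous on disk."""
    ranges: List[Tuple[int, int]] = []
    for cluster in clusters:
        start = cluster_to_lba(geom, cluster)
        end = start + geom.sectors_per_cluster - 1
        if ranges and ranges[-1][1] + 1 == start:
            ranges[-1] = (ranges[-1][0], end)   # extend the current run
        else:
            ranges.append((start, end))
    return ranges


def document_file(geom: VolumeGeometry, path: str,
                  clusters: Sequence[int], size_bytes: int) -> Dict:
    """Build the multi-layer documentation record for one file.

    The record also states how much allocated space lies beyond the logical
    file size (slack), because that area may hold remnants of earlier data
    and is part of what a full forensic image captures but a backup does not.
    """
    allocated = len(clusters) * geom.sectors_per_cluster * SECTOR_SIZE
    return {
        "path": path,
        "clusters": list(clusters),
        "sector_ranges": clusters_to_sector_ranges(geom, clusters),
        "size_bytes": size_bytes,
        "allocated_bytes": allocated,
        "slack_bytes": allocated - size_bytes,
    }


# Constructed sample geometry and cluster chain (hypothetical values).
EXAMPLE_GEOMETRY = VolumeGeometry(partition_start_lba=2048, reserved_sectors=32,
                                  num_fats=2, sectors_per_fat=100,
                                  sectors_per_cluster=8)
EXAMPLE_CLUSTERS = [5, 6, 7, 10]   # three contiguous clusters, then a gap


def example_record() -> Dict:
    return document_file(EXAMPLE_GEOMETRY, r"\Users\alice\notes.txt",
                         EXAMPLE_CLUSTERS, size_bytes=10000)


if __name__ == "__main__":
    for key, value in example_record().items():
        print(f"{key}: {value}")
```

With the sample geometry the data area starts at partition-relative sector 232, so clusters 5 to 7 map to one contiguous run of sectors 2304 to 2327 and cluster 10 to a separate run of 2344 to 2351; recording both the cluster numbers and the resulting sector ranges lets an analyst in the DFL locate the same bytes in the image without re-deriving the layout.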
7.6 Maintain an accurate audit trail
From both forensic and legal standpoints, it is necessary for the DFIs to maintain an audit trail of all activities carried out on the digital evidence. This audit trail could be relied upon to assess the forensic soundness of the process by documenting that a copy of the extracted data has been acquired accurately. The audit trail must involve documenting how the data was acquired, how it was converted and what steps were followed to ensure that it is complete and accurate. Moreover, hash verifications (MD5 and SHA1) of the acquired data must be calculated, and these values must be documented for future comparisons to assist digital forensic analysts in verifying that the evidence has not been modified since it was acquired.
7.7 Maintain a restricted access control
This actionable principle refers to both limited acquisition of digital data and restricted viewing of the data. The data acquisition tools must support restricted viewing of results in order to increase their utility and limit privacy concerns. With the appropriate technology, the data acquisition and examination tools could be designed to provide a positive or negative indication that certain types of data are contained in the digital device. For instance, if the computer contains indecent images of children, the data acquisition tool could simply report that such contraband is likely to be present without actually showing the images or videos.
7.8 Preserve chain of custody
In order to preserve the chain of custody, investigators must adhere to all legal requirements and must properly document the steps outlined in the SDAPM in accordance with ACPO (2003, 2012). Chain of custody is of extreme importance, especially in investigations involving law enforcement. Cases where the chain of custody has not been properly preserved can easily be challenged in courts of law and potentially rejected, irrespective of the incriminating evidence. An example of preserving the chain of custody is when evidence copies are required to be shared with other experts in other locations. This handling of evidence must be properly documented to preserve the chain of custody.
7.9 Maintain an effective case management
This overriding principle applies to the role of managers such as case officers, who often lead a team of investigators during the data acquisition process. When conducting the data acquisition steps outlined in the SDAPM, case officers will need to undertake certain tasks. These include, but are not limited to, determining the team members who should perform the data acquisition process, acquiring and checking the appropriate authorisations, guiding the DFIs in the right direction and creating an overall picture of the data acquisition process, etc.
7.10 Manage information flow
One of the major issues with the existing models is the lack of an identified information flow, which could have a negative impact on the other actionable principles such as chain of custody. A defined information flow should exist between each given process in a digital investigation and between the different stakeholders.
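Principles 7.6 and 7.8 above call for documented hash verifications of the acquired data and for a record of every handover that can later be checked. The following added example (not code from the paper or any named tool) shows one way to implement both: the image is hashed with the MD5 and SHA1 algorithms the paper names (SHA-256 is added as an assumption, since MD5 and SHA-1 are no longer collision resistant), and each custody event is appended to a log in which every entry commits to the hash of the previous entry, so that an edited, removed or reordered entry is detectable. The exhibit identifier, handler names, timestamps and image bytes are constructed sample values.

```python
"""Hash verification and a hash-chained chain-of-custody log (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# The paper names MD5 and SHA1; SHA-256 is an added assumption so that the
# record does not depend only on digests with known collision attacks.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 64 * 1024
GENESIS = "0" * 64   # "previous hash" of the first entry


def hash_image(data: bytes) -> Dict[str, str]:
    """Compute all reference digests of an acquired image in a single pass."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    for offset in range(0, len(data), CHUNK):
        chunk = data[offset:offset + CHUNK]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _entry_hash(entry: Dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class CustodyLog:
    """Append-only audit trail; entry N stores the hash of entry N-1."""

    def __init__(self, exhibit_id: str, handler: str,
                 image_hashes: Dict[str, str], when: Optional[str] = None):
        self.entries: List[Dict] = []
        self.append("acquired", handler,
                    {"exhibit": exhibit_id, "image_hashes": image_hashes}, when)

    def append(self, action: str, handler: str, details: Dict,
               when: Optional[str] = None) -> Dict:
        entry = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "details": details,
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry is intact and linked to its predecessor."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            if _entry_hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def verify_image(log: CustodyLog, data: bytes) -> bool:
    """Recompute the digests of the image and compare with the acquisition record."""
    recorded = log.entries[0]["details"]["image_hashes"]
    return hash_image(data) == recorded


def build_example_log() -> Tuple[bytes, CustodyLog]:
    """Constructed sample: a small fake image and three custody events."""
    image = b"constructed sample image bytes, not real evidence\n" * 1000
    log = CustodyLog("EXHIBIT-001", "DFI-A", hash_image(image),
                     "2024-01-01T09:00:00+00:00")
    log.append("transferred", "DFI-A", {"to": "DFI-B", "method": "sealed bag"},
               "2024-01-01T11:30:00+00:00")
    log.append("verified", "DFI-B", {"result": "hashes match"},
               "2024-01-02T08:15:00+00:00")
    return image, log


if __name__ == "__main__":
    image, log = build_example_log()
    print("chain intact:", log.verify_chain())
    print("image matches acquisition record:", verify_image(log, image))
```

Each digest is computed over the same stream of chunks, so a multi-gigabyte image is read once rather than once per algorithm. The chained entry hashes make the log tamper-evident but not tamper-proof: a party holding the whole log could rewrite it from some point onward, so in practice the latest entry hash should also be recorded somewhere the handlers cannot alter (a signed report, a separate register).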
Conclusions and future work
The fundamental issue that this paper addressed was the fact that there was not a SDAPM that was formal, in that it enabled the DFIs to follow a uniform approach, and generic, in that it could be applied in both law enforcement and corporate investigations.
246 R. Montasari
The SDAPM that was proposed in this paper is a step forward towards addressing the identified issue. The SDAPM was presented and described utilising a proven formal notation, the unified modelling language activity diagram, that can assist courts of law in properly understanding the processes followed to acquire evidence from digital sources. Due to its overriding principles, it is argued that the SDAPM observes the forensic principles of minimising the contamination of the original crime scene and evidence, preserving the integrity of digital evidence, preserving the chain of custody of evidence and adhering to the rules of evidence for admissibility in courts of law.
References
Adams, R., Hobbs, V. and Mann, G. (2014) ‘The advanced data acquisition model (ADAM): a process model for digital forensic practice’, Journal of Digital Forensics, Security and Law, Vol. 8, No. 4, pp.25–48.
Ademu, I., Imafidon, C. and Preston, D. (2011) ‘A new approach of digital forensic model for digital forensic investigation’, International Journal of Advanced Computer Science and Applications, Vol. 2, No. 12, pp.175–178.
Agarwal, A., Gupta, M., Gupta, S. and Gupta, C. (2011) ‘Systematic digital forensic investigation model’, International Journal of Computer Science and Security, Vol. 5, No. 1, pp.118–130.
Armstrong, C. and Armstrong, H. (2010) ‘Modeling forensic evidence systems using design science’, Paper presented at the IFIP WG 8.2/8.6 International Working Conference, Perth, Western Australia.
Association of Chief Police Officers (ACPO) (2003) Good Practice Guide for Computer-Based Evidence, London, UK.
Association of Chief Police Officers (ACPO) (2012) Good Practice Guide for Computer-Based Evidence, London, UK.
Baryamureeba, V. and Florence, T. (2004) ‘The enhanced digital investigation process model’, Proceedings of the Fourth Digital Forensic Research Workshop.
Beebe, N. and Clark, J. (2005) ‘A hierarchical, objectives-based framework for the digital investigations process’, Digital Investigation, Vol. 2, No. 2, pp.147–167.
Black, I. (2014) The Art of Investigative Interviewing, 3rd ed., Butterworth Heinemann, Boston.
Bogan, A.C. and Dampier, D.A. (2005) ‘Unifying computer forensic modeling approaches: a software engineering approach’, Paper presented at the Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering, Taipei, Taiwan.
Brown, C. (2009) Computer Evidence: Collection and Preservation, 2nd ed., Course Technology, Boston.
Bulbul, H., Yavuzcan, H. and Ozel, M (2013) ‘Digital forensics: an analytical crime scene procedure model (ACSPM)’, Forensic Science International, Vol. 233, No. 1, pp.244–256.
Carlton, H. and Worthley, R. (2009) ‘An evaluation of agreement and conflict among computer forensic experts’, 42nd Hawaii International Conference on System Sciences (HICSS), IEEE, Hawaii, 5–8 January.
Carrier, B. (2002) ‘Open source digital forensic tools: the legal argument’ [online] http://www.digital-evidence.org/papers/opensrc_legal.pdf (accessed 6 January 2014).
Carrier, B. and Spafford, E. (2003) ‘Getting physical with the digital investigation process’, International Journal of Digital Evidence, Vol. 2, No. 2, pp.1–20.
Casey, E. (2011) Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, 3rd ed., Elsevier, California.
Ciardhuáin, O. (2004) ‘An extended model of cybercrime investigations’, International Journal of Digital Evidence, Vol. 3, No. 1, pp.1–22.
Cohen, F. (2009) Digital Forensic Evidence Examination, 2nd ed., Fred Cohen & Associates, California.
Cohen, F. (2011) ‘Putting the science in digital forensics’, Journal of Digital Forensics, Security and Law, Vol. 6, No. 1, pp.7–14.
Cohen, F. (2012) ‘Update on the state of the science of digital evidence examination’, Proceedings of the Conference on Digital Forensics, Security & Law, pp.7–18.
Cook, D. and Skinner, J. (2005) ‘How to perform credible verification, validation, and accreditation for modeling and simulation’, The Journal of Defense Software Engineering, Vol. 18, No. 5, pp.20–24.
Garfinkel, S., Farrell, P., Roussev, V. and Dinolt, G (2009) ‘Bringing science to digital forensics with standardized forensic corpora’, Digital Investigation, Vol. 6, pp.S2–S11.
Grobler, C.P., Louwrens, C.P. and von Solms, S.H. (2010) ‘A multi-component view of digital forensics’, ARES’10 International Conference on Availability, Reliability, and Security, IEEE.
Hevner, A. and Chatterjee, S. (2010) Design Science Research in Information Systems, Springer, USA.
Ieong, R.S.C. (2006) ‘FORZA – digital forensics investigation framework that incorporate legal issues’, Digital Investigation, Vol. 3, pp.29–36.
ISO/IEC 27035 (2011) ISO/IEC 27035: Information Security Incident Management, British Standards Institution, London.
ISO/IEC 27037 (2012) Guidelines for Identification, Collection, Acquisition, and Preservation of Digital Evidence, CD 27037: ISO/IEC, Geneva, Switzerland.
ISO/IEC 27043 (2015) Incident Investigation Principles and Processes, Geneva, Switzerland.
ISO/IEC 29 10118-2 (2010) Hash Functions, Geneva, Switzerland.
Jones, K.J., Bejtlich, R. and Rose, C.W. (2006) Real Digital Forensics, Addison-Wesley, Boston, USA.
Karyda, M. and Mitrou, L. (2007) ‘Internet forensics: legal and technical issues’, 2nd International Workshop on Digital Forensics and Incident Analysis, Samos, Greece, pp.3–12.
Kent, K., Chevalier, S., Grance, T. and Dang, H. (2006) Guide to Integrating Forensic Techniques into Incident Response, NIST Special Publication, 800-86.
Kessler, C. (2010) Judges’ Awareness, Understanding, and Application of Digital Evidence, PhD thesis, Nova Southeastern University.
Kohn, M., Eloff, M. and Eloff, J. (2013) ‘Integrated digital forensic process model’, Computers and Security, Vol. 38, pp.103–115.
Kruse, W. and Heiser, J. (2002) Computer forensics: Incident Response Essentials, Addison Wesley, Boston, USA.
Leigland, L. and Krings, A. (2004) ‘A formalization of digital forensics’, International Journal of Digital Evidence, Vol. 3, No. 2, pp.1–32.
Mason, S. (2007) Electronic Evidence: Disclosure, Discovery & Admissibility, LexisNexis Butterworths, London.
Memon, A., Vrij, A. and Bull, R. (2003) Psychology and Law: Truthfulness, Accuracy and Credibility, John Wiley & Sons, West Sussex.
Meyers, M. and Rogers, M. (2004) ‘Computer forensics: the need for standardization and certification’, International Journal of Digital Evidence, Vol. 3, No. 2.
Montasari, R., Peltola, P. and Evans, D. (2015) ‘Integrated computer forensics investigation process model (ICFIPM) for computer crime investigations’, Proceedings of 10th International Conference on Global Security, Safety and Sustainability, pp.83–95.
OMG (2016) Unified Modeling Language (UML) [online] http://www.omg.org/spec/UML/ (accessed 8 March 2016).
Peffers, K., Tuunanen, T., Gengler, C., Rossi, M., Hui, W., Virtanen, V. and Bragge, J. (2006) ‘The design science research process: a model for producing and presenting information systems research’, The First International Conference on Design Science Research in Information Systems and Technology, pp.83–106.